Re: [OAUTH-WG] AD review of draft-ietf-oauth-amr-values

Mike Jones <Michael.Jones@microsoft.com> Mon, 14 November 2016 07:29 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 14 Nov 2016 07:29:21 +0000
Message-ID: <BN3PR03MB235557F8D25DA58E3CDB4CFEF5BC0@BN3PR03MB2355.namprd03.prod.outlook.com>
References: <CAHbuEH7UtRgV42jEr62yjR9zkLvSzRqSwUDT_EDHmuaMSjuYBw@mail.gmail.com>
In-Reply-To: <CAHbuEH7UtRgV42jEr62yjR9zkLvSzRqSwUDT_EDHmuaMSjuYBw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Nq5M_o0ktCGw8xTaFOBnNV-ZIoI>

Thanks for your review, Kathleen.  Draft -04 has been published to address these comments.  Actions taken are described inline.

                                                       -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Kathleen Moriarty
Sent: Saturday, October 29, 2016 3:51 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-amr-values

Hello,

I reviewed draft-ietf-oauth-amr-values and have a few comments.  First, thanks for your work on this draft!

Several of the authentication methods mentioned are typically used (or recommended for use) as a second or third factor.  I see in section 3 that multiple methods can be contained in the claim.  I'd like to see an example of single and multiple authentication methods being represented.  Was it a WG decision to leave out examples?

· Added "amr" claim examples with both single and multiple values.

In the Privacy considerations section, I think it should be made clear that the actual credentials are not part of this specification to avoid additional privacy concerns for biometric data.

· Clarified that the actual credentials referenced are not part of this specification to avoid additional privacy concerns for biometric data.

Section 5, shouldn't a pointer be here to the attacks on OAuth 2.0 as well?

· Clarified that the OAuth 2.0 Threat Model [RFC6819] applies to applications using this specification.


Thank you.
--

Best regards,
Kathleen
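
An added worked example, written by the editor and not taken from the draft or from either message above, of what the single-value and multiple-value "amr" claims Kathleen asked for look like in an ID Token payload, and of how a relying party can check them. Assumptions that are mine rather than the draft's: the JWT signature, issuer, audience and expiry have already been verified before the payload is examined; the two payload dicts and the policy helper names (parse_amr, satisfies_policy, unknown_values) are constructed for illustration; the value list is the one registered by the draft (now RFC 8176).

```python
"""Checking the "amr" (Authentication Methods References) claim of an ID Token.

Editor's example; not code from the draft, the OAuth WG or either e-mail.
Assumption: signature, iss, aud and exp of the token were verified already.
"""

# Identifiers registered by draft-ietf-oauth-amr-values (RFC 8176).  The
# registry is extensible, so values outside this set are tolerated and
# reported rather than rejected.
KNOWN_AMR_VALUES = {
    "face", "fpt", "geo", "hwk", "iris", "kba", "mca", "mfa", "otp", "pin",
    "pwd", "rba", "retina", "sc", "sms", "swk", "tel", "user", "vbm", "wia",
}

# Constructed ID Token payloads (other claims trimmed).  Note that the claim
# names the *method* only; no password, OTP or biometric sample is carried.
SINGLE_FACTOR = {
    "iss": "https://issuer.example",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "amr": ["pwd"],
}
MULTI_FACTOR = {
    "iss": "https://issuer.example",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "amr": ["pwd", "otp", "mfa"],
}


def parse_amr(payload: dict) -> list[str]:
    """Return the amr claim as a list of strings; [] if the claim is absent.

    Raises ValueError when the claim is present but is not a JSON array of
    strings, which is the only shape the draft allows.
    """
    amr = payload.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def satisfies_policy(amr: list[str], require_any=(), require_all=()) -> bool:
    """Apply a relying-party policy to the parsed amr values.

    require_all: every listed method must be present (e.g. ("pwd", "otp")).
    require_any: at least one listed method must be present (e.g. ("mfa",)).
    An absent or empty claim satisfies no non-empty requirement.
    """
    present = set(amr)
    if require_all and not set(require_all) <= present:
        return False
    if require_any and not set(require_any) & present:
        return False
    return True


def unknown_values(amr: list[str]) -> list[str]:
    """Values not in the registry; worth logging, not a reason to reject."""
    return sorted(set(amr) - KNOWN_AMR_VALUES)


if __name__ == "__main__":
    for name, payload in (("single", SINGLE_FACTOR), ("multiple", MULTI_FACTOR)):
        amr = parse_amr(payload)
        print(name, amr,
              "mfa-policy ok" if satisfies_policy(amr, require_any=("mfa",)) else "mfa-policy FAIL",
              "unknown:", unknown_values(amr))
```

The policy split into require_any and require_all mirrors the two ways the draft lets an issuer express multi-factor authentication: either the summary value "mfa" or the individual methods listed side by side, so a relying party that wants a second factor should accept both forms.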