Re: [OAUTH-WG] Pete Resnick's No Objection on draft-ietf-oauth-assertions-17: (with COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Wed, 15 October 2014 23:35 UTC

In-Reply-To: <CALaySJK2SDp=uz8uMa+urhtTL6y81iUA2afctEtBdifYKNKJqA@mail.gmail.com>
References: <20141014204213.15568.37128.idtracker@ietfa.amsl.com> <CA+k3eCQmM27m4XPsCQu+GeRGiE6ppQiv8vB3KpnWhAYXpmOV7Q@mail.gmail.com> <CALaySJK2SDp=uz8uMa+urhtTL6y81iUA2afctEtBdifYKNKJqA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 15 Oct 2014 17:35:19 -0600
Message-ID: <CA+k3eCTRRyK-oW_SaQVckgh3Hinbs_igiU8TBt4iPkASXaQNJQ@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: multipart/alternative; boundary="001a11c312c49a3da705057e9780"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/NwkQ-aajWFoZZtyD5SeXbDWQnxA
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, oauth <oauth@ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [OAUTH-WG] Pete Resnick's No Objection on draft-ietf-oauth-assertions-17: (with COMMENT)

Fair point. I'll add some text saying that in the next revision.

On Wed, Oct 15, 2014 at 5:18 PM, Barry Leiba <barryleiba@computer.org>
wrote:

>
>>>    Assertions used in the protocol exchanges defined by this
>>>    specification MUST always be protected against tampering using a
>>>    digital signature or a keyed message digest applied by the issuer.
>>>
>>> Why is that? Aren't you using assertions over a protected channel (as
>>> required by the spec) and therefore not need to sign the assertions?
>>> Indeed, why would a self-issued Bearer Assertion need to be signed at
>>> all? Does that even make sense?
>>>
>> Yes, assertions are sent over a protected channel, which does provide
>> integrity protection for the transport from client to AS and also gives
>> server authentication. But it doesn't provide client authentication, which
>> is kind of the point of the Client Authentication part of this draft. And
>> for authorization the signing or MACing is what authenticates the issuer of
>> the assertion - sometimes the issuer is the client but often the issuer
>> will be a 3rd party system.
>>
>> I do agree with you in one specific case that, if the client is trusted
>> to be the assertion issuer and the client is properly authenticated, then
>> an unsigned assertion could be reasonably used as an authorization grant.
>> But it's a fairly rare and very specific case. And one that can be
>> accommodated in other ways. So it's not worth introducing the complexity
>> and potential security problems that having the signature be optional would
>> bring.
>>
>
> In other words, the assertion must be protected against tampering *by the
> party that presents the assertion*.  That is a significant point, and you
> should say it.
>
> Barry
>
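An added illustration of the point Brian and Barry make above, not code from this thread or from the assertions draft: a toy keyed-digest assertion (the format, issuer name, key and claims are all constructed here) showing why a protected channel alone is not enough. TLS cannot stop the presenting client from editing claims before it sends them; the issuer's MAC does, and when the client is its own issuer the same check is what authenticates the client.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(issuer_key: bytes, claims: dict) -> str:
    # Issuer side (a third-party IdP, or the client itself in the self-issued
    # case): a keyed message digest over the claims. Constructed toy format:
    # base64url(claims) "." base64url(HMAC-SHA256(issuer_key, base64url(claims))).
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(issuer_key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(tag)

def verify_assertion(trusted_issuer_keys: dict, assertion: str):
    # Authorization-server side. TLS protected the hop from client to AS, but
    # only this check ties the claims to the issuer: any edit by the presenting
    # client invalidates the digest, because the client lacks the issuer's key.
    # When the client is the issuer, this same check is the client authentication.
    try:
        body, tag = assertion.split(".")
        claims = json.loads(_b64url_decode(body))
        key = trusted_issuer_keys[claims["iss"]]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag)):
        return None
    return claims

def tamper_with_assertion(assertion: str, new_claims: dict) -> str:
    # A presenter rewriting the claims without the issuer's key can only
    # reuse the original digest, which no longer matches the new body.
    body = _b64url(json.dumps(new_claims, sort_keys=True).encode())
    return body + "." + assertion.split(".")[1]

# Constructed sample: third-party issuer "idp.example" vouches for a subject.
ISSUER_KEYS = {"idp.example": b"constructed-issuer-key"}
GENUINE = issue_assertion(ISSUER_KEYS["idp.example"],
                          {"iss": "idp.example", "sub": "alice", "scope": "read"})
TAMPERED = tamper_with_assertion(
    GENUINE, {"iss": "idp.example", "sub": "alice", "scope": "admin"})
```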