Re: [OAUTH-WG] Pete Resnick's No Objection on draft-ietf-oauth-assertions-17: (with COMMENT)
Brian Campbell <bcampbell@pingidentity.com> Wed, 15 October 2014 23:07 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D334B1ACDD8 for <oauth@ietfa.amsl.com>; Wed, 15 Oct 2014 16:07:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q0hyYI52TgIM for <oauth@ietfa.amsl.com>; Wed, 15 Oct 2014 16:07:24 -0700 (PDT)
Received: from na6sys009bog003.obsmtp.com (na6sys009bog003.obsmtp.com [74.125.150.46]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92C241A87CE for <oauth@ietf.org>; Wed, 15 Oct 2014 16:07:23 -0700 (PDT)
Received: from mail-ie0-f175.google.com ([209.85.223.175]) (using TLSv1) by na6sys009bob003.postini.com ([74.125.148.12]) with SMTP ID DSNKVD7+Kt7mwOlQD0KyLl5gxJsYGKnn2cXq@postini.com; Wed, 15 Oct 2014 16:07:23 PDT
Received: by mail-ie0-f175.google.com with SMTP id x19so2327471ier.34 for <oauth@ietf.org>; Wed, 15 Oct 2014 16:07:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=2fZUNfpbVzUOet4DtjOl7kNbLd5WlLFrUSrLBoXY0vE=; b=IzmjGU9zqUuyl8vfiJpfDFisnas88FxURGebXdTQxHa0uDSLaSPL98oPgpUPEdschs hmLObsO4Dti7koY0LcWCKkdUb7Ay+0wqJD4GCnQ9pg5sPO4puzp34i9VUyDX+Fi21YvX HA9P+lufHqcihNsMSBGK9KnYetWEiK2lQZegjS4EYYo2k5q8rFITJz4YFI6vupi2cka4 fmf0L4ncpVbFuUNh6exO4rD22dCpVRopjAf5GKIj3/LqJUhsQzYLLh70hhJcAEjbkq57 9/58Hj4Ch0vo6Phcjw/q+ox/KrxTC5aOtdDGZF4I/Fw4D+HcqPdzWAOwOaCuC6EfCn9Y Onow==
X-Gm-Message-State: ALoCoQlGU5XrejLuVpF105xs7Vs0EhNuqnTdMw5Y6IwAeWs2SiphDHOp6OZKUT4aeEwg1NuTCtkZdtbE5Hwsx7LhrSZKbmh1thUOTgJH3wA0266SL4Hkp3V5gl/JnVBlBg8JaR8oNp/v
X-Received: by 10.43.87.79 with SMTP id av15mr805794icc.44.1413414442431; Wed, 15 Oct 2014 16:07:22 -0700 (PDT)
X-Received: by 10.43.87.79 with SMTP id av15mr805776icc.44.1413414442240; Wed, 15 Oct 2014 16:07:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.12.137 with HTTP; Wed, 15 Oct 2014 16:06:52 -0700 (PDT)
In-Reply-To: <20141014204213.15568.37128.idtracker@ietfa.amsl.com>
References: <20141014204213.15568.37128.idtracker@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 15 Oct 2014 17:06:52 -0600
Message-ID: <CA+k3eCQmM27m4XPsCQu+GeRGiE6ppQiv8vB3KpnWhAYXpmOV7Q@mail.gmail.com>
To: Pete Resnick <presnick@qti.qualcomm.com>
Content-Type: multipart/alternative; boundary="001a11339758c0250005057e312d"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/O47-RBkXq0ZpLkhzitI6qDpU33s
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Pete Resnick's No Objection on draft-ietf-oauth-assertions-17: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Oct 2014 23:07:38 -0000
Thanks for your review and feedback, Pete. Replies are inline below... On Tue, Oct 14, 2014 at 2:42 PM, Pete Resnick <presnick@qti.qualcomm.com> wrote: > Pete Resnick has entered the following ballot position for > draft-ietf-oauth-assertions-17: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > 3 - > > Assertions used in the protocol exchanges defined by this > specification MUST always be protected against tampering using a > digital signature or a keyed message digest applied by the issuer. > > Why is that? Aren't you using assertions over a protected channel (as > required by the spec) and therefore not need to sign the assertions? > Indeed, why would a self-issued Bearer Assertion need to be signed at > all? Does that even make sense? > > Yes, assertions are sent over a protected channel, which does provide integrity protection for the transport form client to AS and also gives server authentication. But it doesn't provide client authentication, which is kind of the point of the Client Authentication part of this draft. And for authorization the signing or MACing is what authenticates the issuer of the assertion - sometimes the issuer is the client but often the issuer will be a 3rd party system. I do agree with you in one specific case that, if the client is trusted to be the assertion issuer and the client is properly authenticated, then an unsigned assertion could be reasonably used as an authorization grant. But it's a fairly rare and very specific case. And one that can be accommodated in other ways. So it's not worth introducing the complexity and potential security problems that having the signature be option would bring. > 4.1 - > > grant_type > REQUIRED. The format of the assertion as defined by the > authorization server. The value MUST be an absolute URI. > > That MUST is unnecessary. It's just definitional from 6749, 4.5 (which, > as it happens, doesn't use 2119 language for this). s/MUST/will > Makes sense. > > assertion > REQUIRED. The assertion being used as an authorization grant. > Specific serialization of the assertion is defined by profile > documents. The serialization MUST be encoded for transport within > HTTP forms. It is RECOMMENDED that base64url be used. > > The MUST seems weird here. Are you saying that the profile could not > possibly have a serialization for an assertion that did not require > further encoding? But the RECOMMENDED seems downright wrong: Either an > implementer *needs* to know the encoding independently of the profile, > and therefore this needs to be a MUST, or the profile is going to > describe the encoding, which could be base64url or could be something > else, and the implementation will do whatever the profile says. If you > really want to say something here, I suggest replacing the last two > sentences with: > > If the assertion is going to be transported within HTTP forms, the > profile document needs to describe what (if any) encoding will be > needed to do so. The base64url encoding is widely implemented and > therefore suggested. > > In reading it again, I agree with you that it's weird and not appropriate here. In fact the JWT profile itself does not require any further encoding. Barring any objection, I suggest that the last two sentences just be removed. So it would just be, "assertion REQUIRED. The assertion being used as an authorization grant. Specific serialization of the assertion is defined by profile documents." > scope > [...] > As such, the > requested scope MUST be equal or lesser than the scope originally > granted to the authorized accessor. > > s/MUST/will (unless you explain whether it's the server or the client > that's supposed to be obeying that MUST, and for what reason) > They are both supposed to obey it - the client shouldn't ask for more and the server will reject the request, if it does. Is "will" more appropriate than "MUST" here? Or maybe a non 2119 "should"? > > If the scope parameter and/or > value are omitted, the scope MUST be treated as equal to the scope > originally granted to the authorized accessor. The Authorization > Server MUST limit the scope of the issued access token to be equal > or lesser than the scope originally granted to the authorized > accessor. > > In the first sentence, is this MUST for the server? (That is, shouldn't > it be, "If the scope parameter and/or value are omitted, the server MUST > use the value of the scope originally granted to the authorized > accessor."?) And anyway, don't these two sentences contradict 6749, which > says: > > The authorization server MAY fully or partially ignore the scope > requested by the client, based on the authorization server policy or > the resource owner's instructions. > [...] > If the client omits the scope parameter when requesting > authorization, the authorization server MUST either process the > request using a pre-defined default value or fail the request > indicating an invalid scope. > > Yes, I think you're correct that there is a contradiction with 6749. And, honestly, I'm surprised at the text there as I read it again. I don't think that was the intent. I'd propose that the sentence, " If the scope parameter and/or value are omitted, the scope MUST be treated as equal to the scope originally granted to the authorized accessor." be removed. Here and throughout: s/non-normative example/example (As far as I know, > there are no other kinds in IETF documents.) > I thought I picked that language up from some other draft or RFC but I'm now not sure where it came from and can't easily find other examples of the same thing. So I am happy to remove the "non-normative" throughout, if it is already understood and/or not customary to say so. > > 4.1.1 - s/MUST construct/constructs > OK > > 4.2, client_assertion_type and client_assertion: See comments from 4.1 > regarding grant_type and assertion. > Agree and same answer. > > 4.2.1 - s/MUST construct/constructs > OK > > 5.2 - > > s/MUST identify/identifies > OK > > For clarification: > OLD > Assertions that do > not identify the Authorization Server as an intended audience MUST > be rejected. > NEW > The Authorization Server MUST reject any assertion that does not > contain the its own identity as the intended audience. > END > OK, I agree that reads better.
- [OAUTH-WG] Pete Resnick's No Objection on draft-i… Pete Resnick
- Re: [OAUTH-WG] Pete Resnick's No Objection on dra… Brian Campbell
- Re: [OAUTH-WG] Pete Resnick's No Objection on dra… Barry Leiba
- Re: [OAUTH-WG] Pete Resnick's No Objection on dra… Brian Campbell
- Re: [OAUTH-WG] Pete Resnick's No Objection on dra… Pete Resnick