Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)

Mike Jones <Michael.Jones@microsoft.com> Tue, 14 October 2014 12:45 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Alissa Cooper <alissa@cooperw.in>
Thread-Topic: Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)
Thread-Index: Ac/nrJyfHkI5GysgQ5uS6ZQxTKLtDg==
Date: Tue, 14 Oct 2014 12:44:40 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB0D28C@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/OLEJDK2gVOX-P_nrpH7wPe6tacU
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>
Subject: Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>

These resolutions have been incorporated in the -28 draft.  Thanks again for your review.

                                                            -- Mike

From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
Sent: Thursday, October 02, 2014 8:21 AM
To: Mike Jones
Cc: Alissa Cooper; The IESG; oauth-chairs@tools.ietf.org<mailto:oauth-chairs@tools.ietf.org>; draft-ietf-oauth-json-web-token@tools.ietf.org<mailto:draft-ietf-oauth-json-web-token@tools.ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)



On Thu, Oct 2, 2014 at 11:14 AM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:

Responding to the DISCUSS below…

-----Original Message-----
From: Alissa Cooper [mailto:alissa@cooperw.in<mailto:alissa@cooperw.in>]
Sent: Wednesday, October 01, 2014 12:25 PM
To: The IESG
Cc: oauth-chairs@tools.ietf.org<mailto:oauth-chairs@tools.ietf.org>; draft-ietf-oauth-json-web-token@tools.ietf.org<mailto:draft-ietf-oauth-json-web-token@tools.ietf.org>
Subject: Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)

Alissa Cooper has entered the following ballot position for
draft-ietf-oauth-json-web-token-27: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

== Section 12 ==

"A JWT may contain privacy-sensitive information.  When this is the
   case, measures must be taken to prevent disclosure of this
   information to unintended parties."

It seems to me that this should be a normative MUST, particularly in light of the fact that claims are being defined that are meant to directly identify users (e.g., sub) and other claims defined here or later could do so as well.

There seems to be debate whether 2119 language should be used other than when describing protocol requirements.  Jim Schaad (the JOSE chair) believes that it shouldn’t be, and these documents have followed that convention.

With other documents, there is RFC 2119 language used for security & privacy considerations.  At some point there was a trend to have a separate "Security Requirements" section from "Security Considerations", but I don't think there was any requirement for this, just a preference.  I agree that this should be a MUST, but with Stephen as well that you should discourage putting in privacy-related information to begin with.

"One way to achieve this is to use
   an encrypted JWT.  Another way is to ensure that JWTs containing
   unencrypted privacy-sensitive information are only transmitted over
   encrypted channels or protocols, such as TLS."

Since sensitive JWTs should be protected from both intermediary observation and from being sent to unintended recipients, I would suggest:

One way to achieve this is to use an encrypted JWT and authenticate the recipient. Another way is to ensure that JWTs containing unencrypted privacy-sensitive information are only transmitted over encrypted channels or protocols that also support endpoint authentication, such as TLS.

Thanks for this suggested language.  We can incorporate something like that.

OK, this makes sense and will feed into Pete's discuss on where TLS should be required.

Thanks!

--

Best regards,
Kathleen
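The suggested Section 12 text above contrasts two protections for a JWT carrying privacy-sensitive claims: encrypting the JWT itself (a JWE) versus sending a plaintext JWT only over an encrypted, endpoint-authenticated channel. The Go program below is an added example for this thread and is not code from the JWT drafts, the JOSE working group, or any of the participants. It shows why a signed-only JWT (a JWS) exposes "sub" to anyone who sees the token, and then builds and opens the JWE form of the same claim set with direct encryption ("alg":"dir") and AES-256-GCM ("enc":"A256GCM") as specified in draft-ietf-jose-json-web-encryption (published as RFC 7516): five base64url segments, the encoded protected header used as the GCM additional authenticated data, and an empty encrypted-key segment. The function and type names, the claim values, the fixed 32-byte key, and the assumption that the key was shared out of band with the authenticated recipient are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE segments are base64url without padding
type Claims map[string]string   // a JWT claim set; "sub" directly identifies a user

// ClaimsFromUnverifiedJWS reads the claims of a signed JWT (JWS) with no key at all:
// the payload is only base64url-encoded, so any intermediary or unintended recipient can read it.
func ClaimsFromUnverifiedJWS(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a JWS compact serialization")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	return c, json.Unmarshal(raw, &c)
}

// EncryptJWT wraps the claim set in a JWE compact serialization using direct
// encryption ("alg":"dir") with AES-256-GCM ("enc":"A256GCM"). cek is a 32-byte key
// held only by the intended recipient; assumed here to have been shared out of band.
func EncryptJWT(c Claims, cek []byte) (string, error) {
	gcm, err := newA256GCM(cek)
	if err != nil {
		return "", err
	}
	plaintext, _ := json.Marshal(c) // a map[string]string always marshals
	header := b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM"}`))
	iv := make([]byte, gcm.NonceSize()) // 96-bit IV, fresh for every token
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// The AAD is the ASCII form of the encoded header, so the header is integrity-protected too.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(header))
	n := len(sealed) - gcm.Overhead() // Go appends the 128-bit tag; JWE carries it as its own segment
	return strings.Join([]string{header, "", b64.EncodeToString(iv), // encrypted key is empty for "dir"
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// DecryptJWT authenticates and decrypts a token produced by EncryptJWT; any change
// to header, IV, ciphertext or tag, or a different key, makes gcm.Open fail.
func DecryptJWT(token string, cek []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 || parts[1] != "" {
		return nil, errors.New("not a \"dir\" JWE compact serialization")
	}
	var hdr map[string]string
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr["alg"] != "dir" || hdr["enc"] != "A256GCM" {
		return nil, errors.New("unsupported or malformed JWE header")
	}
	gcm, err := newA256GCM(cek)
	if err != nil {
		return nil, err
	}
	var seg [3][]byte // IV, ciphertext, tag
	for i := range seg {
		if seg[i], err = b64.DecodeString(parts[i+2]); err != nil {
			return nil, err
		}
	}
	if len(seg[0]) != gcm.NonceSize() { // gcm.Open panics on a wrong IV length
		return nil, errors.New("bad IV length")
	}
	plaintext, err := gcm.Open(nil, seg[0], append(seg[1], seg[2]...), []byte(parts[0]))
	if err != nil {
		return nil, err
	}
	var c Claims
	return c, json.Unmarshal(plaintext, &c)
}

func newA256GCM(cek []byte) (cipher.AEAD, error) {
	if len(cek) != 32 { // aes.NewCipher would silently accept AES-128/192 keys
		return nil, errors.New("A256GCM needs a 32-byte content encryption key")
	}
	block, _ := aes.NewCipher(cek) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

func main() {
	jws := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(`{"sub":"alice@example.com"}`)) + ".sig"
	leaked, _ := ClaimsFromUnverifiedJWS(jws) // constructed signed-only token; its signature segment is irrelevant here
	cek := []byte("0123456789abcdef0123456789abcdef") // constructed fixed key, not a real secret
	tok, _ := EncryptJWT(Claims{"iss": "https://idp.example", "sub": leaked["sub"]}, cek)
	back, _ := DecryptJWT(tok, cek)
	fmt.Printf("readable from JWS with no key: %s\nJWE: %s\nrecovered: %s\n", leaked["sub"], tok, back["sub"])
}
```

With "dir" the recipient is identified only by possession of the content encryption key, so "authenticate the recipient" collapses into how that key was established. With an asymmetric "alg" such as RSA-OAEP or ECDH-ES the same requirement means validating that the public key being encrypted to really belongs to the intended party before the token is produced; the transport-level alternative in the suggested text, a plaintext JWT over TLS with server certificate validation, is not shown here.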