Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

Barry Leiba <barryleiba@computer.org> Fri, 19 July 2019 14:31 UTC

References: <156348397007.8464.8217832087905511031.idtracker@ietfa.amsl.com> <CA+k3eCQR_yVZJdw0CmPL0qVCA3S0x5gZAr6_BwvDrZDW0NOPWA@mail.gmail.com>
In-Reply-To: <CA+k3eCQR_yVZJdw0CmPL0qVCA3S0x5gZAr6_BwvDrZDW0NOPWA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Fri, 19 Jul 2019 10:31:44 -0400
Message-ID: <CALaySJJ3chNzsJvWgTpg-6GudK8ot=D8Fvguyr=kpFuiVWLSPw@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QUkVTvH38cXSJK2Zh74DKbds3IU>

>> and I trust the authors and responsible AD to do the right thing.
>
> I always endeavor to do the right thing.

You do; hence, the trust.  :-)
And thanks for the quick responses.

>> — Section 1.1 —
>> Given the extensive discussion of impersonation here, what strikes me as
>> missing is pointing out that impersonation here is still controlled, that “A is
>> B” but only to the extent that’s allowed by the token.  First, it might be
>> limited by number of instances (one transaction only), by time of day (only for
>> 10 minutes), and by scope (in regard to B’s address book, but not B’s email).
>> Second, there is accountability: audit information still shows that the token
>> authorized acting as B.  Is that not worth clarifying?
>
> My initial response was going to be "sure, I'll add some bits in sec 1.1 along those lines to clarify
> that." However, as I look again at that section for good opportunities to make such additions, I feel
> like it is already said that impersonation is controlled.
...
> So I think it already says that and I'm gonna have to flip it back and ask if you have concrete
> suggestions for changes or additions that would say it more clearly or more to your liking?

It is mentioned, true, and that might be enough.  But given that Eve
also replied that she would like more here, let me suggest something,
the use of which is entirely optional -- take it, don't take it,
modify it, riff on it, ignore it completely, as you think best.  What
do you think about changing the last sentence of the paragraph?: "For
all intents and purposes, when A is impersonating B, A is B within the
rights context authorized by the token, which could be limited in
scope or time, or by a one-time-use restriction."

>> — Section 6 —
>> Should “TLS” here have a citation and normative reference?
>
> I didn't include an explicit reference here because TLS is transitively referenced by other
> normative references (including 6749 of which this whole thing is an extension) and TLS
> is pretty widely recognized even without citation.
...
> I'm happy to add a citation here but it does raise the question of what the most appropriate
> way to cite TLS is right now - 1.3, 1.2, or the BCP or some combination thereof?

I wondered the same thing, and you're also right that it might not
need a reference in this document.  I only even flagged it because
it's the subject of a MUST.  I'll leave it to the Sec ADs (who
obviously didn't flag it themselves, so maybe they agree that it's not
necessary).

Barry
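As an added illustration of the Section 1.1 point discussed above (example code written here, not text or code from the draft or from either author), this is what "A is B within the rights context authorized by the token" looks like when a resource server enforces it: the scope, the validity window and a one-time-use restriction bound the impersonation, and the audit record names the token that authorized acting as B. The claim names sub, exp, scope and jti are standard JWT claims; the one_time flag, the replay record and the audit format are assumptions made for this example.

```python
# Added example (not from the thread or the draft): a resource server
# bounding an impersonation token's "A is B" to the token's own rights
# context (scope, validity window, one-time use) and keeping an audit
# record that names the token which authorized acting as B.
# sub/exp/scope/jti are standard JWT claims; "one_time" and the audit
# dict layout are assumptions made here, not anything the draft defines.
from dataclasses import dataclass, field


@dataclass
class Verdict:
    allowed: bool
    reason: str
    audit: dict


@dataclass
class ImpersonationGuard:
    used_jtis: set = field(default_factory=set)  # replay record for one-time tokens

    def check(self, claims: dict, requested_scope: str, now: int) -> Verdict:
        # Audit: who is being acted as and which token authorized it,
        # recorded whether or not the request is allowed.
        audit = {"acting_as": claims.get("sub"), "token_id": claims.get("jti"),
                 "requested_scope": requested_scope, "at": now}
        if now >= claims.get("exp", 0):                      # time limit
            return Verdict(False, "token expired", audit)
        if requested_scope not in claims.get("scope", "").split():  # scope limit
            return Verdict(False, "scope not granted by token", audit)
        if claims.get("one_time"):                           # one-time-use limit
            jti = claims.get("jti")
            if jti is None or jti in self.used_jtis:
                return Verdict(False, "one-time token already used or unidentifiable", audit)
            self.used_jtis.add(jti)
        return Verdict(True, "within token's rights context", audit)


# Constructed sample: a token letting A act as B for B's address book only,
# valid for ten minutes from 1_000_000 and usable exactly once.
SAMPLE_CLAIMS = {"sub": "B", "exp": 1_000_600, "scope": "addressbook.read",
                 "jti": "tok-1", "one_time": True}


def demo():
    g = ImpersonationGuard()
    first = g.check(SAMPLE_CLAIMS, "addressbook.read", now=1_000_100)
    replay = g.check(SAMPLE_CLAIMS, "addressbook.read", now=1_000_101)
    email = g.check(SAMPLE_CLAIMS, "email.read", now=1_000_102)
    late = ImpersonationGuard().check(SAMPLE_CLAIMS, "addressbook.read", now=1_000_700)
    return first, replay, email, late


if __name__ == "__main__":
    for v in demo():
        print(v.allowed, v.reason, v.audit)
```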