Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

John Bradley <ve7jtb@ve7jtb.com> Fri, 17 October 2014 17:32 UTC

To: Pete Resnick <presnick@qti.qualcomm.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/RP1bv_SlxLIPcbyt2_v9U49cDIU
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, Richard Barnes <rlb@ipv.sx>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>

I think this part of sec 3 of assertions states that:

   The protocol parameters and processing rules defined in this document
   are intended to support a client presenting a bearer assertion to an
   authorization server.  The use of holder-of-key assertions is not
   precluded by this document, but additional protocol details would
   need to be specified.

As part of defining the additional protocol details for holder-of-key/PoP, we can relax the MUST for audience in the profile that defines how to use those assertion types.

John B.

On Oct 17, 2014, at 2:25 PM, Pete Resnick <presnick@qti.qualcomm.com> wrote:

> On 10/17/14 12:09 PM, Mike Jones wrote:
>> This is the standard mitigation for a known set of actual attacks.  We shouldn’t even consider making it optional.
> 
> Do you mean you shouldn't consider making it optional for HoK? Again, making it clear that the MUST applies only to bearer assertions, and that future extensions for HoK might have different requirements, is all that is being asked for here.
> 
> pr
> -- 
> Pete Resnick <http://www.qualcomm.com/~presnick/>
> Qualcomm Technologies, Inc. - +1 (858)651-4478
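The exchange above turns on why the audience check is a MUST for bearer assertions yet could be relaxed once a holder-of-key profile adds its own binding. The following is an added example, not code from the thread, the draft or any of its authors: it models two authorization servers that trust the same issuer, replays an assertion minted for one at the other, and shows what the `aud` check and a proof-of-possession step each stop. The issuer, endpoints, keys and claim values are constructed; HMAC-SHA256 stands in for the issuer's JWS signature and for the client's proof of possession, and the nonce challenge is an assumed HoK mechanism, not one the draft defines (a real profile would bind an asymmetric key through the JWT `cnf` claim).

```python
"""Why the audience check is a MUST for bearer assertions but can be relaxed for
holder-of-key ones. Constructed example: issuer, endpoints, keys and claims are
made up, and HMAC-SHA256 stands in for the issuer signature and the client's
proof of possession (a real HoK profile binds an asymmetric key via 'cnf')."""
import base64, hashlib, hmac, json, secrets, time

ISSUER, ISSUER_KEY = "https://idp.example", b"constructed-issuer-hmac-key"  # assumed
AS_A, AS_B = "https://as-a.example/token", "https://as-b.example/token"      # assumed
CLIENT_KEY = b"constructed-client-pop-key"  # client-1's registered PoP key (assumed)

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jws_hs256(claims, key):
    """Minimal compact JWS (HS256) over a JSON claims set."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jws_hs256(token, key):
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))

def issue_assertion(subject, audience, cnf_kid=None, ttl=300):
    """Issuer mints an assertion; a cnf_kid makes it a holder-of-key assertion."""
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now,
              "exp": now + ttl, "jti": secrets.token_hex(8)}
    if cnf_kid is not None:
        claims["cnf"] = {"kid": cnf_kid}
    return sign_jws_hs256(claims, ISSUER_KEY)

def pop_proof(key, nonce, assertion):
    """Client's proof of possession: a MAC over the AS's nonce and the assertion."""
    return hmac.new(key, f"{nonce}.{assertion}".encode(), hashlib.sha256).hexdigest()

class AuthorizationServer:
    def __init__(self, token_endpoint, check_audience=True):
        self.token_endpoint = token_endpoint
        self.check_audience = check_audience
        self.pop_keys = {"client-1": CLIENT_KEY}  # confirmation keys by kid
        self.nonces = set()                       # outstanding challenges

    def _validate(self, assertion):
        try:
            claims = verify_jws_hs256(assertion, ISSUER_KEY)
        except ValueError as exc:
            return None, str(exc)
        if claims.get("iss") != ISSUER:
            return None, "untrusted issuer"
        if claims.get("exp", 0) < time.time():
            return None, "expired"
        if self.check_audience and claims.get("aud") != self.token_endpoint:
            return None, "audience mismatch"
        return claims, "ok"

    def accept_bearer(self, assertion):  # bearer: possession is proof, only aud ties it here
        claims, reason = self._validate(assertion)
        return claims is not None, reason

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def accept_holder_of_key(self, assertion, nonce, proof):
        """HoK: the presenter must also prove possession of the cnf key."""
        claims, reason = self._validate(assertion)
        if claims is None:
            return False, reason
        key = self.pop_keys.get(claims.get("cnf", {}).get("kid"))
        if key is None:
            return False, "no registered confirmation key"
        if nonce not in self.nonces:
            return False, "unknown or reused nonce"
        self.nonces.discard(nonce)
        if not hmac.compare_digest(pop_proof(key, nonce, assertion), proof):
            return False, "proof of possession failed"
        return True, "ok"

def replay_demo():
    """Attacker captures an assertion minted for AS-A and presents it at AS-B."""
    bearer = issue_assertion("client-1", AS_A)
    hok = issue_assertion("client-1", AS_A, cnf_kid="client-1")
    lax = AuthorizationServer(AS_B, check_audience=False)  # an AS-B that skips aud
    n1, n2 = lax.challenge(), lax.challenge()
    return {
        "bearer_at_intended_as": AuthorizationServer(AS_A).accept_bearer(bearer),
        "bearer_replayed_with_aud_check": AuthorizationServer(AS_B).accept_bearer(bearer),
        "bearer_replayed_without_aud_check": lax.accept_bearer(bearer),
        "hok_replayed_by_attacker": lax.accept_holder_of_key(hok, n1, pop_proof(b"wrong-key", n1, hok)),
        "hok_by_real_client": lax.accept_holder_of_key(hok, n2, pop_proof(CLIENT_KEY, n2, hok)),
    }
```

Running `replay_demo()` gives the three outcomes under discussion: the bearer assertion minted for AS-A is accepted by AS-B as soon as AS-B drops the `aud` check, which is the redirect attack the MUST exists to stop; with the check in place AS-B rejects it; and the holder-of-key assertion is rejected at the lax AS-B by anyone who cannot answer the challenge with the confirmation key, while the legitimate client still succeeds there. The key binding, not the audience, is what prevents misuse of the HoK assertion, which is the room a future profile would have to relax the MUST.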