IETF Logo Mail Archive

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Wed, 12 November 2014 01:38 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE1E1AC3F2; Tue, 11 Nov 2014 17:38:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-qcWgZi85VR; Tue, 11 Nov 2014 17:38:40 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0120.outbound.protection.outlook.com [65.55.169.120]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0C2C1A8792; Tue, 11 Nov 2014 17:38:39 -0800 (PST)
Received: from CH1PR03CA002.namprd03.prod.outlook.com (10.255.156.147) by BY1PR0301MB1206.namprd03.prod.outlook.com (25.161.203.155) with Microsoft SMTP Server (TLS) id 15.1.11.14; Wed, 12 Nov 2014 01:38:37 +0000
Received: from BY2FFO11FD036.protection.gbl (10.255.156.132) by CH1PR03CA002.outlook.office365.com (10.255.156.147) with Microsoft SMTP Server (TLS) id 15.1.16.15 via Frontend Transport; Wed, 12 Nov 2014 01:38:36 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD036.mail.protection.outlook.com (10.1.14.221) with Microsoft SMTP Server (TLS) id 15.1.6.13 via Frontend Transport; Wed, 12 Nov 2014 01:38:36 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.229]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0210.003; Wed, 12 Nov 2014 01:38:09 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>
Thread-Topic: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
Thread-Index: AQHP6PPyEQ0Qm5p8FUevm57Q8TXNpZwy3f8AgAAUhoCAAFpTAIAAKwwAgAD78QCAAAGeAIAADVWAgAAFSJCAAATXAIAAAdMAgAAJFoCAAAUjAIAnsHJQgAARMACAAAIjcg==
Date: Wed, 12 Nov 2014 01:38:08 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB7E441@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <CA+k3eCQKxWri1kjjig90AhrsQ=D0H=CLfKGuSa513sKDar52Rw@mail.gmail.com> <A9B4CF00-6D06-4FE1-83EE-CC0D141C9AD3@oracle.com> <CAL02cgQO1nuozW-F6riDgo4QFkp3Gv89SSWzJcbO-0eayyGufg@mail.gmail.com> <28A05FEA-9EEA-4E95-9B9F-587120A74BAA@ve7jtb.com> <CA+k3eCS=TRmfR2to2wfJsQrkyRd3gGEPJ-x7ao4dLcN-V7ctiA@mail.gmail.com> <19E82AEC-A5DA-41E9-9370-3FF16264DEAE@ve7jtb.com> <F47576F0-9B71-4CDE-88BB-487993A2E661@oracle.com> <4E1F6AAD24975D4BA5B16804296739439BB16289@TK5EX14MBXC286.redmond.corp.microsoft.com> <54415122.9030902@qti.qualcomm.com> <3E356AAD-8B64-42DF-8DAF-054DDFC58A30@ve7jtb.com> <CAL02cgTQvAonog5+TX8RDqjipbLMCfxRopuiCd0p8kyqJJrMvg@mail.gmail.com> <CA+k3eCQWo7FxTcjO7qQLmB6Qi6y0LKGO_iUvPjsz0dV2LX6uog@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439BB7E146@TK5EX14MBXC286.redmond.corp.microsoft.com>, <CAL02cgRLyC2ETzojVRaWMSb4LjZdm6ObvTFgLqZ-DEFHs1t0jg@mail.gmail.com>
In-Reply-To: <CAL02cgRLyC2ETzojVRaWMSb4LjZdm6ObvTFgLqZ-DEFHs1t0jg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439BB7E441TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(438002)(41574002)(479174003)(377454003)(24454002)(199003)(164054003)(189002)(62966003)(50986999)(77096003)(77156002)(76176999)(54356999)(106116001)(95666004)(20776003)(93886004)(106466001)(81156004)(107046002)(92566001)(46102003)(92726001)(86362001)(71186001)(86612001)(64706001)(19617315012)(55846006)(21056001)(110136001)(16236675004)(120916001)(99396003)(97736003)(4396001)(31966008)(15202345003)(84676001)(69596002)(33656002)(87936001)(84326002)(230783001)(68736004)(104016003)(2656002)(6806004)(85806002)(15975445006)(19580395003)(26826002)(19580405001)(44976005); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0301MB1206; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB1206;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB1206;
X-Forefront-PRVS: 03932714EB
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-Exchange-Antispam-Report-CFA: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB1206;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/SS4nWEER1OR55W1kGzERvLc7kc8
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, The IESG <iesg@ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Nov 2014 01:38:43 -0000

Thanks!
________________________________
From: Richard Barnes<mailto:rlb@ipv.sx>
Sent: ‎11/‎11/‎2014 3:30 PM
To: Mike Jones<mailto:Michael.Jones@microsoft.com>
Cc: Brian Campbell<mailto:bcampbell@pingidentity.com>; John Bradley<mailto:ve7jtb@ve7jtb.com>; draft-ietf-oauth-assertions@tools.ietf.org<mailto:draft-ietf-oauth-assertions@tools.ietf.org>; Pete Resnick<mailto:presnick@qti.qualcomm.com>; oauth<mailto:oauth@ietf.org>; The IESG<mailto:iesg@ietf.org>; oauth-chairs@tools.ietf.org<mailto:oauth-chairs@tools.ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

Looks good to me, thanks.  I cleared.
--Richard

On Tue, Nov 11, 2014 at 2:33 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
Richard, yours are the only discusses on draft-ietf-oauth-assertions, draft-ietf-oauth-saml2-bearer, and draft-ietf-oauth-jwt-bearer, and they’re all about the audience requirement. Brian added text addressing this in the last paragraph of https://tools.ietf.org/html/draft-ietf-oauth-assertions-18#section-3.  Are you willing to clear these DISCUSSes on this basis?

If not, can we try to talk before the OAuth meeting tomorrow morning?  I’ll be leading the assertions drafts discussions tomorrow since Brian won’t be able to attend.

                                                            Thanks,
                                                            -- Mike

From: Brian Campbell [mailto:bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>]
Sent: Friday, October 17, 2014 8:23 AM
To: Richard Barnes
Cc: John Bradley; draft-ietf-oauth-assertions@tools.ietf.org<mailto:draft-ietf-oauth-assertions@tools.ietf.org>; Pete Resnick; oauth; The IESG; oauth-chairs@tools.ietf.org<mailto:oauth-chairs@tools.ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

That text works for me, Richard. Thanks.
I will go with Richard's text in the next draft, unless I hear objections.

FWIW, the mention of HoK was a result of a review and suggestions from Hannes some time ago.

http://www.ietf.org/mail-archive/web/oauth/current/msg09437.html
https://tools.ietf.org/rfcdiff?url2=draft-ietf-oauth-assertions-04.txt

It could be removed, to your point, but I think your proposed text is very clear about the scope and might help prevent confusion.


On Fri, Oct 17, 2014 at 12:04 PM, Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:
On Fri, Oct 17, 2014 at 10:32 AM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
I think this part of sec 3 of assertions states that:


 The protocol parameters and processing rules defined in this document

   are intended to support a client presenting a bearer assertion to an

   authorization server.  The use of holder-of-key assertions are not

   precluded by this document, but additional protocol details would

   need to be specified.


As part of defining the additional protocol details for holder-of-key/PoP we can relax the must for audience in the profile that defines how to use those assertion types.

I think we're on a path to convergence here.

Given all this, is there any point to even mentioning HoK credentials here?  The entire remainder of the spec is written as if they didn't exist.  And as the text above notes, you can't actually use them with this specification.
If we're going to keep the mention, could we augment the text above to make it clearer that HoK assertions are out of scope.

"""
The protocol parameters and processing rules defined in this document
are intended to support a client presenting a bearer assertion to an
authorization server.  They are not suitable for use with holder-of-key
assertions.  While they could be used as a baseline for a holder-of-key
assertion system, there would be a need for additional mechanisms
(to support proof of possession of the secret key), and possibly changes
to the security model (e.g., to relax the requirement for an Audience).
"""
--Richard



John B.

On Oct 17, 2014, at 2:25 PM, Pete Resnick <presnick@qti.qualcomm.com<mailto:presnick@qti.qualcomm.com>> wrote:


On 10/17/14 12:09 PM, Mike Jones wrote:
This is the standard mitigation for a known set of actual attacks.  We shouldn’t even consider making it optional.

Do you mean you shouldn't consider making it optional for HoK? Again, making it clear that the MUST applies only to bearer assertions, and that future extensions for HoK might have different requirements, is all that is being asked for here.

pr


--

Pete Resnick <http://www.qualcomm.com/~presnick/><http://www.qualcomm.com/~presnick/>

Qualcomm Technologies, Inc. - +1 (858)651-4478<tel:%2B1%20%28858%29651-4478>



_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email