From nobody Thu Aug 27 06:48:45 2020
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 301423A0B2C
 for <oauth@ietfa.amsl.com>; Thu, 27 Aug 2020 06:48:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
 header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id hFUNlhPmEVcg for <oauth@ietfa.amsl.com>;
 Thu, 27 Aug 2020 06:48:43 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com
 [IPv6:2a00:1450:4864:20::62e])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id B326A3A0943
 for <oauth@ietf.org>; Thu, 27 Aug 2020 06:48:42 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id a21so7764566ejp.0
 for <oauth@ietf.org>; Thu, 27 Aug 2020 06:48:42 -0700 (PDT)
X-Received: by 2002:a17:906:54d3:: with SMTP id
 c19mr22307411ejp.408.1598536121160; 
 Thu, 27 Aug 2020 06:48:41 -0700 (PDT)
Received: from p200300eb8f1e2a30818db2e1d08b89c0.dip0.t-ipconnect.de
 (p200300eb8f1e2a30818db2e1d08b89c0.dip0.t-ipconnect.de.
 [2003:eb:8f1e:2a30:818d:b2e1:d08b:89c0])
 by smtp.gmail.com with ESMTPSA id e14sm1615365edl.86.2020.08.27.06.48.39
 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 27 Aug 2020 06:48:40 -0700 (PDT)
Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CH2PR00MB0678DA2BC7234C2AC1CE784DF5541@CH2PR00MB0678.namprd00.prod.outlook.com>
Date: Thu, 27 Aug 2020 15:48:38 +0200
Cc: "last-call@ietf.org" <last-call@ietf.org>,
 oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <412A63AD-DDE1-4BFE-8234-5A721A0ED88D@lodderstedt.net>
References: <CH2PR00MB0678DA2BC7234C2AC1CE784DF5541@CH2PR00MB0678.namprd00.prod.outlook.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>,
 "dick.hardt" <dick.hardt@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ss19zvjfb1L5mEDr2kq2eNeT1do>
Subject: Re: [OAUTH-WG] Last Call:
 <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for
 OAuth Token Introspection) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>,
 <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
 <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2020 13:48:44 -0000

Will the following text work for you?

    Implementers should be aware that a token introspection request lets the AS know when the client (and potentially the user) is accessing the RS, which is also an indication of when the user is using the client. If this implication is not acceptable, implementers MUST use other means to carry access token data, e.g. directly transferring the data needed by the RS within the access token.


> On 26. Aug 2020, at 23:12, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>
> I agree with Dick’s observation about the privacy implications of using an Introspection Endpoint. That’s why it’s preferable to not use one at all and instead directly have the Resource understand the Access Token. One way of doing this is the JWT Access Token spec. There are plenty of others.
>
> The downsides of using an Introspection Endpoint should be described in the Privacy Considerations section.
>
>                 -- Mike
>
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
> Sent: Wednesday, August 26, 2020 9:52 AM
> To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
> Cc: last-call@ietf.org; oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard
>
> On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> Hi Denis,
>
> > On 25. Aug 2020, at 16:55, Denis <denis.ietf@free.fr> wrote:
>
> > The fact that the AS will know exactly when the introspection call has been made and thus be able to make sure which client has attempted to perform an access to that RS and at which instant of time. The use of this call allows an AS to track where and when its clients have indeed presented an issued access token.
>
> That is a fact. I don’t think it is an issue per se. Please explain the privacy implications.
>
> As I see it, the privacy implication is that the AS knows when the client (and potentially the user) is accessing the RS, which is also an indication of when the user is using the client.
>
> I think including this implication would be important to have in a Privacy Considerations section.
>
> /Dick


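As an added illustration of the trade-off discussed in this thread (constructed for this page; not code from the draft or from any list participant): an RS makes the same authorization decision either by calling the AS's introspection endpoint or by validating a self-contained JWT access token locally, and only the first path leaves a record at the AS. The AS class, the shared HS256 key, the claim values and the example URLs are all assumptions.

```python
import base64, hashlib, hmac, json, time

AS_KEY = b"demo-shared-secret-not-for-production"  # constructed; assumes HS256, not an RSA key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_jwt(token: str, aud: str):
    """Local validation (signature, audience, expiry). Returns claims or None; no AS contact."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(AS_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed token, bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return None
    if claims.get("aud") != aud or claims.get("exp", 0) < time.time():
        return None
    return claims

class AuthorizationServer:
    """Minimal hypothetical AS: issues self-contained JWT access tokens and offers introspection."""
    def __init__(self):
        self.introspection_log = []   # (timestamp, resource server): what the AS gets to observe

    def issue_token(self, client_id: str, sub: str, aud: str, ttl: int = 300) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
        payload = _b64url(json.dumps({"iss": "https://as.example", "sub": sub, "aud": aud,
                                      "client_id": client_id, "exp": int(time.time()) + ttl}).encode())
        sig = hmac.new(AS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def introspect(self, token: str, rs_id: str) -> dict:
        # Every introspection request tells the AS which RS asked, and when: the point Denis and Dick raise.
        self.introspection_log.append((time.time(), rs_id))
        claims = verify_jwt(token, aud=rs_id)
        return {"active": claims is not None, **(claims or {})}

def demo():
    """Same decision both ways; only the introspection path leaves a trace at the AS."""
    as_ = AuthorizationServer()
    token = as_.issue_token("app-1", "alice", aud="https://rs.example")
    ok_remote = as_.introspect(token, "https://rs.example")["active"]      # AS log grows by one
    seen_after_remote = len(as_.introspection_log)
    ok_local = verify_jwt(token, aud="https://rs.example") is not None     # AS log unchanged
    return ok_remote, ok_local, seen_after_remote, len(as_.introspection_log)
```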