Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Fri, 17 October 2014 18:05 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 830321A01F9 for <oauth@ietfa.amsl.com>; Fri, 17 Oct 2014 11:05:00 -0700 (PDT)
X-Quarantine-ID: <7GPMfD5-JzPA>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BANNED, message contains text/plain,.exe
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7GPMfD5-JzPA for <oauth@ietfa.amsl.com>; Fri, 17 Oct 2014 11:04:58 -0700 (PDT)
Received: from mail-vc0-f169.google.com (mail-vc0-f169.google.com [209.85.220.169]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 623261A00F0 for <oauth@ietf.org>; Fri, 17 Oct 2014 11:04:58 -0700 (PDT)
Received: by mail-vc0-f169.google.com with SMTP id hy4so1016925vcb.0 for <oauth@ietf.org>; Fri, 17 Oct 2014 11:04:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=eJHVx7kV+cX7g5gcTi3YsOLM9hva7ehfjQ86W38CJfM=; b=hAT8ZZQZYp3FmE9ycxUddDknI8HVQOssFvRDp8w5fUFLrxWRx7KKwgLGb/NESxrfhQ kEJzMm75fw7ux2B0hhZg6jAZvoOZH8AKRoO2LJOntddmBh1WxVNCgFMuKCXxrcHyOUat w0tOTRLlovhemIK5i4bMxMsD8xRX+TBvBzMXQDf9toowmmWeUKdbN+1vzPwJrzMultVB UtCtowLB0UgMNcnLFNG4jBLi9GVS9zu3e+cElqxvuZKJsCkWXFTGS+CzaNwG3svIB/YU Hlr3EK0sF2HKLMn9R+E4bVqjXCxsnQDpPSg308q02QY+BYunel59SSPp+Wm/EtHWVx3q 6/uA==
X-Gm-Message-State: ALoCoQmx7M9Eo/qXfVBPaUbxYfoJz3L6h9fY4VAPZ9l2cFdtJqGDVd1Vx8qy28dY7ISvBIFLAW8i
MIME-Version: 1.0
X-Received: by 10.220.190.72 with SMTP id dh8mr8784073vcb.35.1413569097496; Fri, 17 Oct 2014 11:04:57 -0700 (PDT)
Received: by 10.31.149.205 with HTTP; Fri, 17 Oct 2014 11:04:57 -0700 (PDT)
In-Reply-To: <3E356AAD-8B64-42DF-8DAF-054DDFC58A30@ve7jtb.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <CA+k3eCQKxWri1kjjig90AhrsQ=D0H=CLfKGuSa513sKDar52Rw@mail.gmail.com> <A9B4CF00-6D06-4FE1-83EE-CC0D141C9AD3@oracle.com> <CAL02cgQO1nuozW-F6riDgo4QFkp3Gv89SSWzJcbO-0eayyGufg@mail.gmail.com> <28A05FEA-9EEA-4E95-9B9F-587120A74BAA@ve7jtb.com> <CA+k3eCS=TRmfR2to2wfJsQrkyRd3gGEPJ-x7ao4dLcN-V7ctiA@mail.gmail.com> <19E82AEC-A5DA-41E9-9370-3FF16264DEAE@ve7jtb.com> <F47576F0-9B71-4CDE-88BB-487993A2E661@oracle.com> <4E1F6AAD24975D4BA5B16804296739439BB16289@TK5EX14MBXC286.redmond.corp.microsoft.com> <54415122.9030902@qti.qualcomm.com> <3E356AAD-8B64-42DF-8DAF-054DDFC58A30@ve7jtb.com>
Date: Fri, 17 Oct 2014 11:04:57 -0700
Message-ID: <CAL02cgTQvAonog5+TX8RDqjipbLMCfxRopuiCd0p8kyqJJrMvg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="001a11c1bc68ec3d0e0505a233b6"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/TgAvXG1z4w4ExJsXqqRxFeSilLk
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, oauth <oauth@ietf.org>, The IESG <iesg@ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 18:05:00 -0000
On Fri, Oct 17, 2014 at 10:32 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: > I think this part of sec 3 of assertions states that: > > The protocol parameters and processing rules defined in this document > are intended to support a client presenting a bearer assertion to an > authorization server. The use of holder-of-key assertions are not > precluded by this document, but additional protocol details would > need to be specified. > > > > As part of defining the additional protocol details for holder-of-key/PoP > we can relax the must for audience in the profile that defines how to use > those assertion types. > I think we're on a path to convergence here. Given all this, is there any point to even mentioning HoK credentials here? The entire remainder of the spec is written as if they didn't exist. And as the text above notes, you can't actually use them with this specification. If we're going to keep the mention, could we augment the text above to make it clearer that HoK assertions are out of scope. """ The protocol parameters and processing rules defined in this document are intended to support a client presenting a bearer assertion to an authorization server. They are not suitable for use with holder-of-key assertions. While they could be used as a baseline for a holder-of-key assertion system, there would be a need for additional mechanisms (to support proof of possession of the secret key), and possibly changes to the security model (e.g., to relax the requirement for an Audience). """ --Richard > > John B. > > On Oct 17, 2014, at 2:25 PM, Pete Resnick <presnick@qti.qualcomm.com> > wrote: > > On 10/17/14 12:09 PM, Mike Jones wrote: > > This is the standard mitigation for a known set of actual attacks. We > shouldn’t even consider making it optional. > > > Do you mean you shouldn't consider making it optional for HoK? Again, > making it clear that the MUST applies only to bearer assertions, and that > future extensions for HoK might have different requirements, is all that is > being asked for here. > > pr > > -- > Pete Resnick <http://www.qualcomm.com/~presnick/> <http://www.qualcomm.com/~presnick/> > Qualcomm Technologies, Inc. - +1 (858)651-4478 > > >
- [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Phil Hunt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Phil Hunt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Pete Resnick
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Phil Hunt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Kathleen Moriarty
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones