Re: [OAUTH-WG] AD Review of draft-ietf-oauth-introspection-07

Justin Richer <jricher@mit.edu> Mon, 20 April 2015 12:25 UTC

Message-ID: <5534F011.8030200@mit.edu>
Date: Mon, 20 Apr 2015 08:24:49 -0400
From: Justin Richer <jricher@mit.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <CAHbuEH6=036uX5O_kaRJ5zTZneEqDXkF8UUuPxT6UosMfjZYaw@mail.gmail.com>
In-Reply-To: <CAHbuEH6=036uX5O_kaRJ5zTZneEqDXkF8UUuPxT6UosMfjZYaw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/U-BavsJXegv1Icc_OWIOhZvyWAk>
Subject: Re: [OAUTH-WG] AD Review of draft-ietf-oauth-introspection-07

Kathleen,

Thanks for the update. How would we best handle this situation, since 
it's really referring to additional information that's outside the scope 
of the interoperable core? Since we're not specifying what the data is, 
we're not really in a position to say what the concerns are in a 
concrete manner. I'm thinking a sentence or two like this in the privacy 
considerations section:

    If the protected resource sends additional information about the
    client's request to the authorization server using an extension of
    this specification, such as the client's IP address or other
    information, such information could have additional privacy
    considerations.



-- Justin

On 4/19/2015 7:01 PM, Kathleen Moriarty wrote:
> Hello,
>
> Thank you for your work on draft-ietf-oauth-introspection-07.  The 
> security considerations appear to be addressed well and I was glad to 
> see how a response is handled when the response code is false, to not 
> reveal information as to why.
>
> The privacy considerations look good, but I do have another question 
> that should be addressed in the draft in regard to privacy.
>
> Section 2.1 says an IP address (or something else) might be used to 
> provide context for the query; the authorization server could have
> other information about the client.  It would be good to mention 
> privacy related considerations for the client in this case in addition 
> to what gets returned in the Introspection Response (already covered).
>
> Thank you.
>
>
> -- 
>
> Best regards,
> Kathleen
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
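Neither the draft nor the messages above contain code. The following is an added illustration, not code from the draft, from Justin Richer, or from any listed implementation, of the two protocol behaviours the thread touches on: an inactive token gets a bare `{"active": false}` answer whatever the reason (unknown, expired or revoked), and extra request context of the kind section 2.1 allows, such as the client's IP address, is used for the decision only and is neither echoed back nor retained in the server's log. The parameter name `client_ip`, the token store, the per-token network policy and the frozen reference clock `NOW` are all assumptions made for the example.

```python
import hashlib
import ipaddress

# Frozen reference clock for the example (seconds since the epoch, 20 April 2015).
# A real server would read the current time; a fixed value keeps the run deterministic.
NOW = 1_429_531_200

# Constructed token store, keyed by token value. Every entry is an assumption
# made for this example; a real server would hold these in a database.
TOKENS = {
    "tok-valid": {
        "revoked": False, "exp": NOW + 3600, "scope": "read",
        "client_id": "app1", "sub": "alice",
        # Optional per-token policy: only honour the token from these networks.
        "allowed_nets": [ipaddress.ip_network("10.0.0.0/8")],
    },
    "tok-expired": {
        "revoked": False, "exp": NOW - 60, "scope": "read",
        "client_id": "app1", "sub": "alice", "allowed_nets": [],
    },
    "tok-revoked": {
        "revoked": True, "exp": NOW + 3600, "scope": "read",
        "client_id": "app1", "sub": "alice", "allowed_nets": [],
    },
}

INACTIVE = {"active": False}


def introspect(form, now=NOW):
    """Handle one introspection request and return the JSON object to send back.

    `form` is the decoded application/x-www-form-urlencoded request body.
    `token` is the standard parameter; `client_ip` is a hypothetical extension
    parameter of the kind section 2.1 permits (the draft does not name one).
    """
    entry = TOKENS.get(form.get("token", ""))

    # Unknown, expired and revoked tokens all collapse to the same answer, so
    # the caller cannot tell which case it hit.
    if entry is None or entry["revoked"] or entry["exp"] <= now:
        return dict(INACTIVE)

    # Extension context: consulted for the decision only. It is never copied
    # into the response and goes out of scope when this function returns.
    if "client_ip" in form:
        try:
            addr = ipaddress.ip_address(form["client_ip"])
        except ValueError:
            return dict(INACTIVE)  # malformed context: treat as no match
        if entry["allowed_nets"] and not any(addr in n for n in entry["allowed_nets"]):
            return dict(INACTIVE)

    return {
        "active": True,
        "scope": entry["scope"],
        "client_id": entry["client_id"],
        "sub": entry["sub"],
        "exp": entry["exp"],
    }


def audit_record(form, response):
    """Build the minimised log entry the server keeps for one request.

    The token is reduced to a short hash prefix and the client_ip context to a
    presence flag, so the log does not accumulate per-user network addresses
    that the interoperable core of the protocol never required.
    """
    token = form.get("token", "")
    return {
        "token_hash": hashlib.sha256(token.encode()).hexdigest()[:16],
        "had_client_ip": "client_ip" in form,
        "active": response["active"],
    }


if __name__ == "__main__":
    for body in ({"token": "tok-valid", "client_ip": "10.1.2.3"},
                 {"token": "tok-valid", "client_ip": "203.0.113.9"},
                 {"token": "tok-expired"},
                 {"token": "tok-revoked"},
                 {"token": "no-such-token"}):
        resp = introspect(body)
        print(body, "->", resp, "| log:", audit_record(body, resp))
```

The point of `audit_record` is the one Justin's proposed sentence gestures at: once a protected resource starts sending the client's address along with the token, the authorization server holds data it did not need before, and the privacy cost is governed by what it does with that data after the decision, not by the introspection response alone.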