Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer
Brian Campbell <bcampbell@pingidentity.com> Sat, 19 July 2014 21:18 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sat, 19 Jul 2014 15:18:05 -0600
Message-ID: <CA+k3eCTtSLoj5LbYyvXZ+HK8Dpe94CbuLqU=tBYg6Jmy0+B+Bg@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/U7YueuIa67M_mEc9MBVSQY04wU0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Thanks Kathleen, that makes sense. I do, however, think that a little 'should' would be more appropriate there than a big 'SHOULD' as there's no other use of RFC2119 language in that text. That okay by you? It would read like this:

A SAML Assertion may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it’s desirable to prevent disclosure of certain information to the client, the Subject and/or individual attributes of a SAML Assertion should be encrypted to the authorization server.

Deployments should determine the minimum amount of information necessary to complete the exchange and include only that information in an Assertion (typically by limiting what information is included in an <AttributeStatement> or omitting it altogether). In some cases the Subject can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].

On Sat, Jul 19, 2014 at 8:24 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:

> Thanks for the quick response, Brian. I think the text looks great. The only change I'd like to suggest is in the second sentence, to change the 'may' to 'SHOULD'.
>
> Best regards,
> Kathleen
>
> Sent from my iPhone
>
> On Jul 19, 2014, at 1:00 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> How about the following (which is intentionally similar to the text I just put forth for your request for privacy consideration in draft-ietf-oauth-jwt-bearer-09)?
>
> A SAML Assertion may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it’s desirable to prevent disclosure of certain information to the client, the Subject and/or individual attributes of a SAML Assertion may be encrypted to the authorization server.
>
> Deployments should determine the minimum amount of information necessary to complete the exchange and include only that information in an Assertion (typically by limiting what information is included in an <AttributeStatement> or omitting it altogether). In some cases the Subject can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>
> On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>
>> Hello,
>>
>> I just finished my review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer. The draft looks great, thank you for all of your efforts on it!
>>
>> I did notice that there were no privacy considerations pointing back to RFC6973, could that text be added? The draft came after the OAuth framework publication (referenced in the security considerations), so I am guessing that is why this was missed as there are privacy considerations in the oauth assertion draft (I completed that review as well and the draft looked great. I don't have any comments to add prior to progressing the draft).
>>
>> Thank you.
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
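As an added illustration of the data-minimization advice in the proposed text (this is example code, not part of the thread or of the draft): a Python function that keeps only an allow-listed set of attributes, drops an emptied <AttributeStatement> altogether, and optionally replaces the Subject NameID with a salted-hash pseudonym. The sample assertion, the attribute names and the salt are constructed for the example; in a real deployment this trimming happens at the issuer before the assertion is signed, since editing a signed assertion invalidates its signature.

```python
import hashlib
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)

# Constructed sample assertion (unsigned, illustration only): it carries more
# attributes than a bearer-assertion grant to an authorization server needs.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_example1" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dob"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def minimize_assertion(xml_text, allowed_attrs, pseudonym_salt=None):
    """Return (minimized XML, names of attributes kept): drop every <Attribute>
    not in allowed_attrs, remove an emptied <AttributeStatement>, and, with a
    pseudonym_salt, replace the Subject NameID by a salted SHA-256 pseudonym."""
    root = ET.fromstring(xml_text)
    kept = []
    for stmt in root.findall("saml:AttributeStatement", NS):
        for attr in list(stmt.findall("saml:Attribute", NS)):
            if attr.get("Name") in allowed_attrs:
                kept.append(attr.get("Name"))
            else:
                stmt.remove(attr)
        if len(stmt) == 0:
            root.remove(stmt)  # nothing left to say: omit the statement altogether
    if pseudonym_salt is not None:
        name_id = root.find("saml:Subject/saml:NameID", NS)
        if name_id is not None and name_id.text:
            digest = hashlib.sha256(pseudonym_salt + name_id.text.encode()).hexdigest()
            name_id.text = digest[:32]  # with a secret salt: stable per user, not reversible to the real id
            name_id.set("Format", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
    return ET.tostring(root, encoding="unicode"), kept

def attribute_names(xml_text):
    """Attribute Names present in an assertion, in document order."""
    return [a.get("Name") for a in ET.fromstring(xml_text).iter(f"{{{SAML}}}Attribute")]

def subject_name_id(xml_text):
    """The Subject NameID text, or None if the assertion has none."""
    node = ET.fromstring(xml_text).find("saml:Subject/saml:NameID", NS)
    return None if node is None else node.text
```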