Re: [OAUTH-WG] Dynamic Scopes

n-sakimura <n-sakimura@nri.co.jp> Sat, 23 June 2018 13:13 UTC

Torsten,

For the digital signature case, I feel a bit uneasy about signing the hash that was sent by the client. The signing mechanism, a bank in this case, should display what is being signed to the user before the user makes a signature. The staging strategy works here as well. The client sends the signed document to the staging server and the bank verifies the signature and shows the document to the user, where the user can view the document and, when he decides to sign it, the signature over the document's hash will be made so that it results in a mutually signed document.

Best,

Nat

Nat Sakimura
________________________________
From: OAuth <oauth-bounces@ietf.org> on behalf of Torsten Lodderstedt <torsten@lodderstedt.net>
Sent: Saturday, June 23, 2018 3:43:50 AM
To: George Fletcher
Cc: Brian Campbell; oauth
Subject: Re: [OAUTH-WG] Dynamic Scopes



> On 22 Jun 2018 at 23:08, George Fletcher <gffletch@aol.com> wrote:
>
> I would think that the scope issued to the refresh_token could represent the category or class of authorizations the refresh_token should be able to perform. For example, the kind of transactions that can be bound to access tokens. The scope issued into the access_token could be one of the "parameterized" ones. But maybe I'm not fully understanding the use case :)

Let me try to explain ;-)

The client is an insurance company wanting the customer to electronically sign a new contract (legally binding!). Signing in the end means sending a request containing the hash of the document to an API. The API will respond with a CMS object containing the signature, certificate etc. that the client will embed in the contract document (typically a PDF).

We want the user to authorize the signing request using their bank as IdP/AS. Therefore the client sends the OAuth authorization request to the AS. The actual signing request needs to be bound to client, user AND hash (document) in order to prevent fraud. Regulation (eIDAS) requires always demonstrating the sole control of the user over the whole process. The AS therefore binds (scopes) the access token to exactly this single document/signing request. If the client wants the user to sign another document, it needs to go through the whole process again.

One could think about a general signing permission represented by a refresh token, but not in the high assurance level cases I'm looking into.

Hope that helps,
Torsten.
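The binding Torsten describes, as an added illustration that is not part of the thread: the AS scopes an access token to one client, one user and one document hash, and the signing API refuses any request whose hash, client or scope does not match what was authorized. The HMAC-tagged token format, the shared key and the client/user names are constructed for the example; a real deployment would use signed JWTs or introspection.

```python
"""Added example (not from the thread): an access token bound to a single
signing request (client, user, document hash) and checked by the signing API."""
import base64
import hashlib
import hmac
import json
from typing import Optional

AS_KEY = b"constructed-shared-key"  # constructed; shared by the AS and the signing API


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def doc_hash(document: bytes) -> str:
    """Hash the client wants signed; the AS binds the token to exactly this value."""
    return hashlib.sha256(document).hexdigest()


def issue_token(client_id: str, sub: str, document: bytes) -> str:
    """AS side: scope the token to this client, this user and this one document."""
    claims = {"client_id": client_id, "sub": sub,
              "scope": "sign", "doc_hash": doc_hash(document)}
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    tag = b64url(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_token(token: str) -> Optional[dict]:
    """Check the integrity tag; return the claims or None if the token was altered."""
    body, _, tag = token.partition(".")
    expected = b64url(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    pad = "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(body + pad))


def sign_request(token: str, client_id: str, requested_hash: str) -> str:
    """Signing API: sign only the hash this token was issued for, for this client."""
    claims = verify_token(token)
    if claims is None:
        return "rejected: bad token"
    if claims["client_id"] != client_id:
        return "rejected: token issued to another client"
    if "sign" not in claims["scope"].split():
        return "rejected: insufficient scope"
    if not hmac.compare_digest(claims["doc_hash"], requested_hash):
        return "rejected: hash not bound to this authorization"
    return f"signed:{requested_hash[:16]}"  # stand-in for the CMS object
```

Reusing the token for a second document fails the hash check, so the client has to run the whole authorization again, which is the property the thread is after.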