Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Wed, 12 November 2014 01:30 UTC
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BB7E146@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Tue, 11 Nov 2014 15:30:30 -1000
Message-ID: <CAL02cgRLyC2ETzojVRaWMSb4LjZdm6ObvTFgLqZ-DEFHs1t0jg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/VAoyVeDYDmS1EKIGjTD-4OIYqck
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, The IESG <iesg@ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
Looks good to me, thanks. I cleared.

--Richard

On Tue, Nov 11, 2014 at 2:33 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Richard, yours are the only discusses on draft-ietf-oauth-assertions,
> draft-ietf-oauth-saml2-bearer, and draft-ietf-oauth-jwt-bearer, and they’re
> all about the audience requirement. Brian added text addressing this in
> the last paragraph of
> https://tools.ietf.org/html/draft-ietf-oauth-assertions-18#section-3.
> Are you willing to clear these DISCUSSes on this basis?
>
> If not, can we try to talk before the OAuth meeting tomorrow morning?
> I’ll be leading the assertions drafts discussions tomorrow since Brian
> won’t be able to attend.
>
> Thanks,
> -- Mike
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Friday, October 17, 2014 8:23 AM
> *To:* Richard Barnes
> *Cc:* John Bradley; draft-ietf-oauth-assertions@tools.ietf.org; Pete Resnick; oauth; The IESG; oauth-chairs@tools.ietf.org
> *Subject:* Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
>
> That text works for me, Richard. Thanks.
>
> I will go with Richard's text in the next draft, unless I hear objections.
>
> FWIW, the mention of HoK was a result of a review and suggestions from
> Hannes some time ago.
>
> http://www.ietf.org/mail-archive/web/oauth/current/msg09437.html
> https://tools.ietf.org/rfcdiff?url2=draft-ietf-oauth-assertions-04.txt
>
> It could be removed, to your point, but I think your proposed text is very
> clear about the scope and might help prevent confusion.
>
> On Fri, Oct 17, 2014 at 12:04 PM, Richard Barnes <rlb@ipv.sx> wrote:
>> On Fri, Oct 17, 2014 at 10:32 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>> I think this part of sec 3 of assertions states that:
>>>
>>> The protocol parameters and processing rules defined in this document
>>> are intended to support a client presenting a bearer assertion to an
>>> authorization server. The use of holder-of-key assertions are not
>>> precluded by this document, but additional protocol details would
>>> need to be specified.
>>>
>>> As part of defining the additional protocol details for holder-of-key/PoP
>>> we can relax the must for audience in the profile that defines how to use
>>> those assertion types.
>>
>> I think we're on a path to convergence here.
>>
>> Given all this, is there any point to even mentioning HoK credentials
>> here? The entire remainder of the spec is written as if they didn't
>> exist. And as the text above notes, you can't actually use them with this
>> specification.
>>
>> If we're going to keep the mention, could we augment the text above to
>> make it clearer that HoK assertions are out of scope.
>>
>> """
>> The protocol parameters and processing rules defined in this document
>> are intended to support a client presenting a bearer assertion to an
>> authorization server. They are not suitable for use with holder-of-key
>> assertions. While they could be used as a baseline for a holder-of-key
>> assertion system, there would be a need for additional mechanisms
>> (to support proof of possession of the secret key), and possibly changes
>> to the security model (e.g., to relax the requirement for an Audience).
>> """
>>
>> --Richard
>>
>>> John B.
>>>
>>> On Oct 17, 2014, at 2:25 PM, Pete Resnick <presnick@qti.qualcomm.com> wrote:
>>>
>>>> On 10/17/14 12:09 PM, Mike Jones wrote:
>>>>> This is the standard mitigation for a known set of actual attacks. We
>>>>> shouldn’t even consider making it optional.
>>>>
>>>> Do you mean you shouldn't consider making it optional for HoK? Again,
>>>> making it clear that the MUST applies only to bearer assertions, and that
>>>> future extensions for HoK might have different requirements, is all that is
>>>> being asked for here.
>>>>
>>>> pr
>>>>
>>>> --
>>>> Pete Resnick <http://www.qualcomm.com/~presnick/>
>>>> Qualcomm Technologies, Inc. - +1 (858)651-4478
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
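The thread above turns on the Audience requirement being the mitigation that stops a bearer assertion issued for one authorization server from being accepted by another. As an added example, not from the draft or from any participant in the thread, this is the check an authorization server applies to the claims set of a bearer assertion once its signature has been verified; the audience identifier and the sample claims sets are constructed placeholders.

```python
import json
import time

# Constructed value: the identifier this authorization server accepts as its
# audience (the assertions draft allows the token endpoint URL; placeholder).
THIS_AS_AUDIENCE = "https://as.example.com/token"


class AssertionRejected(Exception):
    """A bearer assertion failed the audience or lifetime checks."""


def check_bearer_assertion(claims_json, now, expected_audience=THIS_AS_AUDIENCE):
    """Apply the audience and lifetime rules to the claims set of a bearer
    assertion whose signature has already been verified. Returns the claims."""
    claims = json.loads(claims_json)
    # Audience is mandatory: without it, an assertion obtained from the issuer
    # could be accepted by any authorization server that trusts that issuer.
    aud = claims.get("aud")
    if aud is None:
        raise AssertionRejected("missing aud")
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in audiences:
        raise AssertionRejected("aud %r does not identify this server" % (audiences,))
    # Expiry is mandatory too; bearer assertions are meant to be short-lived.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AssertionRejected("missing or past exp")
    if "iss" not in claims or "sub" not in claims:
        raise AssertionRejected("missing iss or sub")
    return claims


def is_accepted(claims_json, now=None, expected_audience=THIS_AS_AUDIENCE):
    """Boolean form of the check, for the samples below."""
    try:
        check_bearer_assertion(claims_json, time.time() if now is None else now, expected_audience)
        return True
    except (AssertionRejected, ValueError):
        return False


# Constructed sample claims sets (not real tokens); NOW is a fixed clock.
NOW = 1415755830
GOOD = json.dumps({"iss": "https://idp.example.net", "sub": "alice",
                   "aud": "https://as.example.com/token", "exp": NOW + 300})
OTHER_AS = json.dumps({"iss": "https://idp.example.net", "sub": "alice",
                       "aud": "https://other.example.org/token", "exp": NOW + 300})
NO_AUD = json.dumps({"iss": "https://idp.example.net", "sub": "alice", "exp": NOW + 300})
```

OTHER_AS is the case the thread's MUST exists for: a perfectly valid assertion, just not issued for this server, and the audience check is the only thing that rejects it.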