[OAUTH-WG] FW: Subject claim ... was : About draft-ietf-oauth-access-token-jwt-10

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 28 September 2020 16:12 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AEEA3A0FC9 for <oauth@ietfa.amsl.com>; Mon, 28 Sep 2020 09:12:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.136
X-Spam-Level:
X-Spam-Status: No, score=0.136 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, LONGWORDS=2.035, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=9p+tLfe9; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=9p+tLfe9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JfJ9-XdUUYGM for <oauth@ietfa.amsl.com>; Mon, 28 Sep 2020 09:12:38 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70047.outbound.protection.outlook.com [40.107.7.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B69F3A0FC6 for <oauth@ietf.org>; Mon, 28 Sep 2020 09:12:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nQq/gAbay+8qwH4eFRDI8FScbjPxjmu0aMROusg8+Ew=; b=9p+tLfe9qBVmj8yTHDzYu6wlFnkMx+jb+y72cB4KU04ONQhveJJ3VDTyJKAPdPBcyWdSbJIycPUGDOwvZmrzWq1hxa/vx+GBzTkcnPJ1XMABGOCB/8zXm7RTykhLWT2hHx+jJqbt+GTpeh/WYTH4/wQyHdefVwA43xQ6SPOFC3M=
Received: from AM6P195CA0069.EURP195.PROD.OUTLOOK.COM (2603:10a6:209:87::46) by AM0PR08MB5170.eurprd08.prod.outlook.com (2603:10a6:208:15c::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.22; Mon, 28 Sep 2020 16:12:34 +0000
Received: from AM5EUR03FT015.eop-EUR03.prod.protection.outlook.com (2603:10a6:209:87:cafe::4e) by AM6P195CA0069.outlook.office365.com (2603:10a6:209:87::46) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.20 via Frontend Transport; Mon, 28 Sep 2020 16:12:34 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT015.mail.protection.outlook.com (10.152.16.132) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.21 via Frontend Transport; Mon, 28 Sep 2020 16:12:34 +0000
Received: ("Tessian outbound 7161e0c2a082:v64"); Mon, 28 Sep 2020 16:12:34 +0000
X-CR-MTA-TID: 64aa7808
Received: from a4cd428eb506.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id B79E6CDF-B68B-4A0E-BF44-CFF744F9F048.1; Mon, 28 Sep 2020 16:12:29 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id a4cd428eb506.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 28 Sep 2020 16:12:29 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=chIB67oSfRCL7tRmvs1PV8XXrt6PqtMjwN26DLE3OpCLmRIf2Qx0/fUrhqN+xHAF8Mp2z2bQNxctscoQUU833Ng0zoxUo95lvrEnLgotsSG/EUUm23oysS/0styzn2Hwc6Ydms6vVMD6lUCDMY3cBZj5af/76jO9RcBVhCsF5jrZ2xQqU/Ko9Nom8iGSvZ3aIXlibt2aAzT2qfVDTXKxdaQWTrgbOnArBzLy123obNcRzNYr52F7OhLRl2rqmLVYOUgl/H+4pTclCfHM8ZfEMkIwtT6xNz1/p708sNqi8JpYNMNtrF2ncubM1PyQOvIEPFXbjiUraW572K2JzlBvNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nQq/gAbay+8qwH4eFRDI8FScbjPxjmu0aMROusg8+Ew=; b=MkNI67byYSDeI0flg4PIvg2v2JQ8wY//Kla85VsjqfGqqCaTr9IDsMfrUhZi8leRqf98aEQe/FGrBS5cv4OMOeGI8sRCOlBd4xHI6hKdOouh3DwRodTehmIE6iR0OiA++Bpn0SPU+8MIWPFOsE/ePy0aFniJM5FRE1HVqQPJED03KfU454wH/c6wrD58bv1iFXui3nViIPtGhN4iILCX+pq8J6+fDce7VTdPJF7+C981ZTvHn9ZMO29+F98AJJ2vVd5S/0bOQ5K5xbe09rEg8P5cZvlrtut54fEM2Nhb72eTCYqspeWlqCuRCN3GVXtslDHyHPL6cj4yt01+Qw5qXQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nQq/gAbay+8qwH4eFRDI8FScbjPxjmu0aMROusg8+Ew=; b=9p+tLfe9qBVmj8yTHDzYu6wlFnkMx+jb+y72cB4KU04ONQhveJJ3VDTyJKAPdPBcyWdSbJIycPUGDOwvZmrzWq1hxa/vx+GBzTkcnPJ1XMABGOCB/8zXm7RTykhLWT2hHx+jJqbt+GTpeh/WYTH4/wQyHdefVwA43xQ6SPOFC3M=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM4PR08MB2820.eurprd08.prod.outlook.com (2603:10a6:205:d::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.28; Mon, 28 Sep 2020 16:12:27 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::900e:c64d:a006:4860]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::900e:c64d:a006:4860%6]) with mapi id 15.20.3412.029; Mon, 28 Sep 2020 16:12:27 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Subject claim ... was : [OAUTH-WG] About draft-ietf-oauth-access-token-jwt-10
Thread-Index: AdaRvHJ/WzYAYLEuSMGyoMFlagaZKwAhnQ2AAAD8rNAABaaBAADVJYPw
Date: Mon, 28 Sep 2020 16:12:27 +0000
Message-ID: <AM0PR08MB37163F6697B965F0A5E35CB0FA350@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <AM0PR08MB3716802774CEC2D1A31BF070FA380@AM0PR08MB3716.eurprd08.prod.outlook.com> <dc416bca-2ad3-e746-625d-2f209d69bceb@free.fr> <AM0PR08MB3716A74B221FFD9DD63CD5AFFA390@AM0PR08MB3716.eurprd08.prod.outlook.com> <671e32a1-9f1b-5bc4-4ebd-eea563afbc3c@free.fr>
In-Reply-To: <671e32a1-9f1b-5bc4-4ebd-eea563afbc3c@free.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: CFA3096F4849594C853FB612348036A5.0
x-checkrecipientchecked: true
Authentication-Results-Original: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=arm.com;
x-originating-ip: [80.92.123.16]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 7803ec24-bf59-4941-4256-08d863c94fa7
x-ms-traffictypediagnostic: AM4PR08MB2820:|AM0PR08MB5170:
X-Microsoft-Antispam-PRVS: <AM0PR08MB517078781B88D7C001AAB51CFA350@AM0PR08MB5170.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:7691;OLM:7691;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: idvRpy2TC0JRSE09G3nkok58fWBDOr8X99rPDhtDe3S7e8EpdBUgOlNRGyXq5no2dyqVhrs2YuZHgmNNbLOjrK8PiLhNnh2JL4N+7dtP26plqyXaD9ysLXZLcGS0QGadFopT1yeWC9DoQKtKMfdjwvXn2fJvfCz9726ZtgzNZhALG0rJrTZybmOyEr/2dmJ73PIdPIfUpxYDuou6/eujYXtOowxGIJF0wQMajYzOa3dfinLFLXFe7hxmvAXFkOb2zL/iZdrO4OmLqVumCB/vD/ZcjViHgtnJXIb0KAM5byVdiqfZtjdzcrJ+dq3Hhyfs3TEaqez6c1kGhixgWgYwYfjzvIwdOQRB+nQwKCWCzdTmJmBYzLYoYLAu0lJ7kR4RNI0vF95dS9gzplCnzU+RnEj5T6yrSn0yU6X6rgl90nB8v2/ANBhlmfMDsMRY5t7LzVOI/bdNEHcEMQTUteO7rMsO5cHboNvTQWBshl7g9BGMfNwIYn8iuy2NGJGobn7V
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(346002)(396003)(39850400004)(376002)(366004)(316002)(478600001)(6916009)(52536014)(8936002)(8676002)(66446008)(64756008)(66556008)(66476007)(86362001)(33656002)(26005)(71200400001)(7696005)(6506007)(53546011)(186003)(66946007)(76116006)(5660300002)(2906002)(83380400001)(166002)(55016002)(9686003)(15866825006); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Q6zhwmyXEr7t72wP8AESER0F0Nu6HudWuCLcrfwq39xPkkEzwn6K4KZYCyxShgrAyQFmI/Aki9oe9CGPivTJI7h7STg1StHrChdw68RIxsVx7DRRtJuFazXxwAHUS+iIKgx++mtJrFcsZLEPY3+8DqDaof/nPE1ZFrLmNCyq+4D4n4/K9xbsAh4slbrd6MdiNXm9Ge0sd6FY8r+e+471xpHZtLCMVxjzwx1b3lo62w/8EDhxpuLYWlE2zsTEHvl9ai+lMWn10SOlTYp4Oi+6wFMengpl3Fu3tBVsl1/F83NBjP2YOxAxIVdi3Livli9KzQR1ZA6UwLlwaBbglkcRPrmJBpMSV+gWkW8Pmu19lnQdV6ODzhXw4ZR3ZXrxdhRIJ5qhKu3kmoWDJT3NpRsYOiKppSpFH6kYCFk6rZgubWp++n5g9c1HpRhkJmhd2zFEnnKLl3J5/6pBE4wlIMwRShgaHA/vyTiDIOpw7d284lgRUirsO6cacGk48DtwE/1q3jnleacl1VRJRftaxj3rM4AGBlLCcqjBSICPbTg4Uz6cgeypCjmk7yphuCW2n5gEWTOlKUaqNtk2Q+feLg8Weuam1GjDBRVVUGTwKnIlXascdfit19kh0lIdBkdXh+JF7/yn/h7lTO0N/dOqov+Anw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR08MB37163F6697B965F0A5E35CB0FA350AM0PR08MB3716eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR08MB2820
Original-Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT015.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: fa9573c6-b512-4c3f-668c-08d863c94b46
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: x9pwlJo9xpoxITmMczxGNifmK4216DdDV4I4Bxb5hPAJjqrf7gPWVcqwdXZh11qcX0UN+A+N12Xw4fcvM4kiEgctsK05sQvqLWwtLe9iFc+1KuA/XWCNYJxfnjngamdli5pT5AXfcMvkcgKVSlPT8fB60yXGTg/B8XP6u+YkSoBDMb1aN3L+orTpRfv6GCt/GxAuyADyk0ZES7fAUOc1SK8011HjOhWuEGjkFW55+xlmEoGud9tFdjSyknmolP4eKtIidSf6qLW6b1VZn6sHzxEASwErZTLBkCK33wt8XM1FZJqJVwLGPyaU8BMDziQ2SI11h0UArVGAvQ6cYqcApUhynnCHbUZhasCrbUxqCrIwfsLsSS3r/olhtzD18As01rjc5lwrm+lg5PEoCUyszZVzO0EkmZ3088QrqznuAFP5kM3Bo4h+LH1lX8V6PlyTKmf4r9u5CNrGlOSfHEVleRF5KnuSFfWatKfamdHYHhxDDhVi/t6Ow8LzvoLHzSL0fLJo2YMOsMekMdXMLBRL5CePHT+rhx4hYJr3z9aP+6I=
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(346002)(376002)(396003)(136003)(39850400004)(46966005)(166002)(2906002)(52536014)(336012)(9686003)(86362001)(30864003)(33964004)(47076004)(83380400001)(316002)(8936002)(186003)(70586007)(70206006)(6506007)(356005)(53546011)(82740400003)(26005)(33656002)(55016002)(81166007)(7696005)(8676002)(6916009)(82310400003)(478600001)(5660300002)(36906005)(15866825006); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Sep 2020 16:12:34.8054 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 7803ec24-bf59-4941-4256-08d863c94fa7
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT015.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB5170
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4JnfajfjNESi3eKX8JWJUcNRVVA>
Subject: [OAUTH-WG] FW: Subject claim ... was : About draft-ietf-oauth-access-token-jwt-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2020 16:12:42 -0000

FYI: Forwarding this email to the list so that we can continue the conversation here.

Below, I am trying to find out whether there is room for improvement on the text regarding the uniqueness of the “sub” claim.

Ciao
Hannes


From: Denis <denis.ietf@free.fr>
Sent: Thursday, September 24, 2020 12:29 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: vittorio.bertocci@auth0.com
Subject: Re: Subject claim ... was : [OAUTH-WG] About draft-ietf-oauth-access-token-jwt-10

Hi Hannes,

You apparently missed my second email from this morning where I said that the oauth mailing list was not copied whereas it should.
Hi Denis,

I am trying to understand the text written below since I believe the old and the new text actually say something different.

>  When the "sub" claim is scoped to be locally unique in the context of the issuer, in the event of resource servers collusion, it can be used to correlate principals.

When the "sub" claim is scoped to be locally unique in the context of the issuer then this does not automatically mean that two resource servers can find out that two subsequent requests are actually from the same principal.

I am sorry but it does mean this. The current (old) text is making interpretations of section 4.1.2 from RFC 7519 that are not in accordance with it.

This is a follow up of the "four flavours" I already mentioned that you were not able to understand.

I don't argue that assigning different values to identify the principal would be a bad thing, but unfortunately the "sub" attribute cannot be used for this.

The new text I propose is strictly sticking to the two "flavours" of the definition from RFC 7519 and hence cannot consider four flavours.

A globally unique identifier cannot be a one-time identifier. A good example of a globally unique identifier is an email address.

I hope this clarifies the issue.

Since at this time, the whole mailing list has been kept ignorant of the exchanges we had this morning, I would recommend
that you answer to the Comments 3 of my original email as if the exchanges we had this morning did not existed.

Denis


The old text explains how this works and says
“
Similarly, if a solution requires preventing a resource server from correlating the
   principal’s activity within the resource itself, the authorization server should assign different "sub" values for every JWT access
   token issued.
“

Your next text does not have that case anymore.

Even the use of a globally unique identifier does not allow correlation if you issue one-time identifiers and use the access tokens only with the audience-restricted resource servers.

I believe that the distinction between locally scoped to the issuer and globally scoped isn’t actually that relevant because even a locally scoped subject claim can easily be turned into a globally scoped one if you append the issuer identifier to it.

Am I missing something here?

Ciao
Hannes

From: Denis <denis.ietf@free.fr><mailto:denis.ietf@free.fr>
Sent: Thursday, September 24, 2020 9:18 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com><mailto:Hannes.Tschofenig@arm.com>; vittorio.bertocci@auth0.com<mailto:vittorio.bertocci@auth0.com>
Subject: Re: Subject claim ... was : [OAUTH-WG] About draft-ietf-oauth-access-token-jwt-10

Hello Hannes,

You have deleted the original text that I sent about Comment 3 and hence the thread has been broken.

I am proposing to change the following text in section 6 (Privacy Considerations):

  This profile mandates the presence of the "sub" claim in every JWT access token, making it possible for resource servers to rely on that
   information for correlating incoming requests with data stored  locally for the authenticated principal.  Although the ability to
   correlate requests might be required by design in many scenarios, there are scenarios where the authorization server might want to
   prevent correlation.  The "sub" claim should be populated by the authorization servers according to a privacy impact assessment.  For
   instance, if a solution requires preventing tracking principal activities across multiple resource servers, the authorization server
   should ensure that JWT access tokens meant for different resource servers have distinct "sub" values that cannot be correlated in the
   event of resource servers collusion.  Similarly, if a solution requires preventing a resource server from correlating the
   principal’s activity within the resource itself, the authorization server should assign different "sub" values for every JWT access
   token issued.  In turn, the client should obtain a new JWT access token for every call to the resource server, to ensure that the
   resource server receives different "sub" and "jti" values at every call, thus preventing correlation between distinct requests.

by the following text:

  This profile mandates the presence of the "sub" claim in every JWT access token, making it possible for resource servers to rely on
  that information for correlating incoming requests with data stored  locally for the authenticated principal. The "sub" claim is scoped
  to be either locally unique in the context of the issuer or be globally unique (see section 4.1.2 from RFC 7519).

  When the "sub" claim is scoped to be locally unique in the context of the issuer, in the event of resource servers collusion, it can be used to correlate principals.

  When the "sub" claim is scoped to be globally unique, in the event of resource servers collusion, it can be used to correlate principals not only between resource servers
  but it can also be used to correlate principals between resource servers and other servers that do not implement this protocol but are using the same globally unique identifiers.

Please re-use the original mail, to insert your comments.

Denis



Hi Denis,

I am confused about what you are proposing here:

-----

RFC 7519 defines the sub claim in the following way:
4.1.2.  "sub" (Subject) Claim

   The "sub" (subject) claim identifies the principal that is the subject of the JWT.  The claims in a JWT are normally statements
   about the subject.  The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.
   The processing of this claim is generally application specific.  The "sub" value is a case-sensitive string containing a StringOrURI
   value.  Use of this claim is OPTIONAL.
Change into:

   This profile mandates the presence of the "sub" claim in every JWT access token, making it possible for resource servers to rely on
   that information for correlating incoming requests with data stored  locally for the authenticated principal. The "sub" claim is scoped
   to be either locally unique in the context of the issuer or be globally unique (see section 4.1.2 from RFC 7519).

   When the "sub" claim is scoped to be locally unique in the context of the issuer,  in the event of resource servers collusion, it can be used to correlate principals.

  When the "sub" claim is scoped to be globally unique, in the event of resource servers collusion, it can be use d to correlate principals not only between resource servers
  but it can also be used to correlate principals between resource servers and other servers that do not implement this protocol but are using the same globally unique identifiers

-----

The current text of the draft says the following:

   sub  REQUIRED - as defined in Section 4.1.2 of [RFC7519]<https://tools.ietf.org/html/rfc7519#section-4.1.2>.2>.  In case of
      access tokens obtained through grants where a resource owner is
      involved, such as the authorization code grant, the value of "sub"
      SHOULD correspond to the subject identifier of the resource owner.
      In case of access tokens obtained through grants where no resource
      owner is involved, such as the client credentials grant, the value
      of "sub" SHOULD correspond to an identifier the authorization
      server uses to indicate the client application. See Section 5<https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-08#section-5> for
      more details on this scenario.  Also, see Section 6<https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-08#section-6> for a
      discussion about how different choices in assigning "sub" values
      can impact privacy.

The description about the scope of the value is found in RFC 7519 and why do we need to discuss this in this draft. What do we gain from doing so?
Sorry if I am missing the point.

Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.



IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.