Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

Brian Campbell <bcampbell@pingidentity.com> Sun, 20 July 2014 14:48 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80DE81B2818 for <oauth@ietfa.amsl.com>; Sun, 20 Jul 2014 07:48:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id txlS9Sk-Z93d for <oauth@ietfa.amsl.com>; Sun, 20 Jul 2014 07:48:29 -0700 (PDT)
Received: from na3sys009aog107.obsmtp.com (na3sys009aog107.obsmtp.com [74.125.149.197]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 477551B2814 for <oauth@ietf.org>; Sun, 20 Jul 2014 07:48:29 -0700 (PDT)
Received: from mail-ie0-f174.google.com ([209.85.223.174]) (using TLSv1) by na3sys009aob107.postini.com ([74.125.148.12]) with SMTP ID DSNKU8vWvDsEyvK0qJMiRpXfJA/mQUWTs2JI@postini.com; Sun, 20 Jul 2014 07:48:29 PDT
Received: by mail-ie0-f174.google.com with SMTP id rp18so6085422iec.33 for <oauth@ietf.org>; Sun, 20 Jul 2014 07:48:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=lFWjNY80aMHLNYjE2AVbs3nHDLobrSN60qCNshxrFWY=; b=DTFyRdPvpPki2TL3fP8VumMUwJ8RMPCK/TJgjkz3pjm9+Ko4+tu8MQCuVb08/s1sAG u+kw9Kjr7TAYzpMzaNFktF/JMb8Wko4AqOfKtuZVuNygjXEVhCHLvpIpeNOQH16RBxQo dJx8e0GACyji1JuSjRocJVLY+rV+84/vODZlEYFYh+vZ5SW1pTNEGapn5TZuqzBt25iS 4Wc7PpHpEo+IpzHTLWfMnwzNV2hm/R9o3YA6mxtefIw7VQT9KAeEYrwyIi/BIjpICRp3 Jo4gZJigZcd+hpK9ccFXtWzYDFTX5IfOeWO1VmhxOD9qNhWA1LpWfMZrT4OjBQ8CYhwZ iz4Q==
X-Gm-Message-State: ALoCoQkV5zdPWhgHskX7eafNSyBI2VzVt+hWyJluv2I1vpyOjLIw0i0ohyg1GM684SlmZLO7Wugr67VVvz7Zy9urziqtMy2NcP8gKklKOOG27I9a/mFQ/Bkn8AXH/fbUf6mtVVxlP18m
X-Received: by 10.42.82.6 with SMTP id b6mr4553057icl.51.1405867708545; Sun, 20 Jul 2014 07:48:28 -0700 (PDT)
X-Received: by 10.42.82.6 with SMTP id b6mr4553041icl.51.1405867708411; Sun, 20 Jul 2014 07:48:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.233.170 with HTTP; Sun, 20 Jul 2014 07:47:58 -0700 (PDT)
In-Reply-To: <CAHbuEH4FBbnt==99uS=WKnP7zYL7=9yGZ_hHwRZvFXQh+RR5FA@mail.gmail.com>
References: <CAHbuEH6w9mfHLwN8WMJHHV5qZ8MzLJY6ky-Yp_xg39WfpGbC3g@mail.gmail.com> <CA+k3eCR__YW3e1Ca0+3ix3Y2MuGjdwaP=YHEjpnCcxshTOoRkA@mail.gmail.com> <60D7F5DB-0574-4F58-ADCB-C9E4D9850401@gmail.com> <CA+k3eCTtSLoj5LbYyvXZ+HK8Dpe94CbuLqU=tBYg6Jmy0+B+Bg@mail.gmail.com> <CAHbuEH4FBbnt==99uS=WKnP7zYL7=9yGZ_hHwRZvFXQh+RR5FA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 20 Jul 2014 07:47:58 -0700
Message-ID: <CA+k3eCQPnBh_JJN=H-ZCG+VVEykDenTQu8tBhbp3kx+50Ua1PQ@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=485b397dd7015c8ad104fea115ad
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/W6Axintbxj-__HPVeUeRMt3m4PM
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Jul 2014 14:48:31 -0000

Great, thanks Kathleen. I'll get new drafts published soon(ish).


On Sun, Jul 20, 2014 at 6:18 AM, Kathleen Moriarty <
kathleen.moriarty.ietf@gmail.com> wrote:

> Thanks, Brian.  That looks good to me.
>
> Kathleen
>
>
> On Sat, Jul 19, 2014 at 5:18 PM, Brian Campbell <
> bcampbell@pingidentity.com> wrote:
>
>> Thanks Kathleen, that makes sense. I do, however, think that a little
>> 'should' would be more appropriate there than a big 'SHOULD' as there's no
>> other use of RFC2119 language in that text. That okay by you? It would read
>> like this:
>>
>>
>> A SAML Assertion may contain privacy-sensitive information and, to
>> prevent disclosure of such information to unintended parties, should only
>> be transmitted over encrypted channels, such as TLS. In cases where it’s
>> desirable to prevent disclosure of certain information the client, the
>> Subject and/or individual attributes of a SAML Assertion should be
>> encrypted to the authorization server.
>>
>>
>> Deployments should determine the minimum amount of information necessary
>> to complete the exchange and include only that information in an Assertion
>> (typically by limiting what information is included in an
>> <AttributeStatement> or omitting it altogether). In some cases
>> the Subject can be a value representing an anonymous or pseudonymous user
>> as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0
>> Client Authentication and Authorization Grants [*http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1
>> <http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1>*
>> ].
>>
>>
>> On Sat, Jul 19, 2014 at 8:24 AM, Kathleen Moriarty <
>> kathleen.moriarty.ietf@gmail.com> wrote:
>>
>>> Thanks for the quick response, Brian.  I think the text looks great.
>>>  The only change I'd like to suggest is in the second sentence, to change
>>> the 'may' to 'SHOULD'.
>>>
>>> Best regards,
>>> Kathleen
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 19, 2014, at 1:00 AM, Brian Campbell <bcampbell@pingidentity.com>
>>> wrote:
>>>
>>> How about the following (which is intentionally similar to the text I
>>> just put forth for your request for privacy consideration in
>>> draft-ietf-oauth-jwt-bearer-09)?
>>>
>>> A SAML Assertion may contain privacy-sensitive information and, to
>>> prevent disclosure of such information to unintended parties, should only
>>> be transmitted over encrypted channels, such as TLS. In cases where it’s
>>> desirable to prevent disclosure of certain information the client, the
>>> Subject and/or individual attributes of a SAML Assertion may be encrypted
>>> to the authorization server.
>>>
>>> Deployments should determine the minimum amount of information necessary
>>> to complete the exchange and include only that information in an Assertion
>>> (typically by limiting what information is included in an
>>> <AttributeStatement> or omitting it altogether). In some cases
>>> the Subject can be a value representing an anonymous or pseudonymous user
>>> as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0
>>> Client Authentication and Authorization Grants [*http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1
>>> <http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1>*
>>> ].
>>>
>>>
>>> On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty <
>>> kathleen.moriarty.ietf@gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I just finished my review of
>>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer.  The
>>>> draft looks great, thank you for all of your efforts on it!
>>>>
>>>> I did notice that there were no privacy considerations pointing back to
>>>> RFC6973, could that text be added?  The draft came after the Oauth
>>>> framework publication (refernced in the security considerations), so I am
>>>> guessing that is why this was missed as there are privacy considerations in
>>>> the oauth assertion draft (I competed that review as well and the draft
>>>> looked great.  I don't have any comments to add prior to progressing the
>>>> draft).
>>>>
>>>> Thank you.
>>>>
>>>> --
>>>>
>>>> Best regards,
>>>> Kathleen
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>
>>
>
>
> --
>
> Best regards,
> Kathleen
>