Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer
Brian Campbell <bcampbell@pingidentity.com> Sun, 20 July 2014 14:48 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 20 Jul 2014 07:47:58 -0700
Message-ID: <CA+k3eCQPnBh_JJN=H-ZCG+VVEykDenTQu8tBhbp3kx+50Ua1PQ@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/W6Axintbxj-__HPVeUeRMt3m4PM
Cc: "oauth@ietf.org" <oauth@ietf.org>
Great, thanks Kathleen. I'll get new drafts published soon(ish).

On Sun, Jul 20, 2014 at 6:18 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> Thanks, Brian. That looks good to me.
>
> Kathleen
>
> On Sat, Jul 19, 2014 at 5:18 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>> Thanks Kathleen, that makes sense. I do, however, think that a little 'should' would be more appropriate there than a big 'SHOULD' as there's no other use of RFC2119 language in that text. That okay by you? It would read like this:
>>
>> A SAML Assertion may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it's desirable to prevent disclosure of certain information to the client, the Subject and/or individual attributes of a SAML Assertion should be encrypted to the authorization server.
>>
>> Deployments should determine the minimum amount of information necessary to complete the exchange and include only that information in an Assertion (typically by limiting what information is included in an <AttributeStatement> or omitting it altogether). In some cases the Subject can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>>
>> On Sat, Jul 19, 2014 at 8:24 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>>> Thanks for the quick response, Brian. I think the text looks great. The only change I'd like to suggest is in the second sentence, to change the 'may' to 'SHOULD'.
>>>
>>> Best regards,
>>> Kathleen
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 19, 2014, at 1:00 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>>
>>> How about the following (which is intentionally similar to the text I just put forth for your request for privacy consideration in draft-ietf-oauth-jwt-bearer-09)?
>>>
>>> A SAML Assertion may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it's desirable to prevent disclosure of certain information to the client, the Subject and/or individual attributes of a SAML Assertion may be encrypted to the authorization server.
>>>
>>> Deployments should determine the minimum amount of information necessary to complete the exchange and include only that information in an Assertion (typically by limiting what information is included in an <AttributeStatement> or omitting it altogether). In some cases the Subject can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>>>
>>> On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>>>> Hello,
>>>>
>>>> I just finished my review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer. The draft looks great, thank you for all of your efforts on it!
>>>>
>>>> I did notice that there were no privacy considerations pointing back to RFC6973, could that text be added? The draft came after the OAuth framework publication (referenced in the security considerations), so I am guessing that is why this was missed as there are privacy considerations in the OAuth assertion draft (I completed that review as well and the draft looked great. I don't have any comments to add prior to progressing the draft).
>>>>
>>>> Thank you.
>>>>
>>>> --
>>>> Best regards,
>>>> Kathleen
>
> --
> Best regards,
> Kathleen
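The privacy text being agreed on above asks deployments to include only the attributes an exchange actually needs (trimming or dropping the <AttributeStatement>) and, where possible, to use a pseudonymous Subject. The following is an added example of how an authorization server or issuing deployment might enforce that minimization before an assertion leaves the building; it is not code from the draft, the thread, or any of the participants' products. The sample assertion, the attribute names, and the allow-list policy are constructed for illustration; the SAML 2.0 namespace and NameID format URIs are the standard OASIS identifiers.

```python
"""Attribute minimization check for a SAML 2.0 Assertion.

Added example (not from draft-ietf-oauth-saml2-bearer or the thread). Only the
Python standard library is used; the sample assertion and policy are constructed.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Standard NameID formats that do not directly name the user; a Subject using
# one of these is the "anonymous or pseudonymous user" case the draft mentions.
PSEUDONYMOUS_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

# Constructed sample: an over-sharing issuer puts far more into the assertion
# than the token exchange needs (only "role" is required by our hypothetical AS).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2014-07-20T14:48:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>billing-admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="home_address"><saml:AttributeValue>1 Main St</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="date_of_birth"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def minimize_assertion(xml_text, allowed_attribute_names):
    """Return (minimized_xml, removed_attribute_names).

    Every saml:Attribute whose Name is not on the allow-list is dropped. An
    AttributeStatement left empty is removed entirely, which is the
    "omitting it altogether" option in the draft text.
    """
    ET.register_namespace("saml", SAML_NS)
    root = ET.fromstring(xml_text)
    removed = []
    # findall() returns lists, so removing children while looping is safe.
    for stmt in root.findall("saml:AttributeStatement", NS):
        for attr in stmt.findall("saml:Attribute", NS):
            name = attr.get("Name")
            if name not in allowed_attribute_names:
                stmt.remove(attr)
                removed.append(name)
        if not stmt.findall("saml:Attribute", NS):
            root.remove(stmt)
    return ET.tostring(root, encoding="unicode"), removed


def attribute_names(xml_text):
    """List the attribute Names still present, in document order."""
    root = ET.fromstring(xml_text)
    return [a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)]


def subject_is_pseudonymous(xml_text):
    """True if the Subject's NameID uses a transient or persistent format."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return False
    return name_id.get("Format") in PSEUDONYMOUS_FORMATS


if __name__ == "__main__":
    minimized, dropped = minimize_assertion(SAMPLE_ASSERTION, {"role"})
    print("dropped attributes:", dropped)
    print("subject pseudonymous:", subject_is_pseudonymous(SAMPLE_ASSERTION))
    print(minimized)
```

Run stand-alone, the script reports the two attributes the allow-list rejects and flags that the email-address NameID is a directly identifying Subject. The allow-list is the policy decision the draft leaves to deployments; this code only makes that decision enforceable at the point where the assertion is built or relayed, and it says nothing about transport, so the "TLS only" requirement still has to be met by the HTTP client and server configuration.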