[OAUTH-WG] New Assertion Drafts Published

Brian Campbell <bcampbell@pingidentity.com> Mon, 09 December 2013 21:30 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 09 Dec 2013 14:29:31 -0700
Message-ID: <CA+k3eCSoMJ4dj3jzTgYi1xwCZLKuEZ6hoUUUaL6wWq7JNJ3H_A@mail.gmail.com>
To: oauth <oauth@ietf.org>
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>
Subject: [OAUTH-WG] New Assertion Drafts Published

New versions of all three OAuth related assertion documents have been
published. Links to the htmlized drafts and change logs (mostly
clarification resulting from Shepherd review in early November) are listed
below. Thanks to Mike Jones for the preliminary review and updates/fixes.

Assertion Framework for OAuth 2.0 Client Authentication and Authorization
Grants
http://tools.ietf.org/html/draft-ietf-oauth-assertions-13

   draft-ietf-oauth-assertions-13

   o  Clean up language around subject per the subject part of
      http://www.ietf.org/mail-archive/web/oauth/current/msg12155.html

   o  Replace "Client Credentials flow" by "Client Credentials _Grant_"
      as suggested in
      http://www.ietf.org/mail-archive/web/oauth/current/msg12155.html

   o  For consistency with SAML and JWT per
      http://www.ietf.org/mail-archive/web/oauth/current/msg12251.html and
      http://www.ietf.org/mail-archive/web/oauth/current/msg12253.html
      stated that "In the absence of an application profile specifying
      otherwise, compliant applications MUST compare the audience values
      using the Simple String Comparison method defined in Section 6.2.1
      of RFC 3986 <http://tools.ietf.org/html/rfc3986#section-6.2.1>."

   o  Added one-time use, maximum lifetime, and specific subject and
      attribute requirements to Interoperability Considerations.



JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
Authorization Grants
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07

   draft-ietf-oauth-jwt-bearer-07

   o  Clean up language around subject per
      http://www.ietf.org/mail-archive/web/oauth/current/msg12250.html.

   o  As suggested in
      http://www.ietf.org/mail-archive/web/oauth/current/msg12251.html
      stated that "In the absence of an application profile specifying
      otherwise, compliant applications MUST compare the audience values
      using the Simple String Comparison method defined in Section 6.2.1
      of RFC 3986 <http://tools.ietf.org/html/rfc3986#section-6.2.1>."

   o  Added one-time use, maximum lifetime, and specific subject and
      attribute requirements to Interoperability Considerations based on
      http://www.ietf.org/mail-archive/web/oauth/current/msg12252.html.

   o  Remove "or its subject confirmation requirements cannot be met"
      text.

   o  Reword security considerations and mention that replay protection
      is not mandated based on
      http://www.ietf.org/mail-archive/web/oauth/current/msg12259.html.



SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization
Grants
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-18

   draft-ietf-oauth-saml2-bearer-18

   o  Clean up language around subject per
      http://www.ietf.org/mail-archive/web/oauth/current/msg12254.html.

   o  As suggested in
      http://www.ietf.org/mail-archive/web/oauth/current/msg12253.html
      stated that "In the absence of an application profile specifying
      otherwise, compliant applications MUST compare the audience/issuer
      values using the Simple String Comparison method defined in
      Section 6.2.1 of RFC 3986
      <http://tools.ietf.org/html/rfc3986#section-6.2.1>."

   o  Clarify the potentially confusing language about the AS confirming
      the assertion
      http://www.ietf.org/mail-archive/web/oauth/current/msg12255.html.

   o  Combine the two items about AuthnStatement and drop the word
      presenter as discussed in
      http://www.ietf.org/mail-archive/web/oauth/current/msg12257.html.

   o  Added one-time use, maximum lifetime, and specific subject and
      attribute requirements to Interoperability Considerations based on
      http://www.ietf.org/mail-archive/web/oauth/current/msg12252.html.

   o  Reword security considerations and mention that replay protection
      is not mandated based on
      http://www.ietf.org/mail-archive/web/oauth/current/msg12259.html.
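The change logs above share three rules that an authorization server validating a bearer assertion has to implement: audience values are compared with the Simple String Comparison of RFC 3986 section 6.2.1 (byte-for-byte equality, no URI normalization), a maximum lifetime may be enforced, and one-time use (replay protection) is a profile choice rather than a mandate. The following is an added illustration, not code from the drafts or from Ping Identity, of the claim checks an AS could run on a JWT assertion after its signature has been verified. The audience URL, the 300-second lifetime limit and the in-memory replay set are assumptions made for the example; the claim names are the standard JWT ones (iss, sub, aud, exp, nbf, iat, jti).

```python
import time

# Constructed values for the example; a real AS would take these from its configuration.
EXPECTED_AUDIENCE = "https://as.example.com/token"
MAX_LIFETIME_SECONDS = 300  # assumed policy: reject assertions valid for longer than this


def audience_matches(aud_claim, expected):
    """Simple String Comparison per RFC 3986 section 6.2.1.

    Equality is exact: no scheme/host case folding, no percent-encoding or
    dot-segment normalization, no trailing-slash tolerance. This is why
    "https://AS.example.com/token" does NOT match the expected value even
    though full URI normalization would treat the two as equivalent.
    The aud claim may be a single string or a list of strings.
    """
    values = [aud_claim] if isinstance(aud_claim, str) else list(aud_claim)
    return any(isinstance(v, str) and v == expected for v in values)


class AssertionValidator:
    """Claim-level checks for a bearer assertion whose signature is already verified."""

    def __init__(self, expected_audience, max_lifetime, now=None):
        self.expected_audience = expected_audience
        self.max_lifetime = max_lifetime
        self.now = now or time.time
        # One-time-use record (assumed policy). In production this would be a
        # shared store keyed by (iss, jti) with entries expiring at the exp time.
        self._seen_jti = set()

    def validate(self, claims):
        """Return (ok, reason); the reason names the first failed check."""
        now = int(self.now())
        for required in ("iss", "sub", "aud", "exp"):
            if required not in claims:
                return False, f"missing {required}"

        if not audience_matches(claims["aud"], self.expected_audience):
            return False, "audience mismatch"

        exp = claims["exp"]
        if not isinstance(exp, int) or exp <= now:
            return False, "expired"

        # Maximum lifetime: measured from issuance when iat is present,
        # otherwise from the moment of validation.
        issued = claims.get("iat", now)
        if exp - issued > self.max_lifetime:
            return False, "lifetime exceeds maximum"

        if "nbf" in claims and claims["nbf"] > now:
            return False, "not yet valid"

        # One-time use: a jti that has already been accepted is a replay.
        jti = claims.get("jti")
        if jti is not None:
            if jti in self._seen_jti:
                return False, "replayed jti"
            self._seen_jti.add(jti)

        return True, "ok"


if __name__ == "__main__":
    v = AssertionValidator(EXPECTED_AUDIENCE, MAX_LIFETIME_SECONDS)
    sample = {"iss": "client-1", "sub": "client-1", "aud": EXPECTED_AUDIENCE,
              "exp": int(time.time()) + 120, "jti": "constructed-id-1"}
    print(v.validate(sample))          # first presentation is accepted
    print(v.validate(sample))          # same jti again is rejected as a replay
```

The two audience cases worth keeping in mind are the upper-cased host and the trailing slash: both would survive a normalizing comparison and both must fail here, since a relying party that normalizes is effectively accepting assertions minted for a different audience string than the one it published.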