Re: [OAUTH-WG] Pete Resnick's No Objection on draft-ietf-oauth-assertions-17: (with COMMENT)
Barry Leiba <barryleiba@computer.org> Wed, 15 October 2014 23:18 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 312601ACE00; Wed, 15 Oct 2014 16:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rE7rXNjXKzfQ; Wed, 15 Oct 2014 16:18:27 -0700 (PDT)
Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 795431ACE03; Wed, 15 Oct 2014 16:18:26 -0700 (PDT)
Received: by mail-la0-f46.google.com with SMTP id gi9so1941275lab.19 for <multiple recipients>; Wed, 15 Oct 2014 16:18:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=hhXDA5Q8lHMZ86F7fw0b0YrmtS4bT7/JAzNK1e620aA=; b=qzARYfXDHnKtvkq4WvJFIA+3QO8FgfH49tXULES9Lsv9tEzJNvIxQ5RlbkipxkECuX 20A8ymm5Ddf8uueEAzNb5z5T18N7oVpbGOPUaIZVf+B1G8H71m2PGVbvovEO4mgM/x7l HaGULa0ThVyT7FzFPWqupF+2NuODePxBPy+Xuur9kxp1i9un+ARnKMARKk7zYv5VTYPz qNsYBXxOg9WYDmlrZMnRb84ApP0DEwsKwhiAHJG4KYopqY2seNsRgNEfBFKphEJX8erj uYOIo+u3Qf/G5BBgwu+Xgo5oUgNztd9RZifeW+hk5tIHqkWVTzusKpuO1ip27oScOc72 T2Xg==
MIME-Version: 1.0
X-Received: by 10.112.166.130 with SMTP id zg2mr15555882lbb.3.1413415104757; Wed, 15 Oct 2014 16:18:24 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.103 with HTTP; Wed, 15 Oct 2014 16:18:24 -0700 (PDT)
In-Reply-To: <CA+k3eCQmM27m4XPsCQu+GeRGiE6ppQiv8vB3KpnWhAYXpmOV7Q@mail.gmail.com>
References: <20141014204213.15568.37128.idtracker@ietfa.amsl.com> <CA+k3eCQmM27m4XPsCQu+GeRGiE6ppQiv8vB3KpnWhAYXpmOV7Q@mail.gmail.com>
Date: Wed, 15 Oct 2014 19:18:24 -0400
X-Google-Sender-Auth: LVmMCBqaqNk5A9I4HVu1nKndql0
Message-ID: <CALaySJK2SDp=uz8uMa+urhtTL6y81iUA2afctEtBdifYKNKJqA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="001a1134891e3d479d05057e5943"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/YdjEv6quLkdAA0_VBbhkLoMn8Uo
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, oauth <oauth@ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [OAUTH-WG] Pete Resnick's No Objection on draft-ietf-oauth-assertions-17: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Oct 2014 23:18:28 -0000
> > >> Assertions used in the protocol exchanges defined by this >> specification MUST always be protected against tampering using a >> digital signature or a keyed message digest applied by the issuer. >> >> Why is that? Aren't you using assertions over a protected channel (as >> required by the spec) and therefore not need to sign the assertions? >> Indeed, why would a self-issued Bearer Assertion need to be signed at >> all? Does that even make sense? >> >> > Yes, assertions are sent over a protected channel, which does provide > integrity protection for the transport form client to AS and also gives > server authentication. But it doesn't provide client authentication, which > is kind of the point of the Client Authentication part of this draft. And > for authorization the signing or MACing is what authenticates the issuer of > the assertion - sometimes the issuer is the client but often the issuer > will be a 3rd party system. > > I do agree with you in one specific case that, if the client is trusted to > be the assertion issuer and the client is properly authenticated, then an > unsigned assertion could be reasonably used as an authorization grant. But > it's a fairly rare and very specific case. And one that can be accommodated > in other ways. So it's not worth introducing the complexity and potential > security problems that having the signature be option would bring. > In other words, the assertion must be protected against tampering *by the party that presents the assertion*. That is a significant point, and you should say it. Barry
- [OAUTH-WG] Pete Resnick's No Objection on draft-i… Pete Resnick
- Re: [OAUTH-WG] Pete Resnick's No Objection on dra… Brian Campbell
- Re: [OAUTH-WG] Pete Resnick's No Objection on dra… Barry Leiba
- Re: [OAUTH-WG] Pete Resnick's No Objection on dra… Brian Campbell
- Re: [OAUTH-WG] Pete Resnick's No Objection on dra… Pete Resnick