[OAUTH-WG] AuthnStatement (was draft-ietf-oauth-saml2-bearer-17)

Brian Campbell <bcampbell@pingidentity.com> Mon, 04 November 2013 20:48 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55F5F11E822F for <oauth@ietfa.amsl.com>; Mon, 4 Nov 2013 12:48:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.934
X-Spam-Level:
X-Spam-Status: No, score=-5.934 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FPcFNtqAJr8E for <oauth@ietfa.amsl.com>; Mon, 4 Nov 2013 12:48:49 -0800 (PST)
Received: from na3sys009aog111.obsmtp.com (na3sys009aog111.obsmtp.com [74.125.149.205]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9A711E812A for <oauth@ietf.org>; Mon, 4 Nov 2013 12:48:49 -0800 (PST)
Received: from mail-ie0-f169.google.com ([209.85.223.169]) (using TLSv1) by na3sys009aob111.postini.com ([74.125.148.12]) with SMTP ID DSNKUngIMRZJtGDMacYsDJNp0mvZH2l9BihV@postini.com; Mon, 04 Nov 2013 12:48:49 PST
Received: by mail-ie0-f169.google.com with SMTP id ar20so13770473iec.28 for <oauth@ietf.org>; Mon, 04 Nov 2013 12:48:48 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=LP12Cl0/cc6hVeTFDbW7slkEyhfqTliHGLROR57+Rkg=; b=bHKrdi4hL5KUUSVHRmV9njeHuI8uLV8vMK8nn6PTZ2RJ9bvzS/fCcjX07pkmFl7WRY WmMolhH+pUdJtfAS0p7DspfAP9FHgAk5FYxUpq+2RGAtxwaQUpKWhl1Qx2dmc73JRsyx 04OlFRkUs/DPyfuV8PYLZaiZ+VF2eaGY8P+0g4LnW1TfIU8OCB5iqP7RbP+JWy1BUjQK dELBn8BJN3C/iboOINLoF0RTquonf/XCkcyT3XD3srZXzzj7Rgn5PURDmPoD1NNDdAJ4 MFfug5++iQzmudmh8DG5CNFKFu1lGdav+54B/WORV0wQ4u2QDBdOIgX0w0d1FGK3vfJ9 adCA==
X-Gm-Message-State: ALoCoQnr5FaL30iFNuoU4NPHmkT5Yxf9cHp2XgQrhEuaqCCr5ULlhXdYY2J8ZC67sMh+jZx8LW8Rru1RGyKCwGBHvXjqIGC3WTtjQ8s8KDnbo797I6HZtjGp7RZ07cH3kO+tDgCgPJGKCY+bPZmfRqOz+ig1QSDlZw==
X-Received: by 10.50.126.74 with SMTP id mw10mr13647413igb.24.1383598128941; Mon, 04 Nov 2013 12:48:48 -0800 (PST)
X-Received: by 10.50.126.74 with SMTP id mw10mr13647405igb.24.1383598128744; Mon, 04 Nov 2013 12:48:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.245.233 with HTTP; Mon, 4 Nov 2013 12:48:18 -0800 (PST)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 4 Nov 2013 12:48:18 -0800
Message-ID: <CA+k3eCSQbD767V2rtgitee=GwKyYHVBrB=9KN5bz1AZ6jKkk7Q@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] AuthnStatement (was draft-ietf-oauth-saml2-bearer-17)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2013 20:48:55 -0000

On Sat, Nov 2, 2013 at 2:07 AM, Hannes Tschofenig
<hannes.tschofenig@gmx.net> wrote:
> Item #7+8: T I think you should combine the two items since they relate to
> the same issue, namely when to include the <AuthnStatement> element.

Okay, #7&8 can be rolled up into one item.

> There
> are two questions:
>
>     Q1: Has the subject been authenticated?
>
>     If 'no', then the <AuthnStatement> cannot be populated.
>
>     If 'yes', then
>         Q2: Has the subject requested to be anonymous?
>
>         If 'no', then the <AuthnStatement> element is populated
>         with the subject's identity.
>
>         If 'yes', then the <AuthnStatement> MUST NOT be populated.
>         (or populated with a field that indicates that the subject
>          is anonymous; I don't know SAML enough to tell what the
>          right approach here is).

#8 is about the client acting *autonomously* on behalf of the subject.
Not *anonymously*. Autonomous was a term used in earlier drafts of RFC
6749 (maybe circa -10 of draft-ietf-oauth-v2) when talking about a
client who was acting on its own without the user being present.

> Then you write:
> "
> The presenter SHOULD
>         be identified in the <NameID> or similar element in the
>         <SubjectConfirmation> element, or by other available means like
>         SAML V2.0 Condition for Delegation Restriction
>         [OASIS.saml-deleg-cs].
> "
>
> Who is the presenter? Is the presenter the subject?

The presenter is the thing that shows up with and presents the
assertion to the AS. It's a term used in the SAML specs. In this case
the presenter is the client. Maybe it's better to just say client here
and not use the term presenter?