IETF Logo Mail Archive

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Sat, 25 October 2014 06:33 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58DDF1A7005; Fri, 24 Oct 2014 23:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9axvEOxbiwMy; Fri, 24 Oct 2014 23:33:40 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0762.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::762]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFCAF1A7004; Fri, 24 Oct 2014 23:33:39 -0700 (PDT)
Received: from CH1PR03CA011.namprd03.prod.outlook.com (10.255.156.156) by BY1PR0301MB1208.namprd03.prod.outlook.com (25.161.203.16) with Microsoft SMTP Server (TLS) id 15.1.6.9; Sat, 25 Oct 2014 06:33:15 +0000
Received: from BL2FFO11FD030.protection.gbl (10.255.156.132) by CH1PR03CA011.outlook.office365.com (10.255.156.156) with Microsoft SMTP Server (TLS) id 15.1.6.9 via Frontend Transport; Sat, 25 Oct 2014 06:33:15 +0000
Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD030.mail.protection.outlook.com (10.173.161.40) with Microsoft SMTP Server (TLS) id 15.0.1049.20 via Frontend Transport; Sat, 25 Oct 2014 06:33:15 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0210.003; Sat, 25 Oct 2014 06:32:46 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
Thread-Index: Ac/wHXZicsJzwKMjQzKRicyupW00kA==
Date: Sat, 25 Oct 2014 06:32:45 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB26277@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(189002)(51704005)(52604005)(377454003)(479174003)(69224002)(24454002)(13464003)(199003)(43784003)(52044002)(2656002)(99396003)(80022003)(230783001)(64706001)(31966008)(23676002)(50986999)(54356999)(104016003)(6806004)(85852003)(120916001)(4396001)(77096002)(85306004)(86362001)(55846006)(76482002)(47776003)(20776003)(26826002)(92566001)(92726001)(21056001)(33656002)(46102003)(15202345003)(97736003)(86612001)(87936001)(66066001)(15975445006)(19580395003)(19580405001)(107046002)(95666004)(50466002)(44976005)(85806002)(69596002)(68736004)(106466001)(81156004)(84676001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0301MB1208; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB1208;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0375972289
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/_Gw3e61HKtnKkvDhA2RsNKEFzEA
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Oct 2014 06:33:43 -0000

Hi Stephen,

I applied your privacy wording to the -30 draft.  Thanks.

About your DISCUSS on "alg":"none" being MTI, several working group members have chimed in agreeing that it should continue to be MTI, and said why.  In summary - unsigned security tokens representing claims are really common in identity protocols; interop will be improved if this functionality is MTI.  Can I therefore ask you hold your nose a little bit more and clear this remaining DISCUSS?

				Thanks again,
				-- Mike

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
Sent: Tuesday, October 21, 2014 6:17 AM
To: Mike Jones; The IESG
Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web-token@tools.ietf.org; oauth@ietf.org
Subject: Re: Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)


Hi Mike,

I've one remaining discuss point and a comment. See below...

On 14/10/14 13:50, Mike Jones wrote:
> The proposed resolutions below have been included in the -28 draft.  Hopefully you'll be able to clear your DISCUSSes on that basis.
> 
> The String Comparison Rules in Section 7.3 have been expanded to talk about when the application may need canonicalization rules.
> 
> 				Thanks again,
> 				-- Mike
> 
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
>> Sent: Monday, October 06, 2014 7:20 PM
>> To: Stephen Farrell; The IESG
>> Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web- 
>> token@tools.ietf.org; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on 
>> draft-ietf-oauth-json-
>> web-token-27: (with DISCUSS and COMMENT)
>>
>> Thanks for tracking all of this Stephen.  Responses inline below...
>>
>>> -----Original Message-----
>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>> Sent: Monday, October 06, 2014 2:43 PM
>>> To: Mike Jones; The IESG
>>> Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web- 
>>> token@tools.ietf.org; oauth@ietf.org
>>> Subject: Re: Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27:
>>> (with DISCUSS and COMMENT)
>>>
>>>
>>> Hi Mike,
>>>
>>> On 06/10/14 08:54, Mike Jones wrote:
>>>> Thanks for your review, Stephen.  I've added the working group to 
>>>> the thread so they're aware of your comments.
>>>>
>>>>> -----Original Message----- From: Stephen Farrell 
>>>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Thursday, October 02, 
>>>>> 2014
>>>>> 5:03 AM To: The IESG Cc: oauth-chairs@tools.ietf.org;
>>>>> draft-ietf-oauth-json-web- token@tools.ietf.org Subject: Stephen 
>>>>> Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with 
>>>>> DISCUSS and COMMENT)
>>>>>
>>>>> Stephen Farrell has entered the following ballot position for
>>>>> draft-ietf-oauth-json-web-token-27: Discuss
>>>>>
>>>>> When responding, please keep the subject line intact and reply to 
>>>>> all email addresses included in the To and CC lines. (Feel free to 
>>>>> cut this introductory paragraph, however.)
>>>>>
>>>>>
>>>>> Please refer to
>>>>> http://www.ietf.org/iesg/statement/discuss-criteria.html for more 
>>>>> information about IESG DISCUSS and COMMENT positions.
>>>>>
>>>>>
>>>>> The document, along with other ballot positions, can be found
>>>>> here:
>>>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------
>>>>> -
>>>>> --
>>>>> -
>>>>>
>>>>>
>>> DISCUSS:
>>>>> ------------------------------------------------------------------
>>>>> -
>>>>> --
>>>>> -
>>>>>
>>>>>
>>>>>
>>>>>
>>> (1) 4.1.1 and elsewhere you say case-sensitive: the same thing I 
>>> raised wrt DNS
>>>>> names for another JOSE spec - do you need to say those SHOULD be 
>>>>> [upper|lower]cased when used in these?
>>>>
>>>> I believe that somewhere we should say that if case-insensitive 
>>>> values, such as DNS names, are used when constructing "kid" values, 
>>>> that the application doing so needs to define a convention on the 
>>>> canonical case to use for the case-insensitive portions, such as 
>>>> lowercasing them.
>>>
>>> As that discussion's happening on the key draft, I'll clear it here 
>>> and trust you to fix if a change is the end result.
>>
>> Thanks

np

>>
>>>>> (2) Section 8: Why is "none" MTI? That seems both broken and going 
>>>>> in the oppostite direction from other WGs and so should be 
>>>>> explicitly jusified I think. (If a good enough justification 
>>>>> exists that is.)
>>>>
>>>> It is MTI because there are several existing applications of JWTs 
>>>> in which both unsigned and signed representations of the JWTs are 
>>>> requirements.  These include draft-ietf-oauth-token-exchange, 
>>>> draft-hunt-oauth-v2-user-a4c, and OpenID Connect.  This is a pretty 
>>>> common pattern where you sign something if the recipient cares who 
>>>> made the statements and where you don't have to sign it either if 
>>>> the recipient doesn't care who made the statements
>>>
>>> I don't see how (non-)signers can divine non-verifier's wishes that 
>>> way. (Absent negotiation or a directory.)
>>
>> Sometimes it does occur via negotiation.  For instance, in some 
>> protocols, at registration time, relying parties explicitly tell 
>> identity providers what algorithms are acceptable to them, which may 
>> include "none".  No divination - explicit communication.
>>
>>>> or if it can tell from
>>>> another secured aspect of the application protocol (typically 
>>>> through the use of TLS) who made the statements.  In the TLS case, 
>>>> the server authentication step makes a signature step unnecessary, 
>>>> so an Unsecured JWT is fine there.
>>>
>>> That's arguable IMO.
>>
>> I agree that it's application and context-dependent whether it's OK 
>> or not.  The point is that there exist some circumstances in which it 
>> is OK, and this feature is being used in some of those cases.
>>
>>> I think I'll look back over the wg thread and either hold my nose or
>>
>> This issue was tracked as http://trac.tools.ietf.org/wg/jose/trac/ticket/36.
>> Karen O'Donoghue recorded this conclusion in the tracker "Note: There 
>> was extensive discussion on the mailing list, and the rough  
>> consensus of the working group was to leave "none" in the document."
>>
>> Discussion threads on this topic include:
>> [jose] #36: Algorithm "none" should be removed 
>> http://www.ietf.org/mail- archive/web/jose/current/msg02911.html - 
>> Began Jul 31, 2013  (91 messages) [jose] Text about applications and 
>> "alg":"none" http://www.ietf.org/mail- 
>> archive/web/jose/current/msg03321.html - Began Sep 3, 2013 (5 
>> messages)
>>
>> This issue was a topic of a special working group call on Aug 19, 
>> 2013.  The text discussed in the last thread and published at 
>> https://tools.ietf.org/html/draft-
>> ietf-jose-json-web-algorithms-33#section-8.5 (Unsecured JWS Security
>> Considerations) was the result of the working group's decisions 
>> resulting from all of this discussion.

Thanks for all the pointers above. I read through all the (many!) Aug 19 mails and most of the `"none" should be removed" thread.

So I do see that there was rough consensus to keep "none" in the draft and can (with difficulty;-) hold my nose and let that pass. I do not however, see that there was consensus to make "none" MTI for this draft. I did see a bit of haggling about this draft vs. JWS but still do not see why none ought be MTI here.

>>
>>>>> (3) Section 12: another way to handle privacy is to not include 
>>>>> sensitive data - I think you ought mention that as a bit of 
>>>>> thought along those lines can be much simpler than putting in 
>>>>> place the key management to handle thoughtlessly included PII.
>>>>
>>>> We can include a discussion of that point,
>>>
>>> Great. "Just say no" is workable here:-) I'll clear when we get such text.
>>>
>>>> but sometimes the very
>>>> point of a JWT is to securely deliver PII from a verifiable party 
>>>> to an intended party with appropriate rights to receive it.
>>>
>>> Hmm. Its a moot point (so let's not argue it) but I wonder how often 
>>> PII is really needed for authorization with oauth. My guess would be 
>>> that its needed far less often than its found to be profitable 
>>> perhaps, or that carelessness plays a big role in using PII for such purposes.

I've cleared on this as you added this text:

  "Of course, including	
   only necessary privacy-sensitive information in a JWT is the most	
   basic means of minimizing any potential privacy issues."

That seems to me like a fairly offputting way to phrase it. I'd suggest instead:

  "Omitting privacy-sensitive information from a JWT is the
  simplest way of minimizing privacy issues."

Cheers,
S.

PS: I didn't check the comments.

>>>
>>> S.
>>>
>>>
>>>
>>>>
>>>>> ------------------------------------------------------------------
>>>>> -
>>>>> --
>>>>> -
>>>>>
>>>>>
>>> COMMENT:
>>>>> ------------------------------------------------------------------
>>>>> -
>>>>> --
>>>>> -
>>>>>
>>>>>
>>>>>
>>>>>
>>> - abstract: 2nd sentence isn't needed here, in intro would be fine.
>>>>
>>>> I don't know - I think it's a big deal that the claims can be 
>>>> digitally signed or MACed and/or encrypted.  That's the reason we 
>>>> have JWTs, rather than just JSON.
>>>>
>>>>> - 4.1.7: maybe worth adding that jti+iss being unique enough is 
>>>>> not sufficient and jti alone has to meet that need. In X.509 the 
>>>>> issuer/serial has the equivalent property so someone might assume 
>>>>> sequential jti values starting at 0 are ok.
>>>>
>>>> Makes sense to add a warning of some kind along these lines.  I 
>>>> think I know the reasons you say that, but can you expand on that 
>>>> thought a bit before I take a stab on writing this up?  For 
>>>> instance, while normally true, I don't think your observation is 
>>>> true if a relying party will only accept tokens from a single issuer.
>>>>
>>>>> - section 6: yuk
>>>>>
>>>>> - again I think the secdir comments are being handled by Kathleen 
>>>>> and the authors.
>>>>
>>>> Again, this is there because multiple applications asked for the 
>>>> ability to represent content that is optionally signed, sometimes 
>>>> securing it another way, such as with TLS.  JWTs are used specific 
>>>> application protocol contexts - not in isolation.
>>>>
>>>> Thanks again, -- Mike
>>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email