Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09

Brian Campbell <bcampbell@pingidentity.com> Sat, 19 July 2014 14:09 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sat, 19 Jul 2014 08:08:38 -0600
Message-ID: <CA+k3eCS+PHtid=HpXMSZdN8FEFbGv1d4Us4noATSfrRKTJD7Aw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/d2jSUYZFlLQKmuCQcoyi1rJWcVw
Cc: "oauth@ietf.org" <oauth@ietf.org>

I agree that mentioning the RS in this context is only likely to cause
confusion.

This draft is only about sending a JWT to the token endpoint at an AS as an
authorization grant or as client authentication.


On Sat, Jul 19, 2014 at 6:37 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> While a JWT might generically have many different audiences like resource
> servers, this profile is about sending it to the token endpoint at an AS
> for authentication or authorization.
>
> I think adding something about the RS will confuse people.
>
> I think Brian's text is fine.
>
> John B.
>
> On Jul 18, 2014, at 11:45 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> Should that be encrypted for the intended audience (aud) of the JWT which
> may be the AS and/or the resource server?
>
> Phil
>
> On Jul 18, 2014, at 21:52, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> Sorry for the slow response on this Kathleen, my day job has been keeping
> me busy recently. And, honestly, I was kind of hopeful someone would
> volunteer some text in the meantime. But that didn't happen so how about
> the following?
>
> A JWT may contain privacy-sensitive information and, to prevent disclosure
> of such information to unintended parties, should only be transmitted over
> encrypted channels, such as TLS. In cases where it's desirable to prevent
> disclosure of certain information to the client, the JWT may be encrypted
> to the authorization server.
>
> Deployments should determine the minimum amount of information necessary
> to complete the exchange and include only such claims in the JWT. In some
> cases the "sub" (subject) claim can be a value representing an anonymous or
> pseudonymous user as described in Section 6.3.1 of the Assertion Framework
> for OAuth 2.0 Client Authentication and Authorization Grants [
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>
>
> On Thu, Jul 3, 2014 at 3:26 PM, Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
>>
>> Hello,
>>
>> I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good.
>> The only question/comment I have is that I don't see any mention of
>> privacy considerations in the referenced security sections. Could you add
>> something? It is easily addressed by section 10.8 of RFC6749, but there is
>> no mention of privacy considerations. I'm sure folks could generate great
>> stories about who is accessing what, causing privacy considerations to be
>> important.
>>
>> Thanks & have a nice weekend!
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
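As an added example (not the draft's text or any project's code), here is a stdlib-only Python sketch of the two ends of the exchange this thread is about: the client builds an HS256 JWT carrying only the claims the token endpoint needs, with a pairwise pseudonymous "sub" in the spirit of Section 6.3.1 of the assertions draft, and the AS token endpoint rejects an assertion whose "aud" names a resource server rather than the endpoint itself. The endpoint URL, keys and the HMAC-based pseudonym scheme are constructed assumptions; TLS transport and JWE encryption to the AS are outside the sketch.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed value for illustration; a real AS publishes its own token endpoint.
TOKEN_ENDPOINT = "https://as.example.com/token"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pseudonymous_subject(user_id: str, issuer: str, secret: bytes) -> str:
    """Assumed pairwise scheme: stable per (issuer, user), never the real account id."""
    mac = hmac.new(secret, f"{issuer}|{user_id}".encode(), hashlib.sha256).digest()
    return b64url(mac)[:22]

def build_assertion(issuer, user_id, key, pseudonym_secret, aud=TOKEN_ENDPOINT, now=None, ttl=300):
    """Client side: include only the claims the token endpoint needs (no email, name, etc.)."""
    now = int(time.time() if now is None else now)
    claims = {"iss": issuer, "sub": pseudonymous_subject(user_id, issuer, pseudonym_secret),
              "aud": aud, "iat": now, "exp": now + ttl}
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_at_token_endpoint(jwt, key, now=None):
    """AS side: fixed algorithm, valid signature, audience is this token endpoint, not expired."""
    now = int(time.time() if now is None else now)
    parts = jwt.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != TOKEN_ENDPOINT:
        return False, "audience is not this token endpoint"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, claims["sub"]
```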