Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sat, 19 July 2014 14:24 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
In-Reply-To: <CA+k3eCR__YW3e1Ca0+3ix3Y2MuGjdwaP=YHEjpnCcxshTOoRkA@mail.gmail.com>
Date: Sat, 19 Jul 2014 10:24:06 -0400
Message-Id: <60D7F5DB-0574-4F58-ADCB-C9E4D9850401@gmail.com>
References: <CAHbuEH6w9mfHLwN8WMJHHV5qZ8MzLJY6ky-Yp_xg39WfpGbC3g@mail.gmail.com> <CA+k3eCR__YW3e1Ca0+3ix3Y2MuGjdwaP=YHEjpnCcxshTOoRkA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/d7xGh3tzST2dqvmG1m2OKrj4OOg
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

Thanks for the quick response, Brian.  I think the text looks great.  The only change I'd like to suggest is in the second sentence, to change the 'may' to 'SHOULD'.

Best regards,
Kathleen 

Sent from my iPhone

> On Jul 19, 2014, at 1:00 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> How about the following (which is intentionally similar to the text I just put forth for your request for privacy consideration in draft-ietf-oauth-jwt-bearer-09)?
> 
> A SAML Assertion may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it's desirable to prevent disclosure of certain information to the client, the Subject and/or individual attributes of a SAML Assertion may be encrypted to the authorization server. 
> 
> Deployments should determine the minimum amount of information necessary to complete the exchange and include only that information in an Assertion (typically by limiting what information is included in an <AttributeStatement> or omitting it altogether). In some cases the Subject can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1]. 
> 
> 
>> On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>> Hello,
>> 
>> I just finished my review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer.  The draft looks great, thank you for all of your efforts on it!
>> 
>> I did notice that there were no privacy considerations pointing back to RFC6973, could that text be added?  The draft came after the OAuth framework publication (referenced in the security considerations), so I am guessing that is why this was missed as there are privacy considerations in the OAuth assertion draft (I completed that review as well and the draft looked great.  I don't have any comments to add prior to progressing the draft).
>> 
>> Thank you.
>> 
>> -- 
>> 
>> Best regards,
>> Kathleen
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
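The two practices Brian's proposed text calls for, including only the attributes the exchange needs (trimming or omitting the <AttributeStatement>) and sending the assertion only over TLS, can be enforced on the client side before the saml2-bearer token request is built. The following is an added example, not text or code from the draft, the thread, or any of the participants' products. The sample assertion, the attribute allow-list and the token endpoint URL are constructed here for illustration; the grant_type URN and the base64url encoding of the assertion parameter are those defined by the saml2-bearer draft, and the NameID format URIs are the ones defined by SAML 2.0 core.

```python
"""Added example: minimise a SAML 2.0 assertion before using it as an
OAuth 2.0 saml2-bearer grant, and refuse to send it over plain HTTP.

Everything below (sample assertion, allow-list, endpoint) is constructed
for illustration and is not from the draft or the mailing-list thread.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Keep the saml: prefix on re-serialisation instead of ElementTree's ns0:
ET.register_namespace("saml", SAML_NS)

# NameID formats (SAML 2.0 core) that directly identify a person, versus
# the pseudonymous formats the assertions draft's Section 6.3.1 allows.
IDENTIFYING_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
}
PSEUDONYMOUS_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed sample: an over-sharing assertion with an identifying Subject.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2014-07-19T14:24:06Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dateOfBirth"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="homeAddress"><saml:AttributeValue>1 Main St</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def minimise_assertion(xml_text, allowed_attributes):
    """Drop every Attribute whose Name is not in allowed_attributes, remove an
    AttributeStatement left empty, and report whether the Subject's NameID
    format is directly identifying. Returns (minimised_xml, report)."""
    root = ET.fromstring(xml_text)
    report = {"kept": [], "dropped": [], "nameid_format": None,
              "nameid_identifying": False, "nameid_pseudonymous": False}

    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is not None:
        fmt = nameid.get("Format")
        report["nameid_format"] = fmt
        report["nameid_identifying"] = fmt in IDENTIFYING_NAMEID_FORMATS
        report["nameid_pseudonymous"] = fmt in PSEUDONYMOUS_NAMEID_FORMATS

    for stmt in root.findall("saml:AttributeStatement", NS):
        for attr in list(stmt.findall("saml:Attribute", NS)):
            name = attr.get("Name")
            if name in allowed_attributes:
                report["kept"].append(name)
            else:
                report["dropped"].append(name)
                stmt.remove(attr)
        if len(stmt) == 0:          # nothing left to state: omit it entirely
            root.remove(stmt)

    return ET.tostring(root, encoding="unicode"), report


def build_token_request(token_endpoint, assertion_xml, scope=None):
    """Build the form body for the saml2-bearer grant. The assertion is
    base64url-encoded without padding, as the draft requires, and a non-https
    token endpoint is refused so the assertion never travels in the clear."""
    if urlparse(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https: assertion may carry "
                         "privacy-sensitive data")
    assertion_b64url = (base64.urlsafe_b64encode(assertion_xml.encode("utf-8"))
                        .rstrip(b"=").decode("ascii"))
    params = {
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": assertion_b64url,
    }
    if scope:
        params["scope"] = scope
    return urlencode(params)


if __name__ == "__main__":
    minimised, report = minimise_assertion(SAMPLE_ASSERTION, {"role"})
    print("kept:", report["kept"], "dropped:", report["dropped"])
    if report["nameid_identifying"]:
        print("warning: Subject NameID format is directly identifying:",
              report["nameid_format"])
    print(build_token_request("https://as.example.com/token", minimised))
```

In a real deployment the allow-list is per authorization server and per scope, and the NameID warning is the point at which to ask the issuer for a persistent or transient identifier, or to encrypt the Subject to the authorization server, rather than to keep sending the e-mail address.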