[OAUTH-WG] Re: Secdir last call review of draft-ietf-oauth-resource-metadata-08

Michael Jones <michael_b_jones@hotmail.com> Sat, 14 September 2024 00:22 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: David Mandelberg <david@mandelberg.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Sat, 14 Sep 2024 00:22:14 +0000
Message-ID: <SJ0PR02MB743910267C8EF47E42ECEBF1B7662@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <172384809277.1449681.408544072139184106@dt-datatracker-6df4c9dcf5-t2x2k> <SJ0PR02MB743925A6D204478BE2A21C6CB79B2@SJ0PR02MB7439.namprd02.prod.outlook.com> <7d51f45f-4417-4143-a9c6-4ebffd375491@mandelberg.org>
In-Reply-To: <7d51f45f-4417-4143-a9c6-4ebffd375491@mandelberg.org>
CC: "draft-ietf-oauth-resource-metadata.all@ietf.org" <draft-ietf-oauth-resource-metadata.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
Subject: [OAUTH-WG] Re: Secdir last call review of draft-ietf-oauth-resource-metadata-08
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eMlcaljmBz7YMvL26la8BW9pMiw>

David, the newly published version of https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/ incorporates the changes to address your review comments.

				Thanks again!
				-- Mike

-----Original Message-----
From: David Mandelberg <david@mandelberg.org> 
Sent: Thursday, September 12, 2024 4:42 PM
To: Michael Jones <michael_b_jones@hotmail.com>; secdir@ietf.org
Cc: draft-ietf-oauth-resource-metadata.all@ietf.org; last-call@ietf.org; oauth@ietf.org; Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>; Deb Cooley <debcooley1@gmail.com>
Subject: Re: Secdir last call review of draft-ietf-oauth-resource-metadata-08

Those changes sound good, thanks!

On 2024-09-10 at 22:22, Michael Jones wrote:
> Thanks David.  My replies are inline below, prefixed by "Mike>".
> 
> -----Original Message-----
> From: David Mandelberg via Datatracker <noreply@ietf.org>
> Sent: Friday, August 16, 2024 3:42 PM
> To: secdir@ietf.org
> Cc: draft-ietf-oauth-resource-metadata.all@ietf.org; last-call@ietf.org; oauth@ietf.org
> Subject: Secdir last call review of draft-ietf-oauth-resource-metadata-08
> 
> Reviewer: David Mandelberg
> Review result: Has Nits
> 
> Overall, looks good. I just have a couple of questions that might not need any changes to the doc.
> 
> Section 5.2 says "SHOULD retrieve the updated protected resource metadata and use the new metadata values obtained" which makes sense for the values included directly in the metadata.
> 
> Mike> How about if we make this change to 5.2?  Change "and use the new metadata values obtained" to "and use the new metadata values obtained after validating them as described in Section 3.3"
> 
> For the URLs like jwks_uri though, is the client expected to retrieve those again even if the URL itself didn't change? Or does that not need to be specified?
> 
> Mike> URLs such as jwks_uri are governed by HTTP caching rules, as is the primary metadata itself.  I'd already told Arnt Gulbrandsen in my reply to his ART review that I'd add something about caching lifetimes in the Security Considerations.
> 
> What do you think about adding something to section 5.2 about redoing all validation (like checking the resource field and validating the signature in signed_metadata) before using new values? I'd hope that any implementations would do that without it being specified, but I could see some bugs if the code path for fetching initial values is different than the code path for updating values.
> 
> Mike> Your comment about signature validation made me realize that we don't say anything about validating the signature of signed metadata!  I propose to add something like this:  "The recipient MUST validate the signature of the signed metadata using a key belonging to the issuer.  If the signature does not validate or the issuer is not trusted, the recipient SHOULD consider this an error condition."
> 
> Thanks for your useful review!
> 
> 				-- Mike
>
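The validation steps proposed in the thread above (checking the `resource` field against the resource the metadata was fetched for, verifying the `signed_metadata` signature with a key belonging to a trusted issuer, and running a refresh through the same code path as the initial fetch), as an added example; this is not code from the draft or from any participant in the thread. The issuer name, the shared secret and the metadata document are constructed for the demo, and HS256 stands in for the issuer's asymmetric key so the example runs on the Python standard library alone; a real recipient verifies with the issuer's public key.

```python
"""Validating OAuth protected resource metadata (added example, not the
draft's or the thread's own code).  Checks implemented: `resource` must
match the resource the metadata was fetched for, `signed_metadata` must
verify under a key of a trusted issuer, and a refresh runs through exactly
the same path as the initial fetch.  HS256 with a constructed shared secret
stands in for the issuer's asymmetric key."""
import base64
import hashlib
import hmac
import json


class MetadataValidationError(Exception):
    """Raised when the metadata fails any validation step."""


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_signed_metadata(claims: dict, key: bytes) -> str:
    """Issuer side (demo only): build a compact HS256 JWS over the claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signed_metadata(token: str, trusted_issuer_keys: dict) -> dict:
    """Return the verified claims of `signed_metadata`, or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise MetadataValidationError("signed_metadata is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Only the expected algorithm is accepted; "none" and anything else fail.
    if header.get("alg") != "HS256":
        raise MetadataValidationError(f"unsupported alg {header.get('alg')!r}")
    # The issuer is read from the still-unverified payload only to select the
    # key; no claim is trusted until the signature has been checked.
    claims = json.loads(_b64url_decode(payload_b64))
    key = trusted_issuer_keys.get(claims.get("iss"))
    if key is None:
        raise MetadataValidationError(f"issuer {claims.get('iss')!r} is not trusted")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise MetadataValidationError("signed_metadata signature does not validate")
    return claims


def validate_resource_metadata(document: dict, expected_resource: str,
                               trusted_issuer_keys: dict) -> dict:
    """The one validation path, used for the initial fetch and every refresh.

    Signed claims override the unsigned values (the draft gives them
    precedence); a signed `resource` claim, if present, must match as well.
    """
    if document.get("resource") != expected_resource:
        raise MetadataValidationError(
            f"resource {document.get('resource')!r} != {expected_resource!r}")
    metadata = dict(document)
    token = metadata.pop("signed_metadata", None)
    if token is not None:
        claims = verify_signed_metadata(token, trusted_issuer_keys)
        claims.pop("iss", None)
        if claims.get("resource", expected_resource) != expected_resource:
            raise MetadataValidationError("signed resource claim does not match")
        metadata.update(claims)
    return metadata


def refresh_metadata(fetch, expected_resource: str, trusted_issuer_keys: dict) -> dict:
    """Refresh = fetch again + the same validation; no separate code path."""
    return validate_resource_metadata(fetch(), expected_resource, trusted_issuer_keys)


def rejects(document: dict, expected_resource: str, trusted_issuer_keys: dict) -> bool:
    """True if validation refuses the document."""
    try:
        validate_resource_metadata(document, expected_resource, trusted_issuer_keys)
    except MetadataValidationError:
        return True
    return False


# Constructed sample data: a demo issuer key and a metadata document whose
# unsigned jwks_uri disagrees with the signed one.
DEMO_RESOURCE = "https://api.example.com"
DEMO_ISSUER = "https://issuer.example.com"
DEMO_KEYS = {DEMO_ISSUER: b"constructed-demo-secret-not-for-production"}
SAMPLE_DOCUMENT = {
    "resource": DEMO_RESOURCE,
    "authorization_servers": ["https://as.example.com"],
    "jwks_uri": "https://api.example.com/unsigned-jwks",
    "signed_metadata": make_signed_metadata(
        {"iss": DEMO_ISSUER, "resource": DEMO_RESOURCE,
         "jwks_uri": "https://api.example.com/jwks"}, DEMO_KEYS[DEMO_ISSUER]),
}

if __name__ == "__main__":
    print(json.dumps(refresh_metadata(lambda: SAMPLE_DOCUMENT, DEMO_RESOURCE, DEMO_KEYS), indent=2))
```

Because `refresh_metadata` is nothing more than a fetch followed by `validate_resource_metadata`, the bug class the review raises (a refresh path that skips checks the initial fetch performs) cannot arise; the `jwks_uri` value that survives is the signed one, and a document signed under an unknown key, or fetched for a different resource, is refused.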