IETF Logo Mail Archive

Re: [OAUTH-WG] Review of Assertions drafts

Brian Campbell <bcampbell@pingidentity.com> Wed, 07 November 2012 15:18 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB9C821F8BAE for <oauth@ietfa.amsl.com>; Wed, 7 Nov 2012 07:18:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.976
X-Spam-Level:
X-Spam-Status: No, score=-5.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tEal2lnrvFOW for <oauth@ietfa.amsl.com>; Wed, 7 Nov 2012 07:18:08 -0800 (PST)
Received: from na3sys009aog128.obsmtp.com (na3sys009aog128.obsmtp.com [74.125.149.141]) by ietfa.amsl.com (Postfix) with ESMTP id 24CCE21F8BDD for <oauth@ietf.org>; Wed, 7 Nov 2012 07:18:06 -0800 (PST)
Received: from mail-ye0-f198.google.com ([209.85.213.198]) (using TLSv1) by na3sys009aob128.postini.com ([74.125.148.12]) with SMTP ID DSNKUJp7rSYrNZCsveUxkF84uFmQPB8No/rY@postini.com; Wed, 07 Nov 2012 07:18:06 PST
Received: by mail-ye0-f198.google.com with SMTP id q10so3131963yen.1 for <oauth@ietf.org>; Wed, 07 Nov 2012 07:18:05 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=6o66zZ+NTkSmcc06d4jftUY/L9hq/+6vGnukEUNy9aY=; b=oqj4nbYJQFnIJK6rjLKdATqUnssZSwfXAQNXlS5B7S+jaDqrln9+ovNqG//ZzNauRt SzzyZLgZ6IUkm8KIu0alpRf1+qD5NCX7g9akM476UonFNaxcrscTE9VH2DCgYF7hG3cq gBNp9m/JKe2Ih/on+fxME80yS3FdT4trNsXuZUDbIEr0QzAKrVqAtzQCTnq0ATlXAyz8 dgqCQ9lqi2y9CgHIh/UrnJaTrh07SZaxfSoWVedwoAcZ/LVVEJ0JT0f5mi/24U46cCt4 U97YIWszntCKv43bxJKx1Aaa522n1K9FT/aghtguaknimb5o1xX4Hl5nYJqnU1VKf4YB VGUQ==
Received: by 10.220.157.75 with SMTP id a11mr4393047vcx.27.1352301485069; Wed, 07 Nov 2012 07:18:05 -0800 (PST)
Received: by 10.220.157.75 with SMTP id a11mr4393039vcx.27.1352301484949; Wed, 07 Nov 2012 07:18:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.151.44 with HTTP; Wed, 7 Nov 2012 07:17:34 -0800 (PST)
In-Reply-To: <B61A05DAABADEA4EA2F19424825286FA1E631087@IMCMBX04.MITRE.ORG>
References: <4E1F6AAD24975D4BA5B1680429673943668A4CF4@TK5EX14MBXC283.redmond.corp.microsoft.com> <B61A05DAABADEA4EA2F19424825286FA1E631087@IMCMBX04.MITRE.ORG>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 07 Nov 2012 08:17:34 -0700
Message-ID: <CA+k3eCQHHJZrNFgsO4irr+=KUczhCXMCOgDoytANvppKUhCp+w@mail.gmail.com>
To: "Anganes, Amanda L" <aanganes@mitre.org>
Content-Type: multipart/alternative; boundary="f46d043be1dea3c01804cde93907"
X-Gm-Message-State: ALoCoQlinlSJPj25CuSUSo2+x1SKfNtVUB0/Wn9YF2QWY6G93wHAnKk+CJ5Pyme2ki78BH0E4VnmD/1Pkk/Rw73ke6eWk9ddr3kxnkIoZrpYFY9C9hN+oYtttQqrMOHEWkkrwm8dHhzJ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of Assertions drafts
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2012 15:18:09 -0000

Fixed that one in -15 of the SAML draft. Thanks for the review.

FWIW, the requirement about only one client authentication mechanism being
used actually comes from core OAuth at
http://tools.ietf.org/html/rfc6749#section-2.3 and is worded pretty
strongly there where it says, "The client MUST NOT use more than one
authentication method in each request."


On Tue, Nov 6, 2012 at 2:46 PM, Anganes, Amanda L <aanganes@mitre.org>wrote:

>   Good catch, thanks for double-checking.
>
>  --Amanda
>
>   From: Mike Jones <Michael.Jones@microsoft.com>
> Date: Tuesday, November 6, 2012 4:40 PM
> To: "Anganes, Amanda L" <aanganes@mitre.org>, "oauth@ietf.org" <
> oauth@ietf.org>
> Subject: RE: Review of Assertions drafts
>
>   Amanda wrote: [3] Section 2.2 first sentence: "client authentication
> grant" should just be "client authentication".****
>
> ** **
>
> This change should also be applied to the first sentence of 2.2 in SAML
> draft, where the same phrase occurs.****
>
> ** **
>
>                                                             -- Mike****
>
> ** **
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org<oauth-bounces@ietf.org>]
> *On Behalf Of *Anganes, Amanda L
> *Sent:* Tuesday, November 06, 2012 12:41 PM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Review of Assertions drafts****
>
> ** **
>
> Hannes requested that some folks read through the assertion drafts and
> give feedback in light of the upcoming shepherd review.****
>
> ** **
>
> [1] http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
> [2] http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/
> [3] http://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/****
>
> ** **
>
> I can't speak to the security considerations or advisability of these
> drafts, but as far as the documents go I think they are well-organized,
> consistent (internally and across all 3 documents) and straightforward. **
> **
>
> ** **
>
> A few comments:****
>
> ** **
>
> [1] Section 4.2.1 says in passing that it is an error condition "if more
> than one client authentication mechanism is used". If this is a true
> requirement / error state I think it should be called out more strongly.
> Perhaps 4.2 should say at the top that "Other client authentication
> mechanisms MUST NOT be used in conjunction with an assertion". ****
>
> ** **
>
> If so, [2] 3.2 and [3] 3.2 should also indicate that additional client
> credentials MUST NOT be used in addition to the assertion for Client
> Authentication.****
>
> ** **
>
> [3] Section 2.2 first sentence: "client authentication grant" should just
> be "client authentication".****
>
> ** **
>
> --Amanda Anganes****
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email