Re: [OAUTH-WG] Review of Assertions drafts
Brian Campbell <bcampbell@pingidentity.com> Wed, 07 November 2012 15:18 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB9C821F8BAE for <oauth@ietfa.amsl.com>; Wed, 7 Nov 2012 07:18:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.976
X-Spam-Level:
X-Spam-Status: No, score=-5.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tEal2lnrvFOW for <oauth@ietfa.amsl.com>; Wed, 7 Nov 2012 07:18:08 -0800 (PST)
Received: from na3sys009aog128.obsmtp.com (na3sys009aog128.obsmtp.com [74.125.149.141]) by ietfa.amsl.com (Postfix) with ESMTP id 24CCE21F8BDD for <oauth@ietf.org>; Wed, 7 Nov 2012 07:18:06 -0800 (PST)
Received: from mail-ye0-f198.google.com ([209.85.213.198]) (using TLSv1) by na3sys009aob128.postini.com ([74.125.148.12]) with SMTP ID DSNKUJp7rSYrNZCsveUxkF84uFmQPB8No/rY@postini.com; Wed, 07 Nov 2012 07:18:06 PST
Received: by mail-ye0-f198.google.com with SMTP id q10so3131963yen.1 for <oauth@ietf.org>; Wed, 07 Nov 2012 07:18:05 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=6o66zZ+NTkSmcc06d4jftUY/L9hq/+6vGnukEUNy9aY=; b=oqj4nbYJQFnIJK6rjLKdATqUnssZSwfXAQNXlS5B7S+jaDqrln9+ovNqG//ZzNauRt SzzyZLgZ6IUkm8KIu0alpRf1+qD5NCX7g9akM476UonFNaxcrscTE9VH2DCgYF7hG3cq gBNp9m/JKe2Ih/on+fxME80yS3FdT4trNsXuZUDbIEr0QzAKrVqAtzQCTnq0ATlXAyz8 dgqCQ9lqi2y9CgHIh/UrnJaTrh07SZaxfSoWVedwoAcZ/LVVEJ0JT0f5mi/24U46cCt4 U97YIWszntCKv43bxJKx1Aaa522n1K9FT/aghtguaknimb5o1xX4Hl5nYJqnU1VKf4YB VGUQ==
Received: by 10.220.157.75 with SMTP id a11mr4393047vcx.27.1352301485069; Wed, 07 Nov 2012 07:18:05 -0800 (PST)
Received: by 10.220.157.75 with SMTP id a11mr4393039vcx.27.1352301484949; Wed, 07 Nov 2012 07:18:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.151.44 with HTTP; Wed, 7 Nov 2012 07:17:34 -0800 (PST)
In-Reply-To: <B61A05DAABADEA4EA2F19424825286FA1E631087@IMCMBX04.MITRE.ORG>
References: <4E1F6AAD24975D4BA5B1680429673943668A4CF4@TK5EX14MBXC283.redmond.corp.microsoft.com> <B61A05DAABADEA4EA2F19424825286FA1E631087@IMCMBX04.MITRE.ORG>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 07 Nov 2012 08:17:34 -0700
Message-ID: <CA+k3eCQHHJZrNFgsO4irr+=KUczhCXMCOgDoytANvppKUhCp+w@mail.gmail.com>
To: "Anganes, Amanda L" <aanganes@mitre.org>
Content-Type: multipart/alternative; boundary="f46d043be1dea3c01804cde93907"
X-Gm-Message-State: ALoCoQlinlSJPj25CuSUSo2+x1SKfNtVUB0/Wn9YF2QWY6G93wHAnKk+CJ5Pyme2ki78BH0E4VnmD/1Pkk/Rw73ke6eWk9ddr3kxnkIoZrpYFY9C9hN+oYtttQqrMOHEWkkrwm8dHhzJ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of Assertions drafts
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2012 15:18:09 -0000
Fixed that one in -15 of the SAML draft. Thanks for the review. FWIW, the requirement about only one client authentication mechanism being used actually comes from core OAuth at http://tools.ietf.org/html/rfc6749#section-2.3 and is worded pretty strongly there where it says, "The client MUST NOT use more than one authentication method in each request." On Tue, Nov 6, 2012 at 2:46 PM, Anganes, Amanda L <aanganes@mitre.org>wrote: > Good catch, thanks for double-checking. > > --Amanda > > From: Mike Jones <Michael.Jones@microsoft.com> > Date: Tuesday, November 6, 2012 4:40 PM > To: "Anganes, Amanda L" <aanganes@mitre.org>, "oauth@ietf.org" < > oauth@ietf.org> > Subject: RE: Review of Assertions drafts > > Amanda wrote: [3] Section 2.2 first sentence: "client authentication > grant" should just be "client authentication".**** > > ** ** > > This change should also be applied to the first sentence of 2.2 in SAML > draft, where the same phrase occurs.**** > > ** ** > > -- Mike**** > > ** ** > > *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org<oauth-bounces@ietf.org>] > *On Behalf Of *Anganes, Amanda L > *Sent:* Tuesday, November 06, 2012 12:41 PM > *To:* oauth@ietf.org > *Subject:* [OAUTH-WG] Review of Assertions drafts**** > > ** ** > > Hannes requested that some folks read through the assertion drafts and > give feedback in light of the upcoming shepherd review.**** > > ** ** > > [1] http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/ > [2] http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/ > [3] http://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/**** > > ** ** > > I can't speak to the security considerations or advisability of these > drafts, but as far as the documents go I think they are well-organized, > consistent (internally and across all 3 documents) and straightforward. ** > ** > > ** ** > > A few comments:**** > > ** ** > > [1] Section 4.2.1 says in passing that it is an error condition "if more > than one client authentication mechanism is used". If this is a true > requirement / error state I think it should be called out more strongly. > Perhaps 4.2 should say at the top that "Other client authentication > mechanisms MUST NOT be used in conjunction with an assertion". **** > > ** ** > > If so, [2] 3.2 and [3] 3.2 should also indicate that additional client > credentials MUST NOT be used in addition to the assertion for Client > Authentication.**** > > ** ** > > [3] Section 2.2 first sentence: "client authentication grant" should just > be "client authentication".**** > > ** ** > > --Amanda Anganes**** > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Review of Assertions drafts Anganes, Amanda L
- Re: [OAUTH-WG] Review of Assertions drafts Anganes, Amanda L
- Re: [OAUTH-WG] Review of Assertions drafts Brian Campbell