Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

Brian Campbell <bcampbell@pingidentity.com> Sat, 19 July 2014 08:25 UTC

In-Reply-To: <CAHbuEH6w9mfHLwN8WMJHHV5qZ8MzLJY6ky-Yp_xg39WfpGbC3g@mail.gmail.com>
References: <CAHbuEH6w9mfHLwN8WMJHHV5qZ8MzLJY6ky-Yp_xg39WfpGbC3g@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 18 Jul 2014 23:00:50 -0600
Message-ID: <CA+k3eCR__YW3e1Ca0+3ix3Y2MuGjdwaP=YHEjpnCcxshTOoRkA@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/fCyTpt3wqo8BwVVOd1S30UfpJ3U
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

How about the following (which is intentionally similar to the text I just
put forth for your request for privacy consideration in
draft-ietf-oauth-jwt-bearer-09)?

A SAML Assertion may contain privacy-sensitive information and, to prevent
disclosure of such information to unintended parties, should only be
transmitted over encrypted channels, such as TLS. In cases where it's
desirable to prevent disclosure of certain information to the client, the
Subject and/or individual attributes of a SAML Assertion may be encrypted
to the authorization server.

Deployments should determine the minimum amount of information necessary to
complete the exchange and include only that information in an Assertion
(typically by limiting what information is included in an
<AttributeStatement> or omitting it altogether). In some cases
the Subject can be a value representing an anonymous or pseudonymous user
as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0
Client Authentication and Authorization Grants
[http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].


On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty <
kathleen.moriarty.ietf@gmail.com> wrote:

> Hello,
>
> I just finished my review of
> http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer.  The draft
> looks great, thank you for all of your efforts on it!
>
> I did notice that there were no privacy considerations pointing back to
> RFC6973, could that text be added?  The draft came after the OAuth
> framework publication (referenced in the security considerations), so I am
> guessing that is why this was missed as there are privacy considerations in
> the OAuth assertion draft (I completed that review as well and the draft
> looked great.  I don't have any comments to add prior to progressing the
> draft).
>
> Thank you.
>
> --
>
> Best regards,
> Kathleen
>
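The data-minimization and pseudonymous-Subject points in Brian's proposed text, worked through as an added example that is not part of the thread or of the draft: a check that reports what a SAML 2.0 Assertion discloses in the clear (identifying versus pseudonymous or encrypted Subject, unencrypted attribute names), and a function that produces the reduced assertion the text calls for. The assertion XML, issuer, audience and attribute names are constructed for illustration; the element names, namespace and NameID Format URIs are the real SAML 2.0 ones. Because altering a signed assertion invalidates its signature, minimization of this kind belongs at the issuer; the function shows the shape of the result rather than a post-processing step a client could apply.

```python
"""Privacy report and data minimization for a SAML 2.0 Assertion used as an
OAuth 2.0 grant. Added example, not code from the draft or the thread.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)  # keep the saml: prefix on output

# NameID formats that do not directly identify the user to the AS.
PSEUDONYMOUS_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

# Constructed sample: an over-sharing assertion with an e-mail NameID and
# several personal attributes. The ds:Signature the bearer grant requires is
# omitted; it plays no part in the privacy check. Names and URLs are made up.
VERBOSE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_abc123" Version="2.0" IssueInstant="2014-07-19T08:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-07-19T08:05:00Z" Recipient="https://as.example.com/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-07-19T08:00:00Z" NotOnOrAfter="2014-07-19T08:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://as.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dateOfBirth"><saml:AttributeValue>1990-01-01</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def privacy_report(xml_text):
    """Summarise what the assertion discloses in the clear.

    subject: "encrypted" (EncryptedID present), "pseudonymous" (transient or
    persistent NameID), "identifying" (any other NameID) or "absent".
    clear_attributes: names of attributes sent as plaintext saml:Attribute.
    encrypted_attributes: count of saml:EncryptedAttribute elements.
    """
    root = ET.fromstring(xml_text)
    subject = root.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    if subject is not None and subject.find("saml:EncryptedID", NS) is not None:
        state = "encrypted"
    elif name_id is not None and name_id.get("Format") in PSEUDONYMOUS_FORMATS:
        state = "pseudonymous"
    elif name_id is not None:
        state = "identifying"
    else:
        state = "absent"
    clear = [a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)]
    encrypted = len(root.findall("saml:AttributeStatement/saml:EncryptedAttribute", NS))
    return {"subject": state, "clear_attributes": clear, "encrypted_attributes": encrypted}


def minimize(xml_text, needed_attributes, pseudonym=None):
    """Return the assertion reduced to what the exchange actually needs.

    Attributes outside needed_attributes are dropped and an AttributeStatement
    left empty is removed altogether. If pseudonym is given, the NameID is
    replaced by a transient identifier so the AS receives no directly
    identifying Subject value. This models what the issuer should emit; the
    output is unsigned and would have to be signed by the issuer.
    """
    root = ET.fromstring(xml_text)
    for stmt in root.findall("saml:AttributeStatement", NS):
        for attr in list(stmt.findall("saml:Attribute", NS)):
            if attr.get("Name") not in needed_attributes:
                stmt.remove(attr)
        if len(stmt) == 0:
            root.remove(stmt)
    if pseudonym is not None:
        name_id = root.find("saml:Subject/saml:NameID", NS)
        if name_id is not None:
            name_id.set("Format", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient")
            name_id.text = pseudonym
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(privacy_report(VERBOSE_ASSERTION))
    reduced = minimize(VERBOSE_ASSERTION, {"role"}, pseudonym="_7f3a9c")
    print(privacy_report(reduced))
```

Running the report on the constructed assertion flags an identifying Subject and four plaintext attributes; after minimization to the single attribute the exchange needs and a transient NameID, only that attribute remains in the clear. An EncryptedID or EncryptedAttribute in the input is recognised as such, which is the other option the proposed text gives for keeping a value from the client.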