IETF Logo Mail Archive

Re: [OAUTH-WG] Review of dynamic registration draft

"Richer, Justin P." <jricher@mitre.org> Thu, 20 November 2014 20:47 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46D321A19E4 for <oauth@ietfa.amsl.com>; Thu, 20 Nov 2014 12:47:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.493
X-Spam-Level:
X-Spam-Status: No, score=-2.493 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.594] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XepDZQ-pVFTm for <oauth@ietfa.amsl.com>; Thu, 20 Nov 2014 12:47:11 -0800 (PST)
Received: from smtpvbsrv1.mitre.org (smtpvbsrv1.mitre.org [198.49.146.234]) by ietfa.amsl.com (Postfix) with ESMTP id BFD321A0396 for <oauth@ietf.org>; Thu, 20 Nov 2014 12:47:10 -0800 (PST)
Received: from smtpvbsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 61CEFB2E26B; Thu, 20 Nov 2014 15:47:10 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpvbsrv1.mitre.org (Postfix) with ESMTP id 35631B2E269; Thu, 20 Nov 2014 15:47:10 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.102]) by IMCCAS03.MITRE.ORG ([129.83.29.80]) with mapi id 14.03.0174.001; Thu, 20 Nov 2014 15:47:10 -0500
From: "Richer, Justin P." <jricher@mitre.org>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: [OAUTH-WG] Review of dynamic registration draft
Thread-Index: AQHQBG2u4GGEKte2aESbjkNIkmIov5xqTdAAgAADgIA=
Date: Thu, 20 Nov 2014 20:47:08 +0000
Message-ID: <69636E15-B340-4E1B-A859-330876EC8539@mitre.org>
References: <DAF10981-A944-46B5-ACA9-696152C11C9A@gmail.com> <527AD765-4F4F-4DFB-A127-EB9B7DAB1F61@mitre.org>
In-Reply-To: <527AD765-4F4F-4DFB-A127-EB9B7DAB1F61@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.146.15.76]
Content-Type: multipart/alternative; boundary="_000_69636E15B3404E1BA859330876EC8539mitreorg_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/fWKweOw9_RmBgG5ccnosZYvv4Mg
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of dynamic registration draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 20:47:14 -0000

Sorry, a sentence trailed off -- I meant to say:


Sect 6 paragraph 7
What makes it 'valid and trusted'?  The flow of this paragraph could be improved so the terms valid and trusted are connected to earlier statements to separate it better from the plain JSON objects.

On the first level, this includes validating the JWS on the statement itself, but as is usually the case, determining "trust" of a source is going to be very application specific. I'm not quite

... convinced that we can really do much more than that, though we can explicitly state that this is the case if that would help. I agree that "valid and trusted" is a bit vague.

-- Justin



On Nov 20, 2014, at 3:34 PM, Justin Richer <jricher@mitre.org<mailto:jricher@mitre.org>> wrote:

Kathleen, thanks for your review. Responses inline.

On Nov 19, 2014, at 9:56 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote:

Hi,

I reviewed draft-Ietf-oauth-dyn-reg-20 and have the following questions before we move this to IETF last call.

Sect 2, Has there been any consideration in the WG of using alternate auth methods from HTTPAuth like HOBA?  I realize this is referencing Oauth defined methods from the framework draft, but would like to know what was considered or not.  HOBA is heading to IETF last call soon.

Nobody brought up HOBA in this working group. This field is intentionally extensible, so if there's interest in defining how to use HOBA for OAuth client authentication it will make a perfectly reasonable extension document.


Section 6:  why is there a choice on TLS?  I'd recommend you make it require 1.2 unless there is a really compelling argument to have that must as either 1.2 or 1.0

We copied this text straight from RFC6749. I know that a similar section exists in JWS with updated language, and we could adopt that directly here:


   Which TLS version(s) ought to be implemented will
   vary over time, and depend on the widespread deployment and known
   security vulnerabilities at the time of implementation.  At the time
   of this writing, TLS version 1.2 [RFC5246<https://tools.ietf.org/html/rfc5246>] is the most recent
   version.

   To protect against information disclosure and tampering,
   confidentiality protection MUST be applied using TLS with a
   ciphersuite that provides confidentiality and integrity protection.
   See current publications by the IETF TLS working group, including RFC<https://tools.ietf.org/html/rfc6176>
   6176<https://tools.ietf.org/html/rfc6176> [RFC6176<https://tools.ietf.org/html/rfc6176>], for guidance on the ciphersuites currently considered
   to be appropriate for use.  Also, see Recommendations for Secure Use
   of TLS and DTLS [I-D.ietf-uta-tls-bcp<https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-37#ref-I-D.ietf-uta-tls-bcp>] for recommendations on
   improving the security of software and services using TLS.

   Whenever TLS is used, the identity of the service provider encoded in
   the TLS server certificate MUST be verified using the procedures
   described in Section 6 of RFC 6125<https://tools.ietf.org/html/rfc6125#section-6> [RFC6125<https://tools.ietf.org/html/rfc6125>].

Will that work?

Sect 6 paragraph 5
Why are the security recommendations listed as 'could'?

Things listed as 'could' in this section were seen to be non-normative recommendations of possible mitigating behaviors. In other words, not trying to be prescriptive with the actions here but providing guidance. Most of these were relaxed from normative requirements in earlier drafts from WG feedback


Sect 6 paragraph 7
What makes it 'valid and trusted'?  The flow of this paragraph could be improved so the terms valid and trusted are connected to earlier statements to separate it better from the plain JSON objects.

On the first level, this includes validating the JWS on the statement itself, but as is usually the case, determining "trust" of a source is going to be very application specific. I'm not quite






Please add a section or interspersed statements on privacy considerations.  Include text on what may be of concern (names, contacts, etc.) and what can be done to protect the values (interspersed may be easier) or that they may be left out to remove concerns.

Most of this protocol doesn't deal with any user information, and so I don't think there are any privacy considerations for most of the document. The one part of this protocol that I can see being a possible privacy consideration is the "contacts" meatadata field, which contains user contact information. Since this field is self-asserted by the client or developer (whoever's doing the registration) for the express purpose of providing a means of contacting the developer of the client, I'm not sure what concerns this might have, if any.

Do you have any other specific parts that you think would have privacy concerns that you'd like to address?

Thanks for the review and the thoughtful comments.

 -- Justin



Thank you,
Kathleen

Sent from my iPhone
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email