Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Fri, 19 July 2019 16:06 UTC

References: <156348397007.8464.8217832087905511031.idtracker@ietfa.amsl.com> <CA+k3eCQR_yVZJdw0CmPL0qVCA3S0x5gZAr6_BwvDrZDW0NOPWA@mail.gmail.com> <CALaySJJ3chNzsJvWgTpg-6GudK8ot=D8Fvguyr=kpFuiVWLSPw@mail.gmail.com>
In-Reply-To: <CALaySJJ3chNzsJvWgTpg-6GudK8ot=D8Fvguyr=kpFuiVWLSPw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 19 Jul 2019 10:05:57 -0600
Message-ID: <CA+k3eCR4yxwo1yGpjWHxjcs+=b3VAdJDsF-RZDSTTDArgGi3ew@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fowBto5m7jca_j9VD3pXowVjZmU>

On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryleiba@computer.org> wrote:

> >> and I trust the authors and responsible AD to do the right thing.
> >
> > I always endeavor to do the right thing.
>
> You do; hence, the trust.  :-)
>

I do appreciate that, thank you.


> And thanks for the quick responses.
>

I try. To varying degrees of success.


>
> >> — Section 1.1 —
> >> Given the extensive discussion of impersonation here, what strikes me as
> >> missing is pointing out that impersonation here is still controlled, that “A is
> >> B” but only to the extent that’s allowed by the token.  First, it might be
> >> limited by number of instances (one transaction only), by time of day (only for
> >> 10 minutes), and by scope (in regard to B’s address book, but not B’s email).
> >> Second, there is accountability: audit information still shows that the token
> >> authorized acting as B.  Is that not worth clarifying?
> >
> > My initial response was going to be "sure, I'll add some bits in sec 1.1 along those lines to clarify
> > that." However, as I look again at that section for good opportunities to make such additions, I feel
> > like it is already said that impersonation is controlled.
> ...
> > So I think it already says that and I'm gonna have to flip it back and ask if you have concrete
> > suggestions for changes or additions that would say it more clearly or more to your liking?
>
> It is mentioned, true, and that might be enough.  But given that Eve
> also replied that she would like more here, let me suggest something,
> the use of which is entirely optional -- take it, don't take it,
> modify it, riff on it, ignore it completely, as you think best.  What
> do you think about changing the last sentence of the paragraph?: "For
> all intents and purposes, when A is impersonating B, A is B within the
> rights context authorized by the token, which could be limited in
> scope or time, or by a one-time-use restriction."
>

Sure, I think that or some slight modification thereof can work just fine.
I'll do that and get it and the rest of these changes published when the
I-D submission embargo is lifted for Montreal.



>
> >> — Section 6 —
> >> Should “TLS” here have a citation and normative reference?
> >
> > I didn't include an explicit reference here because TLS is transitively referenced by other
> > normative references (including 6749 of which this whole thing is an extension) and TLS
> > is pretty widely recognized even without citation.
> ...
> > I'm happy to add a citation here but it does raise the question of what the most appropriate
> > way to cite TLS is right now - 1.3, 1.2, or the BCP or some combination thereof?
>
> I wondered the same thing, and you're also right that it might not
> need a reference in this document.  I only even flagged it because
> it's the subject of a MUST.  I'll leave it to the Sec ADs (who
> obviously didn't flag it themselves, so maybe they agree that it's not
> necessary).
>

I'm gonna just leave it as-is then, unless I hear otherwise from the Sec
ADs.

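The Section 1.1 exchange above is about the bounds on impersonation: A "is" B only within the rights context the token authorizes (scope, time, a one-time-use restriction), and the audit trail still records that a token authorized acting as B. The following is an added illustration of how a resource server would enforce exactly those bounds and keep that audit record; it is not code from the draft or from the thread's participants. It assumes a constructed HS256 signing key, made-up issuer and audience URLs, a constructed timestamp, and that one-time use is implemented by remembering consumed `jti` values (the draft describes the restriction, not this mechanism). Claim names are the standard JWT ones plus the `scope` claim the token exchange draft defines.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only; a real authorization server uses its own key material.
SIGNING_KEY = b"example-token-exchange-key"
ISSUER = "https://as.example"     # assumed value
AUDIENCE = "https://rs.example"   # assumed value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_impersonation_token(impersonated_subject, scope, issued_at, lifetime_s, jti):
    """Issue a compact HS256 JWT saying 'the bearer is <subject>' only within
    the given scope, for lifetime_s seconds, identified by jti for one-time use."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": impersonated_subject,
        "aud": AUDIENCE,
        "iat": issued_at,
        "exp": issued_at + lifetime_s,
        "jti": jti,
        "scope": scope,
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def authorize(token, required_scope, now, used_jtis, audit_log):
    """Resource-server decision for one request made with an impersonation token.
    Checks signature, expiry, scope and one-time use, in that order, and appends an
    audit record that names the impersonated subject and the token that authorized it.
    Returns (allowed, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h64, c64, s64 = parts
    expected = hmac.new(SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return False, "bad_signature"          # unsigned/tampered tokens are never logged as B
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        return False, "unexpected_alg"
    claims = json.loads(_b64url_decode(c64))

    reason = "ok"
    if claims.get("aud") != AUDIENCE:
        reason = "wrong_audience"
    elif now >= claims.get("exp", 0):
        reason = "expired"                      # the time bound
    elif required_scope not in claims.get("scope", "").split():
        reason = "insufficient_scope"           # the scope bound
    elif claims.get("jti") in used_jtis:
        reason = "replayed"                     # the one-time-use bound
    allowed = reason == "ok"
    if allowed:
        used_jtis.add(claims["jti"])            # consume the token on first successful use

    # Accountability: the record shows which token authorized acting as the subject.
    audit_log.append({
        "acting_as": claims.get("sub"),
        "authorized_by_jti": claims.get("jti"),
        "requested_scope": required_scope,
        "allowed": allowed,
        "reason": reason,
        "at": now,
    })
    return allowed, reason


def demo():
    """Mint one token for 'B' and exercise each bound; returns (reasons, audit_log)."""
    audit_log, used = [], set()
    t0 = 1_563_552_000  # constructed timestamp
    tok = mint_impersonation_token("bob@example", "addressbook.read", t0, 600, "jti-0001")
    reasons = [
        authorize(tok, "addressbook.read", t0 + 30, used, audit_log)[1],   # within bounds
        authorize(tok, "email.read", t0 + 30, used, audit_log)[1],         # B's email is out of scope
        authorize(tok, "addressbook.read", t0 + 60, used, audit_log)[1],   # second use of a one-time token
        authorize(tok, "addressbook.read", t0 + 900, used, audit_log)[1],  # after the 10-minute window
    ]
    return reasons, audit_log


if __name__ == "__main__":
    for reason, record in zip(*demo()):
        print(reason, record)
```

The ordering of checks matters for the audit trail: a token that fails signature verification is rejected before any claim is trusted, so nothing is ever recorded as "acting as B" on the strength of an unverified assertion, while every decision made on a valid token, allowed or not, leaves a record tying the action to the token's `jti` and the impersonated subject.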