Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00
Mike Jones <Michael.Jones@microsoft.com> Tue, 22 November 2016 17:21 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55A011288B8 for <oauth@ietfa.amsl.com>; Tue, 22 Nov 2016 09:21:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KA9QBdZEwtyw for <oauth@ietfa.amsl.com>; Tue, 22 Nov 2016 09:21:48 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0121.outbound.protection.outlook.com [104.47.36.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5C9D129529 for <oauth@ietf.org>; Tue, 22 Nov 2016 09:21:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=MMJaChbu3xvZfaqRtXI1CwFZ1UbOU2ioh6eL5+/bysA=; b=kNNOBW/rc+G3JLyLxT012GTD9ZhAxhYZs/7QTxdgLLSbgjctMLCgSA2P7j3227oFH/utqCBWECK7z7EAIAu1mq4E+ZD9iA2HmGzswuirlJ8buVU9X2wRWc9e+V/gKLO4J2PZguyFzRSsLIlp0pnHmOVZMBuNss4BfwAVAGe2t/0=
Received: from BN3PR03MB2355.namprd03.prod.outlook.com (10.166.74.150) by BN3PR03MB2353.namprd03.prod.outlook.com (10.166.74.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.734.8; Tue, 22 Nov 2016 17:21:46 +0000
Received: from BN3PR03MB2355.namprd03.prod.outlook.com ([10.166.74.150]) by BN3PR03MB2355.namprd03.prod.outlook.com ([10.166.74.150]) with mapi id 15.01.0734.014; Tue, 22 Nov 2016 17:21:46 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Steinegger, Roland Heinz (TM)" <roland.steinegger@kit.edu>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00
Thread-Index: AdJBeJlrUbLBw81fnEK2+Zll4wsQGQDa6ZGg
Date: Tue, 22 Nov 2016 17:21:46 +0000
Message-ID: <BN3PR03MB2355252AEFBED003A0EB6298F5B40@BN3PR03MB2355.namprd03.prod.outlook.com>
References: <101a8d47f64f453da9b0c08a6964ba51@kit-msx-27.kit.edu>
In-Reply-To: <101a8d47f64f453da9b0c08a6964ba51@kit-msx-27.kit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [50.47.80.137]
x-microsoft-exchange-diagnostics: 1; BN3PR03MB2353; 7:tgPTKUsUeHo1w6UmuCmSc5NOCI52aBdGg5dZ3T2xQZteRZv7dtduFoqDDYhA9BXfMTzX1d/ER2u9HfxEk/wwnZy4SR9NkV1fyBFnQ3UvW2qKRSe9PuJOJq7R5RUI6WtaFg2C6AhjrMire5/W1lL3oEIPcUF/kEiUZydG70CgU9Nr1qjx0kNYdgx8XVGQVU9BhLdw6euPTEYVcbXjUg8rE9A51iARx3CI2XOm4i3HKIoO8z83Y4t5viHzDNHoIEuzQ2aNL4uP6peWo39f1e1skPAi4BoaRP93Rj199/dvWogwoi2aQRHDU32eH8F+7OEqyrMZFgFZr41jdFBhPFJ9XaIC3B+dQXW4M/W31lLuqW5V7cwYFPeBMHHBDWCUE82H
x-ms-office365-filtering-correlation-id: 553d2cbb-8c54-47be-0ad8-08d412fc095e
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:BN3PR03MB2353;
x-microsoft-antispam-prvs: <BN3PR03MB235322458ACD67589F3C1C45F5B40@BN3PR03MB2353.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(191636701735510)(158342451672863)(192374486261705)(146099531331640);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6045199)(6040307)(6060326)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038)(6046074)(6041248)(6061324)(6042181)(6072148)(6047074); SRVR:BN3PR03MB2353; BCL:0; PCL:0; RULEID:; SRVR:BN3PR03MB2353;
x-forefront-prvs: 0134AD334F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(24454002)(199003)(377454003)(53754006)(13464003)(189002)(8990500004)(7736002)(305945005)(3660700001)(3280700002)(9686002)(5005710100001)(74316002)(10290500002)(8936002)(7846002)(2906002)(66066001)(2171001)(86362001)(230783001)(68736007)(4326007)(5660300001)(38730400001)(76576001)(3846002)(122556002)(2950100002)(33656002)(6116002)(102836003)(92566002)(86612001)(2900100001)(189998001)(2501003)(101416001)(50986999)(8676002)(77096005)(81156014)(97736004)(5001770100001)(229853002)(99286002)(6506003)(81166006)(10090500001)(105586002)(7696004)(76176999)(54356999)(106356001)(15866825004); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR03MB2353; H:BN3PR03MB2355.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Nov 2016 17:21:46.0616 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR03MB2353
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/g25mhEPxlQ6hTZ7h0nmlCPDVGWU>
Subject: Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2016 17:21:50 -0000
I believe that the parameter name should remain "resource". It's identifying a concrete protected resource and so is already correctly named. Besides, that name is already in production use for this purpose. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Steinegger, Roland Heinz (TM) Sent: Friday, November 18, 2016 12:49 AM To: oauth@ietf.org Subject: Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00 On the new parameter. I agree. The description of a "Collision-Resistant Name" sounds great to me and would give developers good guidance. Perhaps the parameter may be called "resource-type". "resource" is ambiguous to me. It may refer to the kind of resource or to a concrete resource. (But I don't know how this is typically handled in RFCs.) On the topic privacy. In my opinion, it depends on how you implement the authorization server (AS). In many cases, the AS already knows what the user wants to access. The scope often contains this information, e.g. "calendar_read" - we are carrying out a study on how the scope is used currently. If you use OAuth just for delegation, it may be a privacy problem. But, if your AS authorizes based on authorization rules, where it has to know the protected resource as well as who wants to access it, privacy may not be a problem from my point of view. > Date: Thu, 17 Nov 2016 11:25:15 -0800 > From: Jim Willeke <jim@willeke.com> > To: oauth@ietf.org > Subject: Re: [OAUTH-WG] About Big Brother and > draft-campbell-oauth-resource-indicators-00 > > I liked the usage in https://tools.ietf.org/html/rfc7515 > > Collision-Resistant Name > A name in a namespace that enables names to be allocated in a > manner such that they are highly unlikely to collide with other > names. Examples of collision-resistant namespaces include: Domain > Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and > X.670 Recommendation series, and Universally Unique IDentifiers > (UUIDs) [RFC4122 <https://tools.ietf.org/html/rfc4122>]. When > using an > administratively delegated > namespace, the definer of a name needs to take reasonable > precautions to ensure they are in control of the portion of the > namespace they use to define the name. > > > > -- > -jim > Jim Willeke > > On Thu, Nov 17, 2016 at 10:23 AM, Vivek Biswas > <vivek.biswas@oracle.com> > wrote: > > > +1 to *It MAY be an absolute URI*, as specified by Section 4.3 of > > [RFC3986]". > > > > Since the Audience Restriction can be a logical name to be > > interpreted by the Resource Server, if it really wants to enforce > > the audience check for a set of Resources it wants to protect. > > Hence, a logical name can be an absolute URI or a String as well. > > > > Regards > > Vivek Biswas, CISSP > > Consulting Member, Security > > Oracle Corporation. > > > > > > > > *From:* Denis [mailto:denis.ietf@free.fr] > > *Sent:* Tuesday, November 15, 2016 3:50 AM > > *To:* oauth@ietf.org > > *Subject:* [OAUTH-WG] About Big Brother and > > draft-campbell-oauth-resource- > > indicators-00 > > > > > > > > Hello everybody, > > > > Since I am not present at the meeting, I read the minutes from the > > first session, in particular: > > > > Brian Campbell and John did a draft allowing the client to tell the > > AS where it plans to use the token > > draft-campbell-oauth-resource-indicators > > > > This enables the AS to audience restrict the access > > token to the resource > > Phil Hunt: We should keep the audience restriction > > idea on the table > > > > The introduction contains the following sentences: > > > > Several years of deployment and implementation experience with OAuth > > 2.0 [RFC6749] has uncovered a need, in some circumstances, for the > > client to explicitly signal to the authorization sever where it > > intends to use the access token it is requesting. > > > > A means for the client to signal to the authorization sever where it > > intends to use the access token it's requesting is important and useful. > > > > The document contains a "security considerations" section but > > unfortunately no "privacy considerations" section. > > > > Clause 2 states: > > > > The client may indicate the resource server(s) for which it is > > requesting an access token by including the following parameter in > > the request. > > > > resource > > > > OPTIONAL. The value of the resource parameter indicates a resource > > server where the requested access token will be used.* It MUST be an > > absolute URI*, as specified by Section 4.3 of[RFC3986], > > > > With such an approach, the authorization server would have the > > ability to *act as a Big Brother *and hence to know exactly where > > the user will be performing activities. > > > > However, some users might be concerned with their privacy, and would > > like to restrict the use of the access token to some resource > > servers without the authorization server knowing which are these > > resource servers. > > > > The key point is whether the information is primarily intended to > > the authorization server or to the resource server(s). > > > > I believe that it is primarily intended to the resource server(s) > > rather than to the authorization server in order to be included in > > an access token. Obviously, the information needs to transit through > > the authorization sever, that should simply be copied and pasted > > into the access token. Its semantics, if any, does not necessarily > > needs to be interpreted by the authorization sever. > > > > I believe that a "privacy considerations" section should be added. > > > > The sentence "*It MUST be an absolute URI*, as specified by Section > > 4.3 of [RFC3986]" should be removed or replaced by : "*It MAY be an > > absolute URI*, as specified by Section 4.3 of [RFC3986]". > > > > Obviously, other changes would be necessary too. > > > > Denis > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] About Big Brother and draft-campbell-o… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Brian Campbell
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Vivek Biswas
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Jim Willeke
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Steinegger, Roland Heinz (TM)
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Hannes Tschofenig
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… John Bradley
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Mike Jones
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… George Fletcher
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- [OAUTH-WG] Comments on draft-ietf-oauth-token-bin… Denis
- [OAUTH-WG] Comments on draft-ietf-oauth-pop-archi… Denis