[OAUTH-WG] audience (was draft-ietf-oauth-saml2-bearer-17)

Brian Campbell <bcampbell@pingidentity.com> Mon, 04 November 2013 19:58 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 400C721E8220 for <oauth@ietfa.amsl.com>; Mon, 4 Nov 2013 11:58:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.921
X-Spam-Level:
X-Spam-Status: No, score=-5.921 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nFppq4z1gAdn for <oauth@ietfa.amsl.com>; Mon, 4 Nov 2013 11:58:37 -0800 (PST)
Received: from na3sys009aog134.obsmtp.com (na3sys009aog134.obsmtp.com [74.125.149.83]) by ietfa.amsl.com (Postfix) with ESMTP id E2F3811E8224 for <oauth@ietf.org>; Mon, 4 Nov 2013 11:58:36 -0800 (PST)
Received: from mail-ie0-f173.google.com ([209.85.223.173]) (using TLSv1) by na3sys009aob134.postini.com ([74.125.148.12]) with SMTP ID DSNKUnf8bBmBqQ9rTuj+oQUfz6G8jHAXLAfq@postini.com; Mon, 04 Nov 2013 11:58:37 PST
Received: by mail-ie0-f173.google.com with SMTP id u16so12969330iet.4 for <oauth@ietf.org>; Mon, 04 Nov 2013 11:58:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=AzgDWptuPn4QOIg0KVGPa34fDTqJLoICa+6lq1cBVhk=; b=RIJz+AK9bLtRpRXZT4gnwr3jONEUJnRYMEpP7ViYLi2Ht34NbP94psRQDUU3d8ikUc nPupSaiwj4+F6+e4m752kpCjm1zbHK1SPt7I7eE01iQLHIDGq5lVCIIQ20ccGwVq3Aod XVdZ7LPux+nMfwyVKd6BDbvMLtsYazql04UWjvCytLX4eFwl0rzQ519ZeO1tf6j4f6w1 kz6cuOw/Mzfv2qcG6Kh/mqK8MRro3NE45k7BNWBqD/gkhzyDVLDON+VslC0aw11gKwqv GFaehDf5IQcrzARLmc6bKlYHhrP6ZJOEl2ooRocOx4y69SO6cVCK/25aKI8UXFxGeiII 5olg==
X-Gm-Message-State: ALoCoQmYUO/kNZpxhXRPa15mjITbR9FVBkrxei0ehBYYDxKacdxXUsOYhJrWhlUqW5wREuHs3SDHJWPQw9TxFS7oSc3EP5hrqgQ8g4UBM+Ur0g+4QLcjk/F8HxG1dkYoaCjAwdc8s/PCLPKvYJT403WahX28aqvw7Q==
X-Received: by 10.43.138.8 with SMTP id iq8mr4678011icc.37.1383595112518; Mon, 04 Nov 2013 11:58:32 -0800 (PST)
X-Received: by 10.43.138.8 with SMTP id iq8mr4678000icc.37.1383595112351; Mon, 04 Nov 2013 11:58:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.245.233 with HTTP; Mon, 4 Nov 2013 11:58:02 -0800 (PST)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 4 Nov 2013 11:58:02 -0800
Message-ID: <CA+k3eCRu4v=++_OcC2PzMbKRdcH6fV0Rb0F6Lgpu5oJ8a6g-Rg@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] audience (was draft-ietf-oauth-saml2-bearer-17)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2013 19:58:42 -0000

On Sat, Nov 2, 2013 at 2:07 AM, Hannes Tschofenig
<hannes.tschofenig@gmx.net> wrote
> Item #2: You wrote:
>
> "
> Section 2.5.1.4 of Assertions and Protocols for the OASIS
>         Security Assertion Markup Language [OASIS.saml-core-2.0-os]
>         defines the <AudienceRestriction> and <Audience> elements and,
>         in addition to the URI references discussed there, the token
>         endpoint URL of the authorization server MAY be used as a URI
>         that identifies the authorization server as an intended
>         audience.  Assertions that do not identify the Authorization
>         Server as an intended audience MUST be rejected.
> "
>
> The 'MAY' is extremely weak here. If you make it a MUST that there has to be
> the endpoint URL of the authorization server in there then that would
> provide so much more interoperability. As a reader I wouldn't know what
> other options I have and systems that provision necessary databases / tables
> to ensure that the comparison takes place will also struggle.

The "MAY" is intended to be weak and is only a suggestion for
deployments which don't already have a suitable identifier (like a
SAML 2 entity ID) for an audience value.

I understand that you'd like this to be tighter but the suggestion is
not viable and it wouldn't provide the perceived interoperability
panacea anyway. Some information needs to be agreed upon for this to
work. How is out of scope here. The audience is one such value. Even
if mandating one specific thing for audience was feasible, it wouldn't
add to interoperability because there is other information that has to
be agreed on anyway.


> Then, there is again this SHOULD regarding the comparison operation, see
> "
>  Audience
>         values SHOULD be compared using the Simple String Comparison
>         method defined in Section 6.2.1 of RFC 3986 [RFC3986], unless
>         otherwise specified by the application.
> "
>
> I would replace it with a MUST, as I argued in
> draft-ietf-oauth-jwt-bearer-06.

As I said there [1], I think I'm okay with that but would like to hear
from others in the WG.

[1] http://www.ietf.org/mail-archive/web/oauth/current/msg12251.html