Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf-oauth-token-exchange-17: (with COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Sun, 07 July 2019 13:32 UTC

References: <156238540273.21781.4146676340197499618.idtracker@ietfa.amsl.com> <CA+k3eCR4HfiOusEfFsE-T7-PguvJMZr7_K-nGgm3F9y0593E+Q@mail.gmail.com> <20190706184226.GA13047@kduck.mit.edu>
In-Reply-To: <20190706184226.GA13047@kduck.mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 07 Jul 2019 09:32:15 -0400
Message-ID: <CA+k3eCS3zd9Qir5joMuP4-hn8L-8jAU=gy9StOraA7uH5ouMkw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gpsNn3ol3-6yqX0EBAoMLrxFxpk>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf-oauth-token-exchange-17: (with COMMENT)

On Sat, Jul 6, 2019 at 2:42 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

>
> > Not to my recollection. I'm honestly not even sure what an array would
> mean
> > for "may_act". Do you mean for "act"?
>
> Currently we can say that admin@example.com "may act" as user@example.com.
> But IIUC we don't have a way to say that either admin1@example.com or
> admin2@example.com may do so.  An array would let us indicate multiple
> authorized parties.  I'm reluctant to actually make such a change at this
> point, though, since this is already deployed some places, right?
>

Okay, sorry, I'm a bit slow but I follow you now.

Indeed this has been deployed in a number of places already. I honestly
don't know if anyone is making use of this particular claim, but changing
from an object to an array of objects would be a breaking change. And a
breaking change is something I'd really like to avoid unless there's a very
compelling reason to do so. And while your point here is taken, I don't
think it rises to that level of compelling.

I see two options at this point:
1) leave it as is
2) adjust the language around "may_act" such that it could also identify
an eligible group - this would allow for it to indicate multiple authorized
parties, but just not one by one by name, which is maybe more desirable
anyway

What do you think?

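The check the thread is discussing, as an added example that is not part of the message or of the draft: "may_act" in draft-ietf-oauth-token-exchange is a JSON object in the subject token whose members (for example "sub") identify the one party allowed to act on the subject's behalf, and the authorization server compares it with the actor token's claims before issuing a token carrying an "act" claim. The "group" member of "may_act" and the actor token's "groups" claim below are assumptions made up here to illustrate the second option above; the draft defines neither. Claim sets are constructed sample data and are assumed to be already-verified JWT payloads.

```python
from typing import Any, Dict, Optional

# Constructed sample claim sets: decoded JWT payloads whose signatures, "exp"
# and audience are assumed to have been validated before this step.
SUBJECT_TOKEN_CLAIMS = {
    "iss": "https://as.example.com",
    "sub": "user@example.com",
    "may_act": {"sub": "admin@example.com"},   # object form, as in the draft
}
ACTOR_TOKEN_CLAIMS = {
    "iss": "https://as.example.com",
    "sub": "admin@example.com",
}

# Hypothetical group-based form (option 2 in the thread). The "group" member
# and the actor's "groups" claim are assumptions, not part of the draft.
GROUP_SUBJECT_TOKEN_CLAIMS = {
    "iss": "https://as.example.com",
    "sub": "user@example.com",
    "may_act": {"group": "helpdesk"},
}
GROUP_ACTOR_TOKEN_CLAIMS = {
    "iss": "https://as.example.com",
    "sub": "admin2@example.com",
    "groups": ["helpdesk", "billing"],
}


def actor_authorized(subject_claims: Dict[str, Any],
                     actor_claims: Dict[str, Any]) -> bool:
    """Return True only if the actor token satisfies the subject's may_act."""
    may_act = subject_claims.get("may_act")
    # The draft defines may_act as a JSON object. Absent, empty, or any other
    # shape (including the array form discussed in the thread) means no
    # delegation is authorized; an empty object would otherwise match anyone.
    if not isinstance(may_act, dict) or not may_act:
        return False
    for name, expected in may_act.items():
        if name == "group":
            # Hypothetical group match: the actor must be a member of the
            # named group, so multiple parties are covered without listing them.
            actor_groups = actor_claims.get("groups")
            if not isinstance(actor_groups, list) or expected not in actor_groups:
                return False
            continue
        # Every other member must match the actor token's claim exactly.
        if actor_claims.get(name) != expected:
            return False
    return True


def delegated_claims(subject_claims: Dict[str, Any],
                     actor_claims: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Build the claims of the token to issue, or None if delegation is refused.

    The issued token keeps the subject's identity and records the actor in an
    "act" claim (as in the draft's delegation example); dropping may_act from
    the issued token is a design choice made here, not a rule of the draft.
    """
    if not actor_authorized(subject_claims, actor_claims):
        return None
    if not isinstance(actor_claims.get("sub"), str):
        return None
    issued = {k: v for k, v in subject_claims.items() if k != "may_act"}
    issued["act"] = {"sub": actor_claims["sub"]}
    return issued


if __name__ == "__main__":
    print(delegated_claims(SUBJECT_TOKEN_CLAIMS, ACTOR_TOKEN_CLAIMS))
    print(delegated_claims(SUBJECT_TOKEN_CLAIMS, {"sub": "admin2@example.com"}))
    print(delegated_claims(GROUP_SUBJECT_TOKEN_CLAIMS, GROUP_ACTOR_TOKEN_CLAIMS))
```

With the object form, a second administrator such as admin2@example.com is refused because "may_act" names exactly one party; the group branch shows how the wording change in option 2 could cover several parties without changing the claim's type, which is what keeps it from being a breaking change for existing deployments.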