Re: [OAUTH-WG] Mirja Kühlewind's No Objection on draft-ietf-oauth-resource-indicators-05: (with COMMENT)
Brian Campbell <bcampbell@pingidentity.com> Wed, 28 August 2019 19:32 UTC
References: <156699700827.32429.7834447943968133840.idtracker@ietfa.amsl.com>
In-Reply-To: <156699700827.32429.7834447943968133840.idtracker@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 28 Aug 2019 13:31:58 -0600
Message-ID: <CA+k3eCSJADHwVvsxF_7UY1Hemavb=zhag95jZ7rFpvP0Em+zmw@mail.gmail.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>, Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-resource-indicators@ietf.org, oauth <oauth@ietf.org>, oauth-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jg5fqN87MYywaH7BYHylV70mesU>
Thanks for the review and not objectionable ballot, Mirja. I wasn't aware of Alexey's comment until I saw your message here and went to the tracker https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-indicators/ballot/ to find it. I think maybe an email got lost somewhere or didn't send or something? Anyway, in an attempt at bringing some continuity to the discussion I've copied his comment here:

"I like this document. Is tracking by authorization server a concern? I suspect on the balance it is less important than restricting token scope (and thus improving security of bearer tokens), but maybe this should be mentioned in the Security Considerations."

In all honesty, tracking by authorization server hasn't been a concern in my mind when working on this document because the authorization server is already squarely in the middle of everything and able to track a significant amount even in the absence of what this document describes. And, as you mention, the potential to improve security in an already track-able situation is more important in my mind.

With that said, however, I suppose that the resource parameter in this document does, in some circumstances (like when token introspection is not being used), make tracking things at a more granular and specific level possible. And that might warrant a mention in the Security (or Privacy) Considerations. I'm honestly not too sure what exactly that mention would say or how it would say it, but I can work on some text.
On Wed, Aug 28, 2019 at 6:57 AM Mirja Kühlewind via Datatracker <noreply@ietf.org> wrote:

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I agree with Alexey that it would be good to mention any privacy implications
> of providing this additional information to the auth server in the security
> consideration section; maybe also further advising clients on which resources
> to request when.
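The trade-off discussed in this message, as an added example that is not part of the thread or of the draft's own text: a toy authorization server that accepts the `resource` parameter, restricts the minted token's audience to that one resource, and a toy resource server that refuses tokens minted for a different audience. The audit log kept by the AS shows the other side of the trade-off: with the parameter, the AS records exactly which API the client intends to call; without it, it only sees the client and scope. The resource URIs, the HMAC-based token format, the log shape and the "known resources" list are all constructed for this example; the `invalid_target` error code is the one the draft uses for an unacceptable resource value, and the absolute-URI / no-fragment check follows the draft's syntax requirements.

```python
"""Toy model of the resource-indicators trade-off discussed in the thread.
Added example, not code from the draft or from the mailing list. Everything
below (resources, key, token format, log shape) is constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import urlsplit

# Constructed: the resources this authorization server is willing to issue tokens for.
KNOWN_RESOURCES = {
    "https://api.example.com/calendar",
    "https://api.example.com/contacts",
}
# Constructed toy MAC key shared by the AS and its resource servers (not a real deployment key).
SECRET = b"constructed-demo-hmac-key"


def validate_resource(value: str) -> bool:
    """A resource indicator must be an absolute URI (scheme and host) with no
    fragment, and this AS additionally requires it to name a resource it knows."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False
    return value in KNOWN_RESOURCES


def mint_token(client_id: str, scope: str, resource: Optional[str], audit_log: list) -> dict:
    """Toy AS token endpoint. Returns {"error": ...} or an access token whose
    audience is the requested resource. The audit entry records what the AS
    learned from the request, which is the privacy point raised in the thread."""
    if resource is not None and not validate_resource(resource):
        return {"error": "invalid_target"}
    # With a resource parameter the token is usable at exactly one API; without
    # one, this AS falls back to a token valid at every resource it knows.
    aud = [resource] if resource is not None else sorted(KNOWN_RESOURCES)
    claims = {"client_id": client_id, "scope": scope, "aud": aud}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    # Granularity difference: requested_resource is None when the client did not say.
    audit_log.append({"client_id": client_id, "scope": scope, "requested_resource": resource})
    return {"access_token": f"{body}.{tag}", "token_type": "Bearer"}


def resource_server_accepts(resource_uri: str, token: str) -> bool:
    """Toy RS: verify the MAC and accept only tokens whose audience includes this RS.
    A token minted for the calendar API is refused by the contacts API, which is
    the bearer-token containment benefit Alexey's comment weighs against tracking."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return resource_uri in claims["aud"]


if __name__ == "__main__":
    log: list = []
    narrow = mint_token("client-a", "read", "https://api.example.com/calendar", log)
    broad = mint_token("client-a", "read", None, log)
    print("narrow token at contacts API:",
          resource_server_accepts("https://api.example.com/contacts", narrow["access_token"]))
    print("broad token at contacts API:",
          resource_server_accepts("https://api.example.com/contacts", broad["access_token"]))
    print("what the AS logged:", json.dumps(log, indent=2))
```

Running the block shows the narrow token rejected at the contacts API while the broad token is accepted there, and the log entries differ only in whether `requested_resource` names a specific API. The caveat from the message above applies: when the resource server uses token introspection, the AS learns which resource is presenting the token in any case, so the extra granularity from the `resource` parameter matters most in deployments that validate tokens locally.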