Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

John Bradley <ve7jtb@ve7jtb.com> Sun, 21 July 2019 17:44 UTC

References: <156348397007.8464.8217832087905511031.idtracker@ietfa.amsl.com> <CA+k3eCQR_yVZJdw0CmPL0qVCA3S0x5gZAr6_BwvDrZDW0NOPWA@mail.gmail.com> <CALaySJJ3chNzsJvWgTpg-6GudK8ot=D8Fvguyr=kpFuiVWLSPw@mail.gmail.com> <CA+k3eCR4yxwo1yGpjWHxjcs+=b3VAdJDsF-RZDSTTDArgGi3ew@mail.gmail.com> <20190721042841.GX23137@kduck.mit.edu> <CA+k3eCTB9hpmQvEnAHOV11w5tY6gKcedTD6mBXE=DzZk_o=fmA@mail.gmail.com> <CA+k3eCQqdPLcf1rUWnhh14L00PzvcTNwtF8VHTtj_WJac8NhWQ@mail.gmail.com> <CALaySJLCDU3dZQ3hA02tgBTW0NRFsc0RJfb0AHD82aAzxv-jRQ@mail.gmail.com>
In-Reply-To: <CALaySJLCDU3dZQ3hA02tgBTW0NRFsc0RJfb0AHD82aAzxv-jRQ@mail.gmail.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Sun, 21 Jul 2019 13:18:35 -0400
Message-ID: <CAANoGhKE+raDR9J4qu-n3cxmehZd1RdiuD-Mbyk9WtCqYY7aEw@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: Brian Campbell <bcampbell@pingidentity.com>, Benjamin Kaduk <kaduk@mit.edu>, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jm9e3VNWJb513NQfpQiwnD9yEI8>
Subject: Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

Thanks

On Sun, Jul 21, 2019, 12:31 PM Barry Leiba <barryleiba@computer.org> wrote:

> Thanks, Brian!
>
> Barry
>
> On Sun, Jul 21, 2019 at 11:43 AM Brian Campbell
> <bcampbell@pingidentity.com> wrote:
> >
> > https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been published with the updates discussed in this thread.
> >
> > On Sun, Jul 21, 2019 at 6:14 AM Brian Campbell <bcampbell@pingidentity.com> wrote:
> >>
> >> That works for me.
> >>
> >> On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
> >>>
> >>> On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
> >>> > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryleiba@computer.org> wrote:
> >>> >
> >>> > >
> >>> > > >> — Section 1.1 —
> >>> > > >> Given the extensive discussion of impersonation here, what strikes me as
> >>> > > >> missing is pointing out that impersonation here is still controlled, that “A is
> >>> > > >> B” but only to the extent that’s allowed by the token.  First, it might be
> >>> > > >> limited by number of instances (one transaction only), by time of day (only for
> >>> > > >> 10 minutes), and by scope (in regard to B’s address book, but not B’s email).
> >>> > > >> Second, there is accountability: audit information still shows that the token
> >>> > > >> authorized acting as B.  Is that not worth clarifying?
> >>> > > >
> >>> > > > My initial response was going to be "sure, I'll add some bits in sec 1.1
> >>> > > > along those lines to clarify that." However, as I look again at that section
> >>> > > > for good opportunities to make such additions, I feel like it is already
> >>> > > > said that impersonation is controlled.
> >>> > > ...
> >>> > > > So I think it already says that and I'm gonna have to flip it back and
> >>> > > > ask if you have concrete suggestions for changes or additions that would
> >>> > > > say it more clearly or more to your liking?
> >>> > >
> >>> > > It is mentioned, true, and that might be enough.  But given that Eve
> >>> > > also replied that she would like more here, let me suggest something,
> >>> > > the use of which is entirely optional -- take it, don't take it,
> >>> > > modify it, riff on it, ignore it completely, as you think best.  What
> >>> > > do you think about changing the last sentence of the paragraph?: "For
> >>> > > all intents and purposes, when A is impersonating B, A is B within the
> >>> > > rights context authorized by the token, which could be limited in
> >>> > > scope or time, or by a one-time-use restriction."
> >>> > >
> >>> >
> >>> > Sure, I think that or some slight modification thereof can work just fine.
> >>> > I'll do that and get it and the rest of these changes published when the
> >>> > I-D submission embargo is lifted for Montreal.
> >>>
> >>> My brain is apparently storming and not sleeping.  Another option for
> >>> consideration, is to have two sentences:
> >>>
> >>> For all intents and purposes, when A is impersonating B, A is B within the
> >>> rights context authorized by the token.  A's ability to impersonate B could
> >>> be limited in scope or time, or even with a one-time-use restriction,
> >>> whether via the contents of the token or an out-of-band mechanism.
> >>>
> >>> -Ben
> >
> >
>
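The limits discussed in the thread above (scope, validity time, one-time use, and an audit trail showing that the token authorized acting as B) are what a resource server has to enforce for impersonation to remain "controlled". As an added illustration that is not part of this thread and is not code from the draft, here is a small Python checker that applies those limits to a token presented as a dict of claims. The `one_time_use` claim name, the in-memory replay cache, and the sample token are assumptions constructed for the example; signature verification of the token is assumed to have already happened.

```python
# Added example (not from the draft or from anyone in this thread): a
# resource-side check that enforces the limits an impersonation token can
# carry (scope, validity window, one-time use) and records, for audit, that
# the token authorized acting as its subject. Claims other than the standard
# JWT ones (sub, scope, nbf, exp, jti) are assumptions for illustration;
# signature verification is assumed to have been done before this step.
import time


class TokenRejected(Exception):
    """Raised when a presented token does not authorize the requested action."""


class ImpersonationGuard:
    """A is B, but only within the rights context the token authorizes."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so tests can use a fixed time
        self._seen_jti = set()     # replay cache for one-time-use tokens (in-memory, constructed)
        self.audit_log = []        # one record per successful impersonated action

    def authorize(self, token: dict, required_scope: str) -> dict:
        now = self._now()

        # Time limit: the token is only good inside its validity window.
        if token.get("nbf", 0) > now:
            raise TokenRejected("token not yet valid")
        if token.get("exp", 0) <= now:
            raise TokenRejected("token expired")

        # Scope limit: the action must be covered by the granted scope
        # (e.g. B's address book but not B's email).
        granted = set(token.get("scope", "").split())
        if required_scope not in granted:
            raise TokenRejected(f"scope {required_scope!r} not granted")

        # One-time-use limit ("one transaction only"): a jti may be presented
        # once. The 'one_time_use' claim name is an assumption.
        if token.get("one_time_use"):
            jti = token.get("jti")
            if jti is None:
                raise TokenRejected("one-time-use token without jti")
            if jti in self._seen_jti:
                raise TokenRejected("token already used")
            self._seen_jti.add(jti)

        # Accountability: the audit record shows that this token (jti)
        # authorized acting as 'sub' for this scope at this time.
        record = {
            "effective_subject": token["sub"],
            "scope": required_scope,
            "jti": token.get("jti"),
            "at": now,
        }
        self.audit_log.append(record)
        return record


def decide(guard: ImpersonationGuard, token: dict, required_scope: str) -> str:
    """Convenience wrapper: returns 'allowed' or the rejection reason."""
    try:
        guard.authorize(token, required_scope)
        return "allowed"
    except TokenRejected as e:
        return str(e)


# Constructed sample token (not a real token): A impersonating B, address
# book only, valid for 10 minutes from T0, single use.
T0 = 1_563_731_000
SAMPLE_TOKEN = {
    "sub": "B",
    "scope": "contacts.read",
    "nbf": T0,
    "exp": T0 + 600,
    "jti": "constructed-jti-1",
    "one_time_use": True,
}


if __name__ == "__main__":
    guard = ImpersonationGuard(now=lambda: T0 + 60)
    print(decide(guard, SAMPLE_TOKEN, "contacts.read"))   # allowed
    print(decide(guard, SAMPLE_TOKEN, "contacts.read"))   # token already used
    print(decide(guard, SAMPLE_TOKEN, "email.read"))      # scope 'email.read' not granted
    late = ImpersonationGuard(now=lambda: T0 + 601)
    print(decide(late, SAMPLE_TOKEN, "contacts.read"))    # token expired
    print(guard.audit_log)
```

The checks are ordered so that a replayed token is refused even when its scope and time window are still fine, and the audit record is written only on success, so the log answers "which token authorized acting as B, for what, and when" without recording rejected attempts as actions. A production replay cache would need to be shared across instances and expire entries once the token's `exp` has passed.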