Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)
John Bradley <ve7jtb@ve7jtb.com> Sun, 21 July 2019 17:44 UTC
References: <156348397007.8464.8217832087905511031.idtracker@ietfa.amsl.com> <CA+k3eCQR_yVZJdw0CmPL0qVCA3S0x5gZAr6_BwvDrZDW0NOPWA@mail.gmail.com> <CALaySJJ3chNzsJvWgTpg-6GudK8ot=D8Fvguyr=kpFuiVWLSPw@mail.gmail.com> <CA+k3eCR4yxwo1yGpjWHxjcs+=b3VAdJDsF-RZDSTTDArgGi3ew@mail.gmail.com> <20190721042841.GX23137@kduck.mit.edu> <CA+k3eCTB9hpmQvEnAHOV11w5tY6gKcedTD6mBXE=DzZk_o=fmA@mail.gmail.com> <CA+k3eCQqdPLcf1rUWnhh14L00PzvcTNwtF8VHTtj_WJac8NhWQ@mail.gmail.com> <CALaySJLCDU3dZQ3hA02tgBTW0NRFsc0RJfb0AHD82aAzxv-jRQ@mail.gmail.com>
In-Reply-To: <CALaySJLCDU3dZQ3hA02tgBTW0NRFsc0RJfb0AHD82aAzxv-jRQ@mail.gmail.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Sun, 21 Jul 2019 13:18:35 -0400
Message-ID: <CAANoGhKE+raDR9J4qu-n3cxmehZd1RdiuD-Mbyk9WtCqYY7aEw@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: Brian Campbell <bcampbell@pingidentity.com>, Benjamin Kaduk <kaduk@mit.edu>, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jm9e3VNWJb513NQfpQiwnD9yEI8>
Thanks

On Sun, Jul 21, 2019, 12:31 PM Barry Leiba <barryleiba@computer.org> wrote:

> Thanks, Brian!
>
> Barry
>
> On Sun, Jul 21, 2019 at 11:43 AM Brian Campbell <bcampbell@pingidentity.com> wrote:
> >
> > https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been published with the updates discussed in this thread.
> >
> > On Sun, Jul 21, 2019 at 6:14 AM Brian Campbell <bcampbell@pingidentity.com> wrote:
> >>
> >> That works for me.
> >>
> >> On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
> >>>
> >>> On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
> >>> > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryleiba@computer.org> wrote:
> >>> > >
> >>> > > >> — Section 1.1 —
> >>> > > >> Given the extensive discussion of impersonation here, what strikes me as missing is pointing out that impersonation here is still controlled, that “A is B” but only to the extent that’s allowed by the token. First, it might be limited by number of instances (one transaction only), by time of day (only for 10 minutes), and by scope (in regard to B’s address book, but not B’s email). Second, there is accountability: audit information still shows that the token authorized acting as B. Is that not worth clarifying?
> >>> > > >
> >>> > > > My initial response was going to be "sure, I'll add some bits in sec 1.1 along those lines to clarify that." However, as I look again at that section for good opportunities to make such additions, I feel like it is already said that impersonation is controlled.
> >>> > > ...
> >>> > > > So I think it already says that and I'm gonna have to flip it back and ask if you have concrete suggestions for changes or additions that would say it more clearly or more to your liking?
> >>> > >
> >>> > > It is mentioned, true, and that might be enough. But given that Eve also replied that she would like more here, let me suggest something, the use of which is entirely optional -- take it, don't take it, modify it, riff on it, ignore it completely, as you think best. What do you think about changing the last sentence of the paragraph?: "For all intents and purposes, when A is impersonating B, A is B within the rights context authorized by the token, which could be limited in scope or time, or by a one-time-use restriction."
> >>> >
> >>> > Sure, I think that or some slight modification thereof can work just fine. I'll do that and get it and the rest of these changes published when the I-D submission embargo is lifted for Montreal.
> >>>
> >>> My brain is apparently storming and not sleeping. Another option for consideration is to have two sentences:
> >>>
> >>> For all intents and purposes, when A is impersonating B, A is B within the rights context authorized by the token. A's ability to impersonate B could be limited in scope or time, or even with a one-time-use restriction, whether via the contents of the token or an out-of-band mechanism.
> >>>
> >>> -Ben
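The thread above settles on wording for how impersonation in token exchange stays controlled: A is B only within the rights context the token authorizes (scope, time, one-time use), and the audit trail still shows that a token authorized acting as B. The following is an added illustration of what a resource server enforcing those limits looks like; it is not code from the draft, the working group, or any participant. The token is modelled as a plain claims dict (signature verification is assumed to have already happened), and the claim names `client_id` and `one_time_use` are assumptions chosen for the example, not claims defined by the draft.

```python
"""Constructed resource-server check for an exchanged impersonation token.

The point of the example is the enforcement of the limits discussed in the
thread (audience, time window, scope, one-time use) and the audit record that
names which token, presented by which client, authorized acting as subject B.
"""
import time
from dataclasses import dataclass, field


@dataclass
class AuditLog:
    """Append-only log: one entry per access decision, allow or deny."""
    entries: list = field(default_factory=list)

    def record(self, decision, token, scope, reason=""):
        self.entries.append({
            "decision": decision,
            "acting_as": token.get("sub"),        # the impersonated subject (B)
            "token_id": token.get("jti"),
            "client": token.get("client_id"),     # assumed claim name: the caller (A)
            "scope": scope,
            "reason": reason,
        })


class ResourceServer:
    def __init__(self, audience, audit=None, clock=time.time):
        self.audience = audience
        self.audit = audit if audit is not None else AuditLog()
        self.clock = clock                  # injectable for deterministic tests
        self._used_jtis = set()             # replay cache for one-time-use tokens

    def authorize(self, token, required_scope):
        """Return True only if the token authorizes acting as its subject
        for required_scope right now; every decision is written to the audit log."""
        now = self.clock()
        reason = None
        if token.get("aud") != self.audience:
            reason = "wrong audience"
        elif token.get("exp", 0) <= now:
            reason = "expired"
        elif token.get("nbf", 0) > now:
            reason = "not yet valid"
        elif required_scope not in token.get("scope", "").split():
            reason = f"scope {required_scope} not granted"
        elif token.get("one_time_use") and token.get("jti") in self._used_jtis:
            reason = "one-time-use token replayed"   # assumed claim: one_time_use

        if reason:
            self.audit.record("deny", token, required_scope, reason)
            return False
        if token.get("one_time_use"):
            self._used_jtis.add(token["jti"])
        self.audit.record("allow", token, required_scope)
        return True


def demo():
    """Constructed scenario: client A holds a 10-minute, one-time-use token that
    lets it act as B for B's address book but not B's email."""
    state = {"now": 1_000_000.0}
    rs = ResourceServer("https://contacts.example", clock=lambda: state["now"])
    token = {
        "iss": "https://as.example",
        "sub": "B",
        "aud": "https://contacts.example",
        "client_id": "A",
        "jti": "tok-1",
        "scope": "addressbook:read",
        "exp": state["now"] + 600,
        "one_time_use": True,
    }
    results = [
        rs.authorize(token, "addressbook:read"),   # first use: allowed
        rs.authorize(token, "addressbook:read"),   # second use: replay denied
        rs.authorize(token, "email:read"),         # outside granted scope: denied
    ]
    state["now"] += 601                            # advance past the 10-minute window
    results.append(rs.authorize(token, "addressbook:read"))   # expired: denied
    return results, rs.audit.entries


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print(entry)
```

Every entry in the log, allowed or denied, carries both the impersonated subject and the presenting client, which is the accountability point Barry's comment makes: the token authorized acting as B, and the record says so.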