IETF Logo Mail Archive

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

John Bradley <ve7jtb@ve7jtb.com> Fri, 17 October 2014 18:26 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39ABF1A19F2 for <oauth@ietfa.amsl.com>; Fri, 17 Oct 2014 11:26:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CyHMN96gm8dt for <oauth@ietfa.amsl.com>; Fri, 17 Oct 2014 11:26:32 -0700 (PDT)
Received: from mail-qc0-f171.google.com (mail-qc0-f171.google.com [209.85.216.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24CC21A19F5 for <oauth@ietf.org>; Fri, 17 Oct 2014 11:26:29 -0700 (PDT)
Received: by mail-qc0-f171.google.com with SMTP id i17so1057335qcy.30 for <oauth@ietf.org>; Fri, 17 Oct 2014 11:26:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=yVvEI+OP69ZhVhaLipVnh25E/3UCz3zbacxdPPJ8Ipc=; b=j1d7lgknPsztiOYJ/2wbDe6ySZPgvd1LoO6+kai0tVKigdo1sv5K2IrI92rkdN1af9 PaVVMkhUHhx2JlsK/eF88eUVmSji1vkdq03T7oR3RJuJAJZUdZmQg7i/hAlFOmR9VRaY F9iBfypLhXr5LFuYEUvo1hR/AiHHBZQbztFJr19PQheolTaUnPS7mOHqNrxt9HVhMn7a OWvOOagVN1xrpt9E9lcvh9t3D2nNrPAhC35Mb8BJOdNyRe0HzuFfZHSGwCAOFwbLOmH8 wHaQ8lUfoQPJRsXrop9binNuPdwjiamDBpdJgFLEk9bmewubTbSQ9SkI97sVNDXo9Okm RHww==
X-Gm-Message-State: ALoCoQmHn/Tuarreqfue2bXw+wdQq7I8yDxmAAZFmhRQ/M/ul0D4gtQJjUFcGblCHSOLTwg92iuh
X-Received: by 10.224.36.200 with SMTP id u8mr14131393qad.47.1413570388252; Fri, 17 Oct 2014 11:26:28 -0700 (PDT)
Received: from [192.168.8.100] ([201.188.100.219]) by mx.google.com with ESMTPSA id 11sm1486928qgp.2.2014.10.17.11.26.25 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 17 Oct 2014 11:26:27 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_F3D98E0A-CF7C-4C65-83E9-5F5975CE2010"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CA+k3eCQWo7FxTcjO7qQLmB6Qi6y0LKGO_iUvPjsz0dV2LX6uog@mail.gmail.com>
Date: Fri, 17 Oct 2014 15:26:23 -0300
Message-Id: <D0B804BB-53F3-4F33-BDD5-F119D1018FEA@ve7jtb.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <CA+k3eCQKxWri1kjjig90AhrsQ=D0H=CLfKGuSa513sKDar52Rw@mail.gmail.com> <A9B4CF00-6D06-4FE1-83EE-CC0D141C9AD3@oracle.com> <CAL02cgQO1nuozW-F6riDgo4QFkp3Gv89SSWzJcbO-0eayyGufg@mail.gmail.com> <28A05FEA-9EEA-4E95-9B9F-587120A74BAA@ve7jtb.com> <CA+k3eCS=TRmfR2to2wfJsQrkyRd3gGEPJ-x7ao4dLcN-V7ctiA@mail.gmail.com> <19E82AEC-A5DA-41E9-9370-3FF16264DEAE@ve7jtb.com> <F47576F0-9B71-4CDE-88BB-487993A2E661@oracle.com> <4E1F6AAD24975D4BA5B16804296739439BB16289@TK5EX14MBXC286.redmond.corp.microsoft.com> <54415122.9030902@qti.qualcomm.com> <3E356AAD-8B64-42DF-8DAF-054DDFC58A30@ve7jtb.com> <CAL02cgTQvAonog5+TX8RDqjipbLMCfxRopuiCd0p8kyqJJrMvg@mail.gmail.com> <CA+k3eCQWo7FxTcjO7qQLmB6Qi6y0LKGO_iUvPjsz0dV2LX6uog@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/lyuYbyGISq5JQ37jRf-bK83kUfI
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, Richard Barnes <rlb@ipv.sx>, Pete Resnick <presnick@qti.qualcomm.com>, oauth <oauth@ietf.org>, The IESG <iesg@ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 18:26:39 -0000

+1
On Oct 17, 2014, at 3:23 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> That text works for me, Richard. Thanks. 
> 
> I will go with Richard's text in the next draft, unless I hear objections.
> 
> 
> FWIW, the mention of HoK was a result of a review and suggestions from Hannes some time ago.
> 
> http://www.ietf.org/mail-archive/web/oauth/current/msg09437.html 
> https://tools.ietf.org/rfcdiff?url2=draft-ietf-oauth-assertions-04.txt
> 
> It could be removed, to your point, but I think your proposed text is very clear about the scope and might help prevent confusion.
> 
> 
> On Fri, Oct 17, 2014 at 12:04 PM, Richard Barnes <rlb@ipv.sx> wrote:
> On Fri, Oct 17, 2014 at 10:32 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> I think this part of sec 3 of assertions states that:
> 
>  The protocol parameters and processing rules defined in this document
>    are intended to support a client presenting a bearer assertion to an
>    authorization server.  The use of holder-of-key assertions are not
>    precluded by this document, but additional protocol details would
>    need to be specified.
> 
> 
> As part of defining the additional protocol details for holder-of-key/PoP we can relax the must for audience in the profile that defines how to use those assertion types.
> 
> I think we're on a path to convergence here.
> 
> Given all this, is there any point to even mentioning HoK credentials here?  The entire remainder of the spec is written as if they didn't exist.  And as the text above notes, you can't actually use them with this specification.
> 
> If we're going to keep the mention, could we augment the text above to make it clearer that HoK assertions are out of scope.
> 
> """
> The protocol parameters and processing rules defined in this document
> are intended to support a client presenting a bearer assertion to an
> authorization server.  They are not suitable for use with holder-of-key
> assertions.  While they could be used as a baseline for a holder-of-key
> assertion system, there would be a need for additional mechanisms
> (to support proof of possession of the secret key), and possibly changes
> to the security model (e.g., to relax the requirement for an Audience).
> """
> 
> --Richard
> 
> 
>  
> 
> John B.
> 
> On Oct 17, 2014, at 2:25 PM, Pete Resnick <presnick@qti.qualcomm.com> wrote:
> 
>> On 10/17/14 12:09 PM, Mike Jones wrote:
>>> 
>>> This is the standard mitigation for a known set of actual attacks.  We shouldn’t even consider making it optional.
>>> 
>>> 
>> 
>> Do you mean you shouldn't consider making it optional for HoK? Again, making it clear that the MUST applies only to bearer assertions, and that future extensions for HoK might have different requirements, is all that is being asked for here.
>> 
>> pr
>> -- 
>> Pete Resnick <http://www.qualcomm.com/~presnick/>
>> Qualcomm Technologies, Inc. - +1 (858)651-4478
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
>

v2.23.0 | Report a Bug | By Email