Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 070A11A3BA6 for ; Tue, 2 Dec 2014 14:14:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.099 X-Spam-Level: X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URI_NOVOWEL=0.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kOFPYtJ4iA3O for ; Tue, 2 Dec 2014 14:13:56 -0800 (PST) Received: from mail-wg0-f48.google.com (mail-wg0-f48.google.com [74.125.82.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F0191A1BFE for ; Tue, 2 Dec 2014 14:13:56 -0800 (PST) Received: by mail-wg0-f48.google.com with SMTP id y19so18300483wgg.35 for ; Tue, 02 Dec 2014 14:13:55 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=ma2pTn/iRGzyV0hSSWzy7AU8vmki+d59e0xGZtaj+CE=; b=aHbGb5XZibAoYFdUHvKJcsQ2ki6NgT5k23J/Kt+K0mnsrF+3YKndUcYqflyx7AQvPx J2zwH+r9VwLZP1OK9/q5Lma+2N0m4+KQ2Sz3fLsH5wjTIfx5fyJAubqvrxx3UO3H8h8B 4E3zXNUympQ+1g0T7ZiHPlYxodwNs+UwlrM1vqAt4DdTN9ieJli9Izw4GDULaY1Fza/4 FHNZRoyufRUE0QvR+WNmCgUc3KlRLoVJukYCgxo38Huhl5RPfoya4zMDSJ5agrMjCg4x s2OJKz3brexc05/wXuh+A3RD8Ox3dq+dzrlmYXJtdjPuh0z/+zP87mT1lyZWDNE/UfgT 7f3w== X-Gm-Message-State: ALoCoQnpCE+Wz/T/g9nkAQFlCpqiKgexBkqP4CB8RW9/ihzM5swDBVH3IqeN46S+PLPaEhharbV1 X-Received: by 10.180.73.101 with SMTP id k5mr17431778wiv.43.1417558435001; Tue, 02 Dec 2014 14:13:55 -0800 (PST) Received: from [10.46.7.166] (188.29.165.81.threembb.co.uk. [188.29.165.81]) by mx.google.com with ESMTPSA id ec2sm34487305wib.23.2014.12.02.14.13.51 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 02 Dec 2014 14:13:53 -0800 (PST) Content-Type: multipart/alternative; boundary=Apple-Mail-E0357C18-8E5F-4C99-83FB-BA8E3C4BB896 Mime-Version: 1.0 (1.0) From: John Bradley X-Mailer: iPhone Mail (12B436) In-Reply-To: Date: Tue, 2 Dec 2014 22:13:49 +0000 Content-Transfer-Encoding: 7bit Message-Id: References: <46D29E35-5A69-4687-BC44-45462DEA8D47@mitre.org> <580238515.3962316.1417548302668.JavaMail.yahoo@jws10646.mail.bf1.yahoo.com> To: Eve Maler Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/m4-y0mfgp9BMW2wzZjgn3QZoK7w Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2014 22:14:00 -0000 --Apple-Mail-E0357C18-8E5F-4C99-83FB-BA8E3C4BB896 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Yes, but unless there is something new the introspection endpoint in UMA is= tied to the resource. =20 In some cases having the token indicate the introspection endpoint may be us= eful.=20 John B.=20 Sent from my iPhone > On Dec 2, 2014, at 10:02 PM, Eve Maler wrote: >=20 > FWIW, UMA goes ahead and standardizes a good deal about the trust establis= hment between the RS and the AS, and (of course) profiles and wraps the toke= n introspection spec as part of the resulting =E2=80=9Cauthorization API=E2=80= =9D that the AS presents to the RS. A big part of the motivation for this is= to support an n:n relationship between AS and RS entities. >=20 > EVe >=20 >> On 2 Dec 2014, at 12:14 PM, John Bradley wrote: >>=20 >> Many of the proprietary introspection protocols in use return scope, role= or other meta data for the RS to make its access policy decision on. >> One of the reasons for using opaque tokens rather than JWT is to prevent l= eakage of that info. >>=20 >> Making authentication to the introspection endpoint a MUST if additional a= ttributes are present is OK, I might even be inclined to say that authentic= ation of some sort is always required, but that might be going a bit far for= some use cases. >>=20 >> We have a lot of proprietary ways to do this from IBM, Layer 7, Ping etc.= It would be nice if we could standardize it. Precluding other attributes= would not be helpful for adoption. >>=20 >>=20 >> One issue that we haven=E2=80=99t addressed in this spec is what happens i= f there are multiple AS for the RS and how it would decide what introspectio= n endpoint to use. >> Perhaps that needs to be a extension, leaving this for the simple case. >>=20 >> However having more than on e AS per RS is not as unusual as it once was i= n larger environments. >>=20 >> John B. >>=20 >>=20 >>> On Dec 2, 2014, at 4:56 PM, Richer, Justin P. wrote:= >>>=20 >>> Agreed, which is why we've got space for the "sub" and "user_id" fields b= ut not anything else about the user, and we've got a privacy considerations s= ection for dealing with that. If you can help make the wording on that secti= on stronger, I'd appreciate it. >>>=20 >>> -- Justin >>>=20 >>>> On Dec 2, 2014, at 2:25 PM, Bill Mills wrote: >>>>=20 >>>> If introspection returns any other user data beyond what is strictly re= quired to validate the token based solely on possession of the public part i= t would be a mistake. >>>>=20 >>>>=20 >>>> On Tuesday, December 2, 2014 11:13 AM, "Richer, Justin P." wrote: >>>>=20 >>>>=20 >>>> That's all fine -- it's all going over TLS anyway (RS->AS) just like th= e original token fetch by the client (C->AS). Doesn't mean you need TLS *int= o* the RS (C->RS) with a good PoP token.=20 >>>>=20 >>>> Can you explain how this is related to "act on behalf of"? I don't see a= ny connection. >>>>=20 >>>> -- Justin >>>>=20 >>>>> On Dec 2, 2014, at 2:09 PM, Bill Mills wrote:= >>>>>=20 >>>>> Fetching the public key for a token might be fine, but what if the int= rospection endpoint returns the symmetric key? Data about the user? Where d= oes this blur the line between this and "act on behalf of"? >>>>>=20 >>>>>=20 >>>>> On Tuesday, December 2, 2014 11:05 AM, "Richer, Justin P." wrote: >>>>>=20 >>>>>=20 >>>>> The call to introspection has a TLS requirement, but the call to the R= S wouldn't necessarily have that requirement. The signature and the token id= entifier are two different things. The identifier doesn't do an attacker any= good on its own without the verifiable signature that's associated with it a= nd the request. What I'm saying is that you introspect the identifier and ge= t back something that lets you, the RS, check the signature. >>>>>=20 >>>>> -- Justin >>>>>=20 >>>>>> On Dec 2, 2014, at 1:40 PM, Bill Mills wrote= : >>>>>>=20 >>>>>> "However, I think it's very clear how PoP tokens would work. ..." >>>>>>=20 >>>>>> I don't know if that's true. POP tokens (as yet to be fully defined)= would then also have a TLS or transport security requirement unless there i= s token introspection client auth in play I think. Otherwise I can as an at= tacker take that toklen and get info about it that might be useful, and I do= n't think that's what we want. >>>>>>=20 >>>>>> -bill >>>=20 >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 > Eve Maler http://www.xmlgrrl.com/blog > +1 425 345 6756 http://www.twitter.com/xmlgrrl >=20 --Apple-Mail-E0357C18-8E5F-4C99-83FB-BA8E3C4BB896 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
Yes,  but unless there is somethi= ng new the introspection endpoint in UMA is tied to the resource.  &nbs= p;

In some cases having the token indicate the intr= ospection endpoint may be useful. 

John B.&nbs= p;

Sent from my iPhone

On Dec 2, 2014, at 10:02 PM, Eve= Maler <eve@xmlgrrl.com> wrote:=

FWIW, UMA goes ahea= d and standardizes a good deal about the trust establishment between the RS a= nd the AS, and (of course) profiles and wraps the token introspection spec a= s part of the resulting =E2=80=9Cauthorization API=E2=80=9D that the AS pres= ents to the RS. A big part of the motivation for this is to support an n:n r= elationship between AS and RS entities.

=
EVe

On 2 Dec 2014, at 12:14 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
=
Many of the proprietary introspection protocols in u= se return scope, role or other meta data for the RS to make its access polic= y decision on.
One of the reasons for using opaque tokens rat= her than JWT is to prevent leakage of that info.

Making authentication to the introspection en= dpoint a MUST if additional attributes are present is OK,  I might even= be inclined to say that authentication of some sort is always required, but= that might be going a bit far for some use cases.

We have a lot of proprietary ways to do this= from IBM, Layer 7, Ping etc.  It would be nice if we could standardize= it.   Precluding other attributes would not be helpful for adoption.


One issue that we haven=E2=80=99t addressed in this spec i= s what happens if there are multiple AS for the RS and how it would decide w= hat introspection endpoint to use.
Perhaps that needs t= o be a extension, leaving this for the simple case.
However having more than on e AS per RS is= not as unusual as it once was in larger environments.
=
John B.


On Dec 2, 2014, at 4:56 PM, Richer, Justin P= . <jricher@mitre.org&= gt; wrote:

Agreed, which is why we've got space for the "sub" and "user_id" fields but n= ot anything else about the user, and we've got a privacy considerations sect= ion for dealing with that. If you can help make the wording on that section s= tronger, I'd appreciate it.

 -- Justin

On Dec 2, 2014, at 2:25 PM, Bill Mills <wmills_92105@yahoo.com> wrote:
If introspection returns a= ny other user data beyond what is strictly required to validate the token ba= sed solely on possession of the public part it would be a mistake.


On Tu= esday, December 2, 2014 11:13 AM, "Richer, Justin P." <jricher@mitre.org> wrote:


That's all fine -- it's all going over T= LS anyway (RS->AS) just like the original token fetch by the client (C-&g= t;AS). Doesn't mean you need TLS *into* the RS (C->RS) with a good PoP to= ken. 

Can you explain how this is related to "act on behalf of"? I= don't see any connection.

 -- Justin

On Dec 2, 2014, at 2:09 PM, Bill Mills <wmills_92105@yahoo.com> wrote:

Fetching the public key for a token might be fine, but what if the introspe= ction endpoint returns the symmetric key?  Data about the user?  Where does this blur the line between this and "act on behalf o= f"?




The ca= ll to introspection has a TLS requirement, but the call to the RS wouldn't n= ecessarily have that requirement. The signature and the token identifier are= two different things. The identifier doesn't do an attacker any good on its own without the verifiable signature that's a= ssociated with it and the request. What I'm saying is that you introspect th= e identifier and get back something that lets you, the RS, check the signatu= re.

 = -- Justin

On Dec= 2, 2014, at 1:40 PM, Bill Mills <wmills_92105@yahoo.com> wrote:

"However, I t= hink it's very clear how PoP tokens would work. ..."

I don't know if that's true.  POP tokens (as yet to be fully defined) w= ould then also have a TLS or transport security requirement unless there is t= oken introspection client auth in play I think.  Otherwise I can as an a= ttacker take that toklen and get info about it that might be useful, and I don't think that's what we want.
=

-bill








_______________________________________________
OAuth mailing l= ist
OAuth@ietf.or= g
https://www.ietf.org/mailman/listinfo/oauth

____________________________= ___________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/l= istinfo/oauth


Eve Maler  =                      = ;          http://www.xmlgrrl.com/blog
+1 425 345 6756 &nbs= p;                     &nb= sp; http://www.tw= itter.com/xmlgrrl

= --Apple-Mail-E0357C18-8E5F-4C99-83FB-BA8E3C4BB896--