Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Sun, 21 July 2019 15:43 UTC

References: <156348397007.8464.8217832087905511031.idtracker@ietfa.amsl.com> <CA+k3eCQR_yVZJdw0CmPL0qVCA3S0x5gZAr6_BwvDrZDW0NOPWA@mail.gmail.com> <CALaySJJ3chNzsJvWgTpg-6GudK8ot=D8Fvguyr=kpFuiVWLSPw@mail.gmail.com> <CA+k3eCR4yxwo1yGpjWHxjcs+=b3VAdJDsF-RZDSTTDArgGi3ew@mail.gmail.com> <20190721042841.GX23137@kduck.mit.edu> <CA+k3eCTB9hpmQvEnAHOV11w5tY6gKcedTD6mBXE=DzZk_o=fmA@mail.gmail.com>
In-Reply-To: <CA+k3eCTB9hpmQvEnAHOV11w5tY6gKcedTD6mBXE=DzZk_o=fmA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 21 Jul 2019 09:43:19 -0600
Message-ID: <CA+k3eCQqdPLcf1rUWnhh14L00PzvcTNwtF8VHTtj_WJac8NhWQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Barry Leiba <barryleiba@computer.org>, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m9C-NF1P97cMdVb2aZC6u0SuZKI>

https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been
published with the updates discussed in this thread.

On Sun, Jul 21, 2019 at 6:14 AM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> That works for me.
>
> On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
>> On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
>> > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryleiba@computer.org>
>> wrote:
>> >
>> > >
>> > > >> — Section 1.1 —
>> > > >> Given the extensive discussion of impersonation here, what strikes
>> me as
>> > > >> missing is pointing out that impersonation here is still
>> controlled,
>> > > that “A is
>> > > >> B” but only to the extent that’s allowed by the token.  First, it
>> might
>> > > be
>> > > >> limited by number of instances (one transaction only), by time of
>> day
>> > > (only for
>> > > >> 10 minutes), and by scope (in regard to B’s address book, but not
>> B’s
>> > > email).
>> > > >> Second, there is accountability: audit information still shows
>> that the
>> > > token
>> > > >> authorized acting as B.  Is that not worth clarifying?
>> > > >
>> > > > My initial response was going to be "sure, I'll add some bits in
>> sec 1.1
>> > > along those lines to clarify
>> > > > that." However, as I look again at that section for good
>> opportunities
>> > > to make such additions, I feel
>> > > > like it is already said that impersonation is controlled.
>> > > ...
>> > > > So I think it already says that and I'm gonna have to flip it back
>> and
>> > > ask if you have concrete
>> > > > suggestions for changes or additions that would say it more clearly
>> or
>> > > more to your liking?
>> > >
>> > > It is mentioned, true, and that might be enough.  But given that Eve
>> > > also replied that she would like more here, let me suggest something,
>> > > the use of which is entirely optional -- take it, don't take it,
>> > > modify it, riff on it, ignore it completely, as you think best.  What
>> > > do you think about changing the last sentence of the paragraph?: "For
>> > > all intents and purposes, when A is impersonating B, A is B within the
>> > > rights context authorized by the token, which could be limited in
>> > > scope or time, or by a one-time-use restriction."
>> > >
>> >
>> > Sure, I think that or some slight modification thereof can work just
>> fine.
>> > I'll do that and get it and the rest of these changes published when the
>> > I-D submission embargo is lifted for Montreal.
>>
>> My brain is apparently storming and not sleeping.  Another option for
>> consideration, is to have two sentences:
>>
>> For all intents and purposes, when A is impersonating B, A is B within the
>> rights context authorized by the token.  A's ability to impersonate B
>> could
>> be limited in scope or time, or even with a one-time-use restriction,
>> whether via the contents of the token or an out-of-band mechanism.
>>
>> -Ben
>>
>

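The sentence Ben proposes above says that A, when impersonating B, is B only within the rights context the token authorizes, and that the impersonation can be bounded in scope, in time, or to a single use. The following is an added illustration of what a resource server has to do to make those bounds real; it is not code from this thread or from the token-exchange draft. Assumed details that the page does not specify: tokens are HS256 JWTs signed with a shared demo key, `scope` is a space-separated string, a `jti` is treated by this server's own policy as a one-time-use marker, and delegation is expressed with the nested `act` claim the draft defines (an impersonation token carries no `act`).

```python
"""Resource-server checks for an exchanged token: audience, lifetime, scope,
one-time use, plus an audit record of who acted.  Added illustration, not the
thread's or the draft's code.  Assumptions: HS256 with a shared demo key,
space-separated `scope`, `jti` as a one-time-use marker, nested `act` claims."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-key"  # assumed demo key only, never a real deployment value

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Stand-in for the AS: issue an HS256 JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = SECRET) -> dict:
    """Check structure, pinned alg and MAC before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuses alg=none and key confusion
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def actor_chain(claims: dict) -> list:
    """Flatten nested `act` claims, outermost actor first.
    An impersonation token carries no `act`, so the chain is empty."""
    chain, act = [], claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain

class ResourceServer:
    """A is B only within the rights context the token authorizes."""

    def __init__(self, audience: str, key: bytes = SECRET, clock=time.time):
        self.audience, self.key, self.clock = audience, key, clock
        self.used_jti = set()  # replay store; shared and persistent in production

    def authorize(self, token: str, required_scope: str) -> dict:
        claims = verify_jwt(token, self.key)
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise PermissionError("wrong audience")
        if self.clock() >= claims.get("exp", 0):  # time limit
            raise PermissionError("token expired")
        granted = set(claims.get("scope", "").split())  # scope limit
        if required_scope not in granted:
            raise PermissionError(f"scope {required_scope!r} not granted")
        jti = claims.get("jti")
        if jti is not None:  # this example's policy: a jti means one use only
            if jti in self.used_jti:
                raise PermissionError("token already used")
            self.used_jti.add(jti)
        # Audit record: effective subject plus the actor chain, if any.
        return {"sub": claims["sub"], "actors": actor_chain(claims),
                "scope": sorted(granted), "jti": jti}

def demo(now: float = 1_700_000_000.0) -> dict:
    """Run impersonation, delegation, replay, wrong-scope and expired tokens
    (all constructed here) through one server and collect the outcomes."""
    rs = ResourceServer("https://contacts.example", clock=lambda: now)
    base = {"iss": "https://as.example", "sub": "B",
            "aud": "https://contacts.example", "scope": "addressbook.read"}
    impersonation = mint_jwt({**base, "exp": now + 600, "jti": "tx-1"})
    delegation = mint_jwt({**base, "exp": now + 600, "jti": "tx-2", "act": {"sub": "A"}})
    expired = mint_jwt({**base, "exp": now - 1, "jti": "tx-3"})
    out = {"impersonation": rs.authorize(impersonation, "addressbook.read"),
           "delegation": rs.authorize(delegation, "addressbook.read")}
    for name, tok, scope in (("replay", impersonation, "addressbook.read"),
                             ("wrong_scope", delegation, "email.read"),
                             ("expired", expired, "addressbook.read")):
        try:
            rs.authorize(tok, scope)
            out[name] = "allowed"
        except PermissionError as err:
            out[name] = str(err)
    return out
```

Running `demo()` shows the two halves of the proposed wording: the impersonation token authorizes B's address book for ten minutes and once only, so a second presentation is refused, a request for email scope is refused, and an expired token is refused; the delegation token yields the same rights but its audit record names A in the actor chain, which is the accountability distinction the thread circles around.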