Re: [OAUTH-WG] Robert Wilton's Discuss on draft-ietf-oauth-jwt-introspection-response-10: (with DISCUSS)

Vladimir Dzhuvinov <vladimir@connect2id.com> Wed, 12 May 2021 11:18 UTC

To: Roman Danyliw <rdd@cert.org>, Robert Wilton <rwilton@cisco.com>, The IESG <iesg@ietf.org>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-jwt-introspection-response@ietf.org" <draft-ietf-oauth-jwt-introspection-response@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
References: <161243759330.21901.3347578006693687311@ietfa.amsl.com> <212be5c70c6542a5ac7efeea3a5b392e@cert.org>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <3cc9c85e-3501-f04f-48fe-dc338092b2b9@connect2id.com>
Date: Wed, 12 May 2021 14:15:37 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mmHjScPXwTPwUGPCohBWURYl45g>

Hi all,


In preparation for a new v11 of the draft the language regarding the 
adherence to privacy regulations was updated along the lines of Roman's 
suggestion (thanks for that!):


"""

The token introspection response can be used to transfer personal 
identifiable information (PII) from the AS to the RS. The AS MUST 
conform to legal and jurisdictional constraints for the data transfer 
before any data is released to a particular RS. The details and 
determining of these constraints varies by jurisdiction and is outside 
the scope of this document.

"""


The diff for this edit is here:

https://github.com/oauthstuff/draft-ietf-oauth-jwt-introspection-response/commit/48911a1afff9f3120773a157c4e14cbf3aa9f3de#diff-c4d976e7848e055731f69102bf2d6e4e7cf7d997efc1f202eb3b940d44746274


The current doc:

https://github.com/oauthstuff/draft-ietf-oauth-jwt-introspection-response/blob/master/draft-ietf-oauth-jwt-introspection-response.xml


Vladimir

Vladimir Dzhuvinov

On 04/02/2021 16:40, Roman Danyliw wrote:
> Hi! Rob!
>
>> -----Original Message-----
>> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Robert Wilton via
>> Datatracker
>> Sent: Thursday, February 4, 2021 6:20 AM
>> To: The IESG <iesg@ietf.org>
>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-jwt-introspection-
>> response@ietf.org; oauth@ietf.org
>> Subject: [OAUTH-WG] Robert Wilton's Discuss on draft-ietf-oauth-jwt-
>> introspection-response-10: (with DISCUSS)
>>
>> Robert Wilton has entered the following ballot position for
>> draft-ietf-oauth-jwt-introspection-response-10: Discuss
>>
>> When responding, please keep the subject line intact and reply to all email
>> addresses included in the To and CC lines. (Feel free to cut this introductory
>> paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> Hi,
>>
>> Thank you for this document.
>>
>> I have a couple of process related questions regarding the legal aspects
>> considered in chapter 9 on privacy that I would like to discuss with the other
>> ADs on the telechat (hence raising it as a Discuss).
>>
>> My two questions are:
>>
>> (1) Is it appropriate for an RFC to specify requirements relating to legal
>> issues and laws?  Note, I think that the guidance that it provides is really
>> helpful and should be included in the document, but I'm a bit concerned as to
>> whether a standards track RFC should be stating formal
>> requirements/constraints related to enforcing legal requirements rather than
>> providing non-normative guidance.
>>
>> (2) Related to the first question, if the IESG believes that providing
>> such requirements is okay, a further question is whether using RFC 2119
>> language is appropriate, or whether this should use regular English?
>>
>> An example from section 9:
>>
>>     The AS MUST ensure a
>>     legal basis exists for the data transfer before any data is released
>>     to a particular RS.  The way the legal basis is established might
>>     vary among jurisdictions and MUST consider the legal entities
>>     involved.
> I can see your point.  I believe this language is here to make a very strong statement on the need for operational policies that conform to the variety of privacy laws which often govern some of this data.
>
> I'll let the authors/co-chairs comment.  To start the discussion, let me propose rough text that dilutes the legal mandate a bit but tries to keep the spirit of the intent.
>
> NEW
> The AS MUST conform to jurisdictional constraints for the data transfer before any data is released to a particular RS.  These constraints will vary by jurisdictions; and their details and determining which apply to this release to RSs is outside the scope of this document.
>
> Regards,
> Roman
>
>