[OAUTH-WG] (was Re: IETF 93 OAuth WG Meeting Minutes)

Brian Campbell <bcampbell@pingidentity.com> Fri, 06 November 2015 20:40 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 06 Nov 2015 13:39:43 -0700
Message-ID: <CA+k3eCRV7vwCsu9KMefYxJfEc_vC3RtDSOSg+eBYSVM=w5-r=Q@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/pYT7_8NoA3bTjWVdTVSiBH355xA>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] (was Re: IETF 93 OAuth WG Meeting Minutes)

Adding those security considerations is probably a good idea but it doesn't
actually address the question from my WGLC comments on

The question was about what form an encrypted-only Request Object should
have. There's text in the draft that seems to suggest it must be a JWS with
alg=none nested inside a JWE. But there's also text that suggests a JWE
with JSON Claims directly as the payload is okay. I was asking what the
intent of the spec actually was and that it be clarified in the doc.

On Fri, Nov 6, 2015 at 6:03 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Brian raised a question whether the request object is only
> encrypted.
> This led to a discussion of the difference between encryption and
> integrity protection (using symmetric and asymmetric cryptography). The
> conclusion was reached that the security consideration section needs to
> be updated to explain what properties the different methods for using
> JWS/JWE provide.
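Added illustration, not part of this thread or the draft: a Python sketch of how a server-side consumer could accept both encrypted-only forms discussed above once a JOSE library has decrypted the JWE (the JWE's `cty` header from RFC 7519 section 5.2 tells it whether a nested JWS follows), while recording that neither form says anything about who created the object. The sample claims are constructed, and the JWE decryption step itself is assumed to happen elsewhere and is not shown.

```python
import base64
import json
from typing import Optional, Tuple

# Constructed sample request-object claims; not taken from any real deployment.
SAMPLE_CLAIMS = {"client_id": "s6BhdRkqt3", "response_type": "code",
                 "redirect_uri": "https://client.example.org/cb"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def unsecured_jws(claims: dict) -> str:
    """Form 1: an Unsecured JWS (alg=none, RFC 7515 A.5) meant to be nested in a JWE."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."  # third (signature) part is empty


def classify_compact(token: str) -> str:
    """Outer layer: JWS compact serialization has 3 parts, JWE compact has 5."""
    return {3: "JWS", 5: "JWE"}.get(token.count(".") + 1, "invalid")


def claims_from_decrypted_payload(plaintext: bytes, jwe_cty: Optional[str]) -> Tuple[dict, str]:
    """Interpret the JWE plaintext. Returns (claims, integrity); integrity is "none"
    when only the JWE's confidentiality applies: the encryption key (typically the
    server's public key) is not a secret of the client, so nothing here proves origin."""
    if jwe_cty is not None and jwe_cty.upper() == "JWT":  # nested JWT, RFC 7519 5.2
        header_b64, payload_b64, sig = plaintext.decode("ascii").split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "none":
            raise ValueError("signed nested JWS: verify it with the client's registered key")
        if sig != "":
            raise ValueError("alg=none must carry an empty signature part")
        return json.loads(b64url_decode(payload_b64)), "none"
    return json.loads(plaintext), "none"  # Form 2: JSON claims directly as payload


def outer_layer_acceptable(token: str) -> bool:
    """A bare alg=none JWS at the outer layer has neither property; reject it."""
    kind = classify_compact(token)
    if kind == "JWE":
        return True
    if kind != "JWS":
        return False
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("alg") != "none"
```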