[OAUTH-WG] (was Re: IETF 93 OAuth WG Meeting Minutes)

Brian Campbell <bcampbell@pingidentity.com> Fri, 06 November 2015 20:40 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67DE61B3047 for <oauth@ietfa.amsl.com>; Fri, 6 Nov 2015 12:40:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.778
X-Spam-Level:
X-Spam-Status: No, score=-0.778 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oHy9omnKnnZ1 for <oauth@ietfa.amsl.com>; Fri, 6 Nov 2015 12:40:14 -0800 (PST)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B94C1B3046 for <oauth@ietf.org>; Fri, 6 Nov 2015 12:40:14 -0800 (PST)
Received: by iodd200 with SMTP id d200so134184295iod.0 for <oauth@ietf.org>; Fri, 06 Nov 2015 12:40:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:from:date:message-id:subject:to:cc:content-type; bh=nGk7tFKs4kdxeN4xAvrgBTskCUtHGILF1WfIg34zhdI=; b=gkjfDMwErhOlKz4pLx/yxF2Vc0t5mwGzzqxHfgFDUjLbSjW3V1qQYIFR3pcbOCsKed LspsvnVxSZ18rAFcDk0KM7FdaRahYox9iWgYF2ic6j5NRTlvB+Q+jSn20H0Opu1AJRlL 4Vyi2srkgD5F5dIWBOz9u/PVq/xcXqATH+d64=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=nGk7tFKs4kdxeN4xAvrgBTskCUtHGILF1WfIg34zhdI=; b=JaupRTPrEl0QdXjGQNnlbm6Z+eD+o67tTVmgVwbrYD0RHRIaTRWp+x8LwdGkKMBEYl Zmbq+QuUWo8OsPa86atXqdWdmv+iC/sgH7JFJei0BIRlZu/rW4LWW9u5B6ekSJn8L9b6 G41BIuuq95H5HieZXxkkIgxe9WiYgQ9rgpKvaehTxR8gPFcf8rY+vOu/vn4pvODRgWax kpCbrkkjecbjwSc//tq9FsHDuBBVGKkl0p4XVFwG/Oh1Z9kwHEY4mvIprOEfE3JTCabR hlUkMaJ4yujkfN3aiOB7Jb6kFb999LIXY3oGdpTGzYVhcyizhBFIWPhDgITisqEuPCwY GU0A==
X-Gm-Message-State: ALoCoQkovLVl+rEXr9TYQaol4NRk5iR57ywehOxzWY0/TBp7h3rQeuxHslv95RsyvvKssP5ItMPZ
X-Received: by 10.107.7.24 with SMTP id 24mr12751177ioh.48.1446842413193; Fri, 06 Nov 2015 12:40:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.117.132 with HTTP; Fri, 6 Nov 2015 12:39:43 -0800 (PST)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 6 Nov 2015 13:39:43 -0700
Message-ID: <CA+k3eCRV7vwCsu9KMefYxJfEc_vC3RtDSOSg+eBYSVM=w5-r=Q@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=001a113f8b8215b9ab0523e54025
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/pYT7_8NoA3bTjWVdTVSiBH355xA>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] (was Re: IETF 93 OAuth WG Meeting Minutes)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Nov 2015 20:40:15 -0000

Adding those security considerations is probably a good idea but it doesn't
actually address the question from my WGLC comments on
draft-ietf-oauth-jwsreq-06
<http://www.ietf.org/mail-archive/web/oauth/current/msg15072.html>.

The question was about what from an encrypted only Request Object should
have. There's text in the draft that seems to suggest it must be a JWS with
alg=none nested inside a JWE. But there's also text that suggests a JWE
with JSON Claims directly as the payload is okay. I was asking what the
intent of the spec actually was and that it be clarified in the doc.

On Fri, Nov 6, 2015 at 6:03 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net
> wrote:

>
>         Brian raised a question whether the request object is only
> encrypted.
> This lead to a discussion of the difference between encryption and
> integrity protection (using symmetric and asymmetric cryptography). The
> conclusion was reached that the security consideration section needs to
> be updated to explain what properties the different methods for using
> JWS/JWE provide.
>
>