Re: [OAUTH-WG] WGLC on Assertion Drafts

Brian Campbell <bcampbell@pingidentity.com> Mon, 23 April 2012 12:36 UTC

In-Reply-To: <5710F82C0E73B04FA559560098BF95B1250E8BAD72@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <5710F82C0E73B04FA559560098BF95B1250DE5716F@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <CBADAE5A.2A162%cmortimore@salesforce.com> <5710F82C0E73B04FA559560098BF95B1250E8BAD72@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 23 Apr 2012 06:35:36 -0600
Message-ID: <CA+k3eCQBc7nKo26N+4ETsQkAxbuk1iZMzXthOWv8bueTrHbj3g@mail.gmail.com>
To: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on Assertion Drafts

Just a note (to myself as much as anything) that that same text is also in
§6.2, §6.3 & §6.4 and should be updated for all occurrences.

On Fri, Apr 13, 2012 at 12:55 PM, Zeltsan, Zachary (Zachary) <
zachary.zeltsan@alcatel-lucent.com> wrote:

> Chuck,
>
> The intent is clear. Perhaps the following change would clarify the text:
>
> Old: The Authorization Server MUST validate the assertion in order
> to establish a mapping between the Issuer and the secret used to generate
> the assertion.
>
> New: The Authorization Server MUST validate the assertion's signature in
> order to verify the Issuer of the assertion.
>
> Zachary
>
>
> *From:* Chuck Mortimore [mailto:cmortimore@salesforce.com]
> *Sent:* Friday, April 13, 2012 1:20 PM
> *To:* Zeltsan, Zachary (Zachary); Tschofenig, Hannes (NSN - FI/Espoo);
> oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] WGLC on Assertion Drafts
>
>
> Hi Zachary – sorry about the delay in responding.
>
> Perhaps the language is a bit confusing – let me explain the intent and
> see if it makes sense and if you have a recommendation on how it could be
> made clearer.
>
> All this is really saying is that the Authorization server must validate
> the signature to make sure the Issuer is who they say they are.   The
> authorization server would use the Issuer as its mechanism for looking up
> either the shared secret for an HS256 or the public key for RS256.   It
> then checks the signature, and proves to itself that the generator of the
> assertion had possession of the expected keying material and identified
> itself as the issuer.
>
> Feedback welcome
>
> -cmort
>
> On 4/5/12 1:33 PM, "Zeltsan, Zachary (Zachary)" <
> zachary.zeltsan@alcatel-lucent.com> wrote:
>
> Hello,
>
> The draft http://tools.ietf.org/html/draft-ietf-oauth-assertions-01,
> section 6.1 has the following requirement:
>
> The Authorization Server MUST validate the assertion in order to
> establish a mapping between the Issuer and the secret used to
> generate the assertion.
>
> I thought that checking a signature is a part of the assertion validation,
> which cannot be done without knowing the mapping between the issuer and the
> secret used to generate the assertion.
> It appears that the quoted text requires validation of the assertion prior
> to checking the signature.
> What am I missing?
>
> Zachary
>
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org]
> *On Behalf Of *Tschofenig, Hannes (NSN - FI/Espoo)
> *Sent:* Thursday, April 05, 2012 10:47 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] WGLC on Assertion Drafts
>
> Hi all,
>
> this is a Last Call for comments on these three documents:
>
> http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-10
>
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-01
>
> http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-02
>
> Please have your comments in no later than April 23rd.
>
> Do remember to send a note in if you have read the document and have no
> other comments other than "it’s ready to go" - we need those as much as we
> need "I found a problem".
>
> Thanks!
>
> Hannes & Derek
>
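The check Chuck describes above (parse the assertion only far enough to read the Issuer, use the Issuer to look up the expected keying material, verify the signature with that material, and only then treat the Issuer as established) as a runnable sketch. This is an added example and is not code or text from the draft or from any participant in the thread; it uses only the Python standard library, so it implements the HS256 (shared secret) case and refuses anything else, and the issuer registry layout, the token endpoint URL used as audience, and the shared secret are constructed for illustration. Note that the algorithm is taken from the Authorization Server's own registration for the issuer, never from the untrusted JWT header, which is what keeps a header claiming "none" or a different algorithm from changing how the signature is checked.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example registry: the Authorization Server's mapping from the
# Issuer identifier to the algorithm and keying material registered for it.
# Layout and values are assumptions for this example, not from the draft.
ISSUER_REGISTRY = {
    "https://idp.example.com": {
        "alg": "HS256",
        "key": b"constructed-shared-secret-for-example-only",
    },
}

# Assumed token endpoint, used as the expected audience of the assertion.
AS_TOKEN_ENDPOINT = "https://as.example.com/token"


class InvalidAssertion(Exception):
    """Raised by the Authorization Server when an assertion must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_assertion(issuer: str, key: bytes, subject: str, audience: str,
                         lifetime: int = 300, now=None) -> str:
    """Client side: build a JWT assertion signed with the issuer's shared secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_assertion(assertion: str, registry=ISSUER_REGISTRY,
                       audience=AS_TOKEN_ENDPOINT, now=None) -> dict:
    """Authorization Server side. Returns the verified claims or raises InvalidAssertion."""
    now = int(time.time()) if now is None else now

    # 1. Parse header and claims WITHOUT trusting them; the only thing we need
    #    at this point is the 'iss' value to locate the keying material.
    try:
        h_b64, c_b64, s_b64 = assertion.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:  # covers base64, JSON and unpacking errors
        raise InvalidAssertion("malformed assertion") from exc

    # 2. Issuer -> (alg, key) lookup in the AS's own registration data.
    entry = registry.get(claims.get("iss"))
    if entry is None:
        raise InvalidAssertion("unknown issuer")

    # 3. The algorithm comes from the registry, not from the untrusted header.
    if header.get("alg") != entry["alg"]:
        raise InvalidAssertion("algorithm does not match issuer registration")
    if entry["alg"] != "HS256":
        # RS256 would need an RSA verifier (not available in the standard library).
        raise InvalidAssertion("unsupported algorithm in registry")
    expected = hmac.new(entry["key"], (h_b64 + "." + c_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidAssertion("bad signature")

    # 4. Signature verified: whoever produced the assertion held the issuer's
    #    key, so 'iss' is now established and the remaining claims can be checked.
    if claims.get("aud") != audience:
        raise InvalidAssertion("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise InvalidAssertion("assertion expired")
    return claims


if __name__ == "__main__":
    key = ISSUER_REGISTRY["https://idp.example.com"]["key"]
    token = make_hs256_assertion("https://idp.example.com", key, "alice", AS_TOKEN_ENDPOINT)
    print(validate_assertion(token))
```

The ordering answers the question Zachary raised: the issuer claim has to be read before the signature can be checked, but it is only believed after the signature checks out against the key registered for that issuer.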