[OAUTH-WG] Fwd: Ted Lemon's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS)
Brian Campbell <bcampbell@pingidentity.com> Thu, 16 October 2014 15:00 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF4D11A1BC7 for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 08:00:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 43RyZYPPGkIh for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 08:00:33 -0700 (PDT)
Received: from na3sys009aog117.obsmtp.com (na3sys009aog117.obsmtp.com [74.125.149.242]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF0C11A1A75 for <oauth@ietf.org>; Thu, 16 Oct 2014 08:00:32 -0700 (PDT)
Received: from mail-ie0-f175.google.com ([209.85.223.175]) (using TLSv1) by na3sys009aob117.postini.com ([74.125.148.12]) with SMTP ID DSNKVD/djlU1Rz6i/sCe+XfYC7UKbIZIpwQ2@postini.com; Thu, 16 Oct 2014 08:00:32 PDT
Received: by mail-ie0-f175.google.com with SMTP id x19so3506245ier.6 for <oauth@ietf.org>; Thu, 16 Oct 2014 08:00:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; bh=aJZnZkhva8qw7/Vm1W06YcVQ/O9teBJTP6CPCxKp07o=; b=lxyVvzo/erreLMFXVboeM/HLmPVUKTUGj30vgFkNpdv6rQWJvS4IE4n9YA4M1upKPu ASMSUacWYfsAeG2ynajpqlgjTFDa8sEzJm/s6L/otYhrKQX0eyY2LfRZM2VxhacK4CSj J6jc/aZVb8pH3wo4xMbTzMJJGJN5Qc2/EO/m2UxJ3HXtxaNC6KjDJ7JQ6NmQQhbFJsqN FbGUpmaGZYCARZMSVPhKS1g/1knsT9EDx61lnVv5Mxn+z4+AC6MNX01GJWI5FF03wscc qK7zfXFzpRVtJ8WoCrEmE8Qa0YMc/uYPqvzcsM2x6tsUz18r8i5YzF9AejLp8Ed9viAY 8S5A==
X-Gm-Message-State: ALoCoQkrMEuPv0IirHmpPyUvH3fDmgOqaw3yKRwJf+EET58in4hBun9DmhuEOAt5biNTVC8BDsZMvbkSgBlt6/ZnJVtF+6SjRVDVL2ccXYjClQCtsce9/EDZMVJC+cbZtqETp+FY+mzn
X-Received: by 10.50.66.179 with SMTP id g19mr22760424igt.40.1413471629947; Thu, 16 Oct 2014 08:00:29 -0700 (PDT)
X-Received: by 10.50.66.179 with SMTP id g19mr22760402igt.40.1413471629727; Thu, 16 Oct 2014 08:00:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.12.137 with HTTP; Thu, 16 Oct 2014 07:59:59 -0700 (PDT)
In-Reply-To: <CA+k3eCSvmkCv=Tedh5BjxO3qLi2qj9N4Fs4Qk9CUdAr+fJBTSw@mail.gmail.com>
References: <20141016130758.20410.20976.idtracker@ietfa.amsl.com> <CA+k3eCQ-660tEQcC2XmzSuBEe-=LdHn6x=mdLn2JSiy+x6eMKw@mail.gmail.com> <21BD317F-7AEC-46BF-A31A-7002653F9430@nominum.com> <CA+k3eCSvmkCv=Tedh5BjxO3qLi2qj9N4Fs4Qk9CUdAr+fJBTSw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 16 Oct 2014 08:59:59 -0600
Message-ID: <CA+k3eCQSwSeWhHeLOP6puiOrmm-KuSp98c45FEMsvC83wMJ_9w@mail.gmail.com>
To: The IESG <iesg@ietf.org>, "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="047d7bdc15b264131805058b8202"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/tv4-OI3BCUFpkeHnLkal2UH2h60
Subject: [OAUTH-WG] Fwd: Ted Lemon's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 15:00:34 -0000
I realized that I'd accidentally replied only to Ted in this thread (email is hard!). So I wanted to send our discussion to the original cc list so it'd be more on the record and also because I believe this discussion is related to, and may help inform, some other comments that came in this morning. ---------- Forwarded message ---------- From: Brian Campbell <bcampbell@pingidentity.com> Date: Thu, Oct 16, 2014 at 8:34 AM Subject: Re: [OAUTH-WG] Ted Lemon's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS) To: Ted Lemon <Ted.Lemon@nominum.com> On Thu, Oct 16, 2014 at 7:42 AM, Ted Lemon <Ted.Lemon@nominum.com> wrote: > On Oct 16, 2014, at 8:37 AM, Brian Campbell <bcampbell@pingidentity.com> > wrote: > > It's a good question Ted, thanks for your review. The concern is > mitigated by the requirement in §5.2 (third bullet > https://tools.ietf.org/html/draft-ietf-oauth-assertions-17#section-5.2) > which requires that these bearer assertions be audience restricted. > Assertions with audience restrictions can only be used at the specific > relying party(s) to whom they were addressed. > > > > So I think the concern is addressed in processing rules of the draft. > But do you think it should also be mentioned in the security considerations? > > Hm, interesting. I didn't connect that, because I assumed that while a > bearer assertion could be issued for a particular relying party, other > assertions might be issued for other relying parties using the same token. > This could be either because of some policy on the client, or because the > end-user just types in the same token in several places, as is > unfortunately common practice with user passwords. > > So I guess I think a bit more discussion is warranted, but it may be that > my concern is based on a misunderstanding of how bearer assertions are > generated, in which case the discussion may not be necessary. So I guess > the question is, am I misunderstanding something here that makes this > concern not an issue? > > Typically an assertion will be issued for use at a specific relying party in a specific context (like one of these profiles or for web single sign-on) . And it will be time limited to something on the order of minutes or maybe hours but not longer. The assertion is the token. It carries information about the user and how they authenticated (how is not dictated here but the assertion can describe it to the relying party) with the assertion issuer. But it's not something that the user would ever type in or even see or be aware of in most cases. The audience restriction let's the issuer say specifically what relying party is allowed to consume the assertion, which ensures that the client can't use it somewhere that it wasn't intended and that the relying party that receives the assertion can't turn around and use it to access some other service. Is this helping your understanding or just confusing matters?
- [OAUTH-WG] Ted Lemon's Discuss on draft-ietf-oaut… Ted Lemon
- [OAUTH-WG] Fwd: Ted Lemon's Discuss on draft-ietf… Brian Campbell