Re: [OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-resource-indicators-05: (with COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Wed, 04 September 2019 08:00 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Brian Campbell <bcampbell@pingidentity.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-oauth-resource-indicators@ietf.org" <draft-ietf-oauth-resource-indicators@ietf.org>, oauth <oauth@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>
Date: Wed, 4 Sep 2019 07:59:54 +0000
Message-ID: <F9495E20-5386-4F12-8479-391A36502C89@cisco.com>
References: <156741723195.13041.3519982606374763447.idtracker@ietfa.amsl.com> <CA+k3eCTJpyO2DOFr9NpGrE9S6QRVHTLhFJbZDhZpsODtxd2X3Q@mail.gmail.com>
In-Reply-To: <CA+k3eCTJpyO2DOFr9NpGrE9S6QRVHTLhFJbZDhZpsODtxd2X3Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/u-7aUKAi3dnD5spNNO0B0UKZ1cQ>

Brian,

Thank you for your reply and the explanation about the URI vs. an opaque value (still wondering though about the privacy leaks but perhaps less important in the world of OAuth).

I believe that the document would benefit if you could add some more examples/use cases in section 1. Up to the authors.

Regards

-éric

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tuesday, 3 September 2019 at 21:29
To: Eric Vyncke <evyncke@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-oauth-resource-indicators@ietf.org" <draft-ietf-oauth-resource-indicators@ietf.org>, oauth <oauth@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>
Subject: Re: [OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-resource-indicators-05: (with COMMENT)

Thank you, Éric, for the review and ballot position.


On Mon, Sep 2, 2019 at 3:40 AM Éric Vyncke via Datatracker <noreply@ietf.org> wrote:
> Éric Vyncke has entered the following ballot position for
> draft-ietf-oauth-resource-indicators-05: No Objection
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you for the hard work put into this easy to read document.

Thanks, I'm happy to hear that you found it readable.


> == COMMENTS ==
>
> -- Section 1 --
> "has uncovered a need, in some circumstances" (and similar sentences in section
> 1), it is rather vague for a standard track document... Please add some facts
> and data, this could be a companion document about requirements/use cases.

Sec 1 is intended to be a general (though not vague) introduction with some explanation about what an authorization server might be able to accomplish with an understanding of the location/identity of the protected resource for which the client is requesting an access token. Which effectively boils down to being able to produce the token appropriate for the indicated resource (including the type of token, if and how it's encrypted, what information is contained or referenced, to whom it is audience restricted). I've no doubt that the writing could stand to be improved (which is always the case with content I've written) but those are the use cases and I don't have more specific facts or data.



> -- Section 2 --
> It is rather a question of mine, why does the resource need to be a URI (which
> usually bears some visible semantics) rather than an opaque string known only
> by the resource owner/server ? This is similar to Mirja's comment about privacy.

The motivation behind the draft is largely to facilitate this explicit signal to the authorization server (AS) about the location or identity of the protected resource for which the client is requesting an access token. For the reasons previously mentioned. Something that's opaque to the AS would negate the ability of the AS to do most of that stuff (admittedly not all but most).



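As an added illustration (not code from the draft or from anyone in this thread), here is what the authorization-server side of the exchange discussed above looks like in Python: the `resource` value is checked as an absolute URI without a fragment, and because the AS can read it, it can pick the audience and token profile for that resource, which is exactly what an opaque value would prevent. The `RESOURCE_REGISTRY` and its per-resource settings are hypothetical; the `invalid_target` error code is the one defined by the resource indicators specification.

```python
from urllib.parse import urlsplit

# Constructed registry of the protected resources this hypothetical AS knows.
# The per-resource settings stand in for what the thread calls "the type of
# token, if and how it's encrypted ... to whom it is audience restricted".
RESOURCE_REGISTRY = {
    "https://cal.example.com/":      {"format": "jwt",    "encrypt": False},
    "https://contacts.example.com/": {"format": "opaque", "encrypt": True},
}

class InvalidTarget(Exception):
    """A resource indicator the AS cannot honour (bad syntax or unknown)."""

def validate_resource_indicator(value):
    """Syntax rule from the draft: absolute URI, query allowed, no fragment."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        raise InvalidTarget("resource must be an absolute URI: %r" % value)
    if parts.fragment or value.endswith("#"):
        raise InvalidTarget("resource must not contain a fragment: %r" % value)
    return value

def lookup_resource(value):
    """Map an indicator to a registered base URI; more specific URIs are accepted."""
    for base, profile in RESOURCE_REGISTRY.items():
        if value.startswith(base):
            return base, profile
    raise InvalidTarget("unknown protected resource: %r" % value)

def handle_token_request(form):
    """Apply the 'resource' parameter(s) of a token request. Returns the token
    the AS would mint (audience + profile), an error body using the draft's
    'invalid_target' code, or None when no resource was indicated."""
    resources = form.get("resource", [])
    if not resources:
        return None  # draft leaves this to AS default policy; not modelled here
    audience, profiles = set(), set()
    try:
        for value in resources:
            base, profile = lookup_resource(validate_resource_indicator(value))
            audience.add(base)
            profiles.add((profile["format"], profile["encrypt"]))
    except InvalidTarget as exc:
        return {"error": "invalid_target", "error_description": str(exc)}
    if len(profiles) != 1:
        # One access token cannot serve resources needing different token types.
        return {"error": "invalid_target",
                "error_description": "indicated resources need incompatible tokens"}
    fmt, enc = profiles.pop()
    return {"aud": sorted(audience), "format": fmt, "encrypted": enc}
```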