Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09

Brian Campbell <bcampbell@pingidentity.com> Sat, 19 July 2014 04:52 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 18 Jul 2014 22:52:25 -0600
Message-ID: <CA+k3eCQp5mkSKsHV5T509ymd4MoA=7E3WdO_94cMPn+wByZknw@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wEmHytar8GmuNyWvvgMH-lHKxag
Cc: "oauth@ietf.org" <oauth@ietf.org>

Sorry for the slow response on this Kathleen, my day job has been keeping
me busy recently. And, honestly, I was kind of hopeful someone would
volunteer some text in the meantime. But that didn't happen so how about
the following?

A JWT may contain privacy-sensitive information and, to prevent disclosure
of such information to unintended parties, should only be transmitted over
encrypted channels, such as TLS. In cases where it’s desirable to prevent
disclosure of certain information to the client, the JWT may be encrypted
to the authorization server.

Deployments should determine the minimum amount of information necessary to
complete the exchange and include only such claims in the JWT. In some
cases the "sub" (subject) claim can be a value representing an anonymous or
pseudonymous user as described in Section 6.3.1 of the Assertion Framework
for OAuth 2.0 Client Authentication and Authorization Grants
[http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].


On Thu, Jul 3, 2014 at 3:26 PM, Kathleen Moriarty <
kathleen.moriarty.ietf@gmail.com> wrote:

>
> Hello,
>
> I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good.  The
> only question/comment I have is that I don't see any mention of privacy
> considerations in the referenced security sections.  Could you add
> something?  It is easily addressed by section 10.8 of RFC6749, but there is
> no mention of privacy considerations.  I'm sure folks could generate great
> stories about who is accessing what causing privacy considerations to be
> important.
>
> Thanks & have a nice weekend!
>
> --
>
> Best regards,
> Kathleen
>
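The two recommendations in the proposed privacy text above (include only the claims needed for the exchange, and let "sub" be a pseudonym rather than a real identifier) can be made concrete with a small JWT bearer assertion builder. This is an added illustration, not text or code from the draft or from either poster; it uses the Python standard library only, assumes an HS256 MAC key shared between client and authorization server (a signature with an asymmetric key would be the more common deployment), and all identifiers, keys and the user profile are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: a local user record that holds far more than the
# token exchange needs. Only a pseudonym of "user_id" will leave the client.
SAMPLE_PROFILE = {"user_id": "alice", "email": "alice@example.com",
                  "department": "finance", "manager": "bob"}

# Hypothetical minimum claim set for a JWT bearer assertion: the claims the
# draft requires or recommends, and nothing from the profile beyond "sub".
MINIMUM_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "jti")
ASSERTION_LIFETIME = 300  # seconds; constructed value for the example


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pairwise_pseudonym(user_id: str, audience: str, salt: bytes) -> str:
    # Keyed hash of the local id bound to this authorization server's
    # audience: stable for one AS, unlinkable across different ASes, and
    # not reversible to the real id without the client's secret salt.
    msg = f"{audience}|{user_id}".encode()
    return b64url(hmac.new(salt, msg, hashlib.sha256).digest())


def build_assertion(profile: dict, issuer: str, audience: str,
                    key: bytes, salt: bytes, now: int, jti: str) -> str:
    # Deliberately copies nothing from the profile except a pseudonym of
    # the user id; email, department, etc. stay out of the assertion.
    claims = {"iss": issuer,
              "sub": pairwise_pseudonym(profile["user_id"], audience, salt),
              "aud": audience, "iat": now,
              "exp": now + ASSERTION_LIFETIME, "jti": jti}
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def decode_claims(assertion: str) -> dict:
    # Parses the payload only (no MAC check); used to inspect what was emitted.
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))
```

Inspecting the decoded payload shows exactly the six claims in MINIMUM_CLAIMS, and the same user gets a different "sub" for a different audience.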