Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00
Brian Campbell <bcampbell@pingidentity.com> Tue, 15 November 2016 23:12 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 689631295C8 for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2016 15:12:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8faIf970m3l0 for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2016 15:12:03 -0800 (PST)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93B6A1295B7 for <oauth@ietf.org>; Tue, 15 Nov 2016 15:12:03 -0800 (PST)
Received: by mail-it0-x236.google.com with SMTP id b123so27349183itb.0 for <oauth@ietf.org>; Tue, 15 Nov 2016 15:12:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YeWCdFFFz73OB/O5iBGBk0AJWqIvYwH4yPkc2BIn7ck=; b=Cwfy/wWTLgJ5l00JlEqTvESA8aOm623a5RKqzSG4BvbOae0nEyUccIe6VJuCr76h7y qupw68iZ2V4OWgzujMx0vjwo+JccyG/jqIRD+l1MUVI1QNP3Yd93Jw7Ta0z3+QpG1z2w Yje/WCCspSvSm7rzsTsy3qtQGsTWNt7d0bBes=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YeWCdFFFz73OB/O5iBGBk0AJWqIvYwH4yPkc2BIn7ck=; b=VgPEXZ3g/00b1BUcL7IQ61brd4uLvfJqprFjbcb6Ban6ngYLc8ajqqAagUWx9XYEcm u4OOB7fWLwOnChjlzzsnJvIDKhYU8gEu3vjsKr8ZjTnhb+LJ98Wu7ZAqnCq0+JOX86VE qx9jOvP/8DbnVbI7ZZfkYGZyNIQwL0DzOK921soCN0DeIRBDSvkHvJIZuW4Z6qByppSk v4NlvMPQIadcvExUbJn9vRBl9N9wnGaVrrdkMq9suw3Q+MWc/bPzOZst1SzDTRwyWF+B EEKybEH9wsQJRhJF1v8V0ecaNQNXNYWO83fEuGkfIgagqA/v+PjWOmF/2ZO+GmXmCLu7 YizQ==
X-Gm-Message-State: ABUngvfKuGamfBzGIb9PgIeDO+A3zu+j34tsOLoiPRbq5kNCFyzxmKPuJc7I4oD0IMqF7D5vSRJ07vDlx97P+RWy
X-Received: by 10.107.141.211 with SMTP id p202mr342813iod.47.1479251522976; Tue, 15 Nov 2016 15:12:02 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.156.74 with HTTP; Tue, 15 Nov 2016 15:11:32 -0800 (PST)
In-Reply-To: <f5f049b9-1aca-9949-ffd6-c9ce1396ef31@free.fr>
References: <f5f049b9-1aca-9949-ffd6-c9ce1396ef31@free.fr>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 15 Nov 2016 16:11:32 -0700
Message-ID: <CA+k3eCRM2Eai+irMAcPr5ALNf1fjcTLMedLeDzhnVK8XKDSEYw@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Content-Type: multipart/alternative; boundary="94eb2c062c9e8fa2f305415f1597"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xxDxvlmjRy3nyBhgsF7ptItuDwY>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2016 23:12:05 -0000
In this document the information is very much intended for the authorization server so that it can make appropriate policy choices about the token to be issued. On Tue, Nov 15, 2016 at 4:50 AM, Denis <denis.ietf@free.fr> wrote: > Hello everybody, > > Since I am not present at the meeting, I read the minutes from the first > session, in particular: > > Brian Campbell and John did a draft allowing the client to tell the AS > where it plans to use the token > draft-campbell-oauth-resource-indicators > > This enables the AS to audience restrict the access token to > the resource > Phil Hunt: We should keep the audience restriction idea on > the table > > The introduction contains the following sentences: > > Several years of deployment and implementation experience with OAuth 2.0 > [RFC6749] has uncovered a need, in some circumstances, > for the client to explicitly signal to the authorization sever where it > intends to use the access token it is requesting. > > A means for the client to signal to the authorization sever where it > intends to use the access token it's requesting is important and useful. > > The document contains a "security considerations" section but > unfortunately no "privacy considerations" section. > > Clause 2 states: > > The client may indicate the resource server(s) for which it is requesting > an access token by including the > following parameter in the request. > > resource > > OPTIONAL. The value of the resource parameter indicates a resource server > where the requested > access token will be used.* It MUST be an absolute URI*, as specified by > Section 4.3 of[RFC3986], > > With such an approach, the authorization server would have the ability to *act > as a Big Brother *and hence to know exactly > where the user will be performing activities. > > However, some users might be concerned with their privacy, and would like > to restrict the use of the access token > to some resource servers without the authorization server knowing which > are these resource servers. > > The key point is whether the information is primarily intended to the > authorization server or to the resource server(s). > > I believe that it is primarily intended to the resource server(s) rather > than to the authorization server in order to be included > in an access token. Obviously, the information needs to transit through > the authorization sever, that should simply be copied > and pasted into the access token. Its semantics, if any, does not > necessarily needs to be interpreted by the authorization sever. > > I believe that a "privacy considerations" section should be added. > > The sentence "*It MUST be an absolute URI*, as specified by Section 4.3 > of [RFC3986]" should be removed or > replaced by : "*It MAY be an absolute URI*, as specified by Section 4.3 > of [RFC3986]". > > Obviously, other changes would be necessary too. > > Denis > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] About Big Brother and draft-campbell-o… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Brian Campbell
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Vivek Biswas
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Jim Willeke
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Steinegger, Roland Heinz (TM)
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Hannes Tschofenig
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… John Bradley
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Mike Jones
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… George Fletcher
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- [OAUTH-WG] Comments on draft-ietf-oauth-token-bin… Denis
- [OAUTH-WG] Comments on draft-ietf-oauth-pop-archi… Denis