Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 20 July 2014 13:18 UTC

In-Reply-To: <CA+k3eCTtSLoj5LbYyvXZ+HK8Dpe94CbuLqU=tBYg6Jmy0+B+Bg@mail.gmail.com>
References: <CAHbuEH6w9mfHLwN8WMJHHV5qZ8MzLJY6ky-Yp_xg39WfpGbC3g@mail.gmail.com> <CA+k3eCR__YW3e1Ca0+3ix3Y2MuGjdwaP=YHEjpnCcxshTOoRkA@mail.gmail.com> <60D7F5DB-0574-4F58-ADCB-C9E4D9850401@gmail.com> <CA+k3eCTtSLoj5LbYyvXZ+HK8Dpe94CbuLqU=tBYg6Jmy0+B+Bg@mail.gmail.com>
Date: Sun, 20 Jul 2014 09:18:40 -0400
Message-ID: <CAHbuEH4FBbnt==99uS=WKnP7zYL7=9yGZ_hHwRZvFXQh+RR5FA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zU2KB9B2C5wl_HaAQE33RZ__4kc
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

Thanks, Brian.  That looks good to me.

Kathleen


On Sat, Jul 19, 2014 at 5:18 PM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Thanks Kathleen, that makes sense. I do, however, think that a little
> 'should' would be more appropriate there than a big 'SHOULD' as there's no
> other use of RFC2119 language in that text. That okay by you? It would read
> like this:
>
>
> A SAML Assertion may contain privacy-sensitive information and, to prevent
> disclosure of such information to unintended parties, should only be
> transmitted over encrypted channels, such as TLS. In cases where it’s
> desirable to prevent disclosure of certain information to the client, the
> Subject and/or individual attributes of a SAML Assertion should be
> encrypted to the authorization server.
>
>
> Deployments should determine the minimum amount of information necessary
> to complete the exchange and include only that information in an Assertion
> (typically by limiting what information is included in an
> <AttributeStatement> or omitting it altogether). In some cases
> the Subject can be a value representing an anonymous or pseudonymous user
> as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0
> Client Authentication and Authorization Grants
> [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>
>
> On Sat, Jul 19, 2014 at 8:24 AM, Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
>> Thanks for the quick response, Brian.  I think the text looks great.  The
>> only change I'd like to suggest is in the second sentence, to change the
>> 'may' to 'SHOULD'.
>>
>> Best regards,
>> Kathleen
>>
>> Sent from my iPhone
>>
>> On Jul 19, 2014, at 1:00 AM, Brian Campbell <bcampbell@pingidentity.com>
>> wrote:
>>
>> How about the following (which is intentionally similar to the text I
>> just put forth for your request for privacy consideration in
>> draft-ietf-oauth-jwt-bearer-09)?
>>
>> A SAML Assertion may contain privacy-sensitive information and, to
>> prevent disclosure of such information to unintended parties, should only
>> be transmitted over encrypted channels, such as TLS. In cases where it’s
>> desirable to prevent disclosure of certain information to the client, the
>> Subject and/or individual attributes of a SAML Assertion may be encrypted
>> to the authorization server.
>>
>> Deployments should determine the minimum amount of information necessary
>> to complete the exchange and include only that information in an Assertion
>> (typically by limiting what information is included in an
>> <AttributeStatement> or omitting it altogether). In some cases
>> the Subject can be a value representing an anonymous or pseudonymous user
>> as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0
>> Client Authentication and Authorization Grants
>> [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>>
>>
>> On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty <
>> kathleen.moriarty.ietf@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I just finished my review of
>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer.  The
>>> draft looks great, thank you for all of your efforts on it!
>>>
>>> I did notice that there were no privacy considerations pointing back to
>>> RFC6973, could that text be added?  The draft came after the OAuth
>>> framework publication (referenced in the security considerations), so I am
>>> guessing that is why this was missed as there are privacy considerations in
>>> the OAuth assertion draft (I completed that review as well and the draft
>>> looked great.  I don't have any comments to add prior to progressing the
>>> draft).
>>>
>>> Thank you.
>>>
>>> --
>>>
>>> Best regards,
>>> Kathleen
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>


-- 

Best regards,
Kathleen
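The proposed privacy considerations text quoted above asks deployments to include only the attributes an exchange needs and to prefer an encrypted or pseudonymous Subject. The following is an added example of what that looks like as a check on an outgoing assertion; it is not code from the draft, from the OAuth WG, or from either author of this thread. It uses the standard SAML 2.0 assertion namespace and NameID format URIs, while the sample assertions, the attribute allowlist, and the function names (`minimise`, `subject_exposure`, `attribute_names`) are constructed for the example.

```python
"""Attribute minimisation and Subject-exposure check for a SAML 2.0 bearer
assertion. Added example for the privacy-considerations text discussed in the
thread; not code from the draft or its authors."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SAML = "{%s}" % SAML_NS
ET.register_namespace("saml", SAML_NS)

# Standard SAML 2.0 NameID formats that carry an opaque pseudonym rather than
# a directly identifying value such as an e-mail address.
PSEUDONYMOUS_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

# Constructed sample (not a real assertion): the Subject is a persistent
# pseudonym, but the AttributeStatement carries more than the exchange needs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2014-07-20T13:18:40Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-3f9c</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dob"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample with the Subject encrypted to the authorization server
# (an EncryptedID wrapping XML-Encryption data; the cipher text is a placeholder).
ENCRYPTED_SUBJECT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0" IssueInstant="2014-07-20T13:18:40Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:EncryptedID>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherData><xenc:CipherValue>BASE64-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </saml:EncryptedID>
  </saml:Subject>
</saml:Assertion>"""


def attribute_names(xml_text):
    """Names of all plaintext saml:Attribute elements, sorted."""
    # Note: for untrusted input use defusedxml rather than xml.etree directly.
    root = ET.fromstring(xml_text)
    return sorted(a.get("Name") for a in root.iter(SAML + "Attribute"))


def minimise(xml_text, allowed):
    """Return the assertion with every Attribute not in `allowed` removed.

    An AttributeStatement left empty is dropped entirely, matching the
    'or omitting it altogether' option in the proposed text."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AttributeStatement", NS)
    if stmt is not None:
        for attr in stmt.findall("saml:Attribute", NS):
            if attr.get("Name") not in allowed:
                stmt.remove(attr)
        if len(stmt) == 0:
            root.remove(stmt)
    return ET.tostring(root, encoding="unicode")


def subject_exposure(xml_text):
    """Classify how the Subject is exposed to anyone who can read the assertion:
    'encrypted' (EncryptedID), 'pseudonymous' (transient/persistent NameID),
    'identifying' (any other NameID format, e.g. emailAddress) or 'none'."""
    root = ET.fromstring(xml_text)
    subj = root.find("saml:Subject", NS)
    if subj is None:
        return "none"
    if subj.find("saml:EncryptedID", NS) is not None:
        return "encrypted"
    name_id = subj.find("saml:NameID", NS)
    if name_id is None:
        return "none"
    if name_id.get("Format", "") in PSEUDONYMOUS_FORMATS:
        return "pseudonymous"
    return "identifying"


if __name__ == "__main__":
    # The hypothetical token endpoint only needs 'role' to authorise the grant.
    trimmed = minimise(SAMPLE_ASSERTION, {"role"})
    print("attributes before:", attribute_names(SAMPLE_ASSERTION))
    print("attributes after: ", attribute_names(trimmed))
    print("subject exposure: ", subject_exposure(trimmed))
    print("encrypted sample: ", subject_exposure(ENCRYPTED_SUBJECT_ASSERTION))
```

The allowlist is deliberately per-exchange: the minimisation happens where the issuer decides what to put in the assertion, before signing, not at the authorization server, which by then has already received the data. Encrypting the Subject or individual attributes to the authorization server (the `EncryptedID` case above) is the option for information the issuer wants the server, but not the client carrying the bearer assertion, to see.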