Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 20 July 2014 13:18 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C85361B2803 for <oauth@ietfa.amsl.com>; Sun, 20 Jul 2014 06:18:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v335p1oAAfIK for <oauth@ietfa.amsl.com>; Sun, 20 Jul 2014 06:18:43 -0700 (PDT)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A2661B27F2 for <oauth@ietf.org>; Sun, 20 Jul 2014 06:18:41 -0700 (PDT)
Received: by mail-lb0-f181.google.com with SMTP id 10so1999845lbg.40 for <oauth@ietf.org>; Sun, 20 Jul 2014 06:18:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=6hgr6mGI53CCzNxZUyFklgN/EDcx6UYGIbkCZfrc+8w=; b=V7P5ObrPDs9qcOOsVkcHsiVg+h2Sxk+CnEzgmgcETDWMY9la507DqlLkyoZyozyJt/ RvQTeAcCHdQk1O+dZjP0UNTh07v/actIctWv9o3EYOKpKIzZfluKPGqUbPi7b/aXL0Cj 9Z+sCK6zYCYxJ042z9f2r0FM7QRDRirbyPOo/UvoZU8ElFYWA1U5kNvk7RoHbq2yFQWA M4fPRz9TZz+4yTGtleyTlMy33sYeMWY+kzW/Onc19fFBXtic9BuNWxVWJHOykOjk8+O6 PUZkww5czZapVFH+Z9WteOW1fUDbxobWtgqaFzYQ5LvXvY8vttQb0YqaVtXHMnS+j1pj N3nA==
MIME-Version: 1.0
X-Received: by 10.112.139.196 with SMTP id ra4mr17739271lbb.28.1405862320378; Sun, 20 Jul 2014 06:18:40 -0700 (PDT)
Received: by 10.112.207.73 with HTTP; Sun, 20 Jul 2014 06:18:40 -0700 (PDT)
In-Reply-To: <CA+k3eCTtSLoj5LbYyvXZ+HK8Dpe94CbuLqU=tBYg6Jmy0+B+Bg@mail.gmail.com>
References: <CAHbuEH6w9mfHLwN8WMJHHV5qZ8MzLJY6ky-Yp_xg39WfpGbC3g@mail.gmail.com> <CA+k3eCR__YW3e1Ca0+3ix3Y2MuGjdwaP=YHEjpnCcxshTOoRkA@mail.gmail.com> <60D7F5DB-0574-4F58-ADCB-C9E4D9850401@gmail.com> <CA+k3eCTtSLoj5LbYyvXZ+HK8Dpe94CbuLqU=tBYg6Jmy0+B+Bg@mail.gmail.com>
Date: Sun, 20 Jul 2014 09:18:40 -0400
Message-ID: <CAHbuEH4FBbnt==99uS=WKnP7zYL7=9yGZ_hHwRZvFXQh+RR5FA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="001a11c33fcc35984404fe9fd49b"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zU2KB9B2C5wl_HaAQE33RZ__4kc
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Jul 2014 13:18:46 -0000
Thanks, Brian. That looks good to me. Kathleen On Sat, Jul 19, 2014 at 5:18 PM, Brian Campbell <bcampbell@pingidentity.com> wrote: > Thanks Kathleen, that makes sense. I do, however, think that a little > 'should' would be more appropriate there than a big 'SHOULD' as there's no > other use of RFC2119 language in that text. That okay by you? It would read > like this: > > > A SAML Assertion may contain privacy-sensitive information and, to prevent > disclosure of such information to unintended parties, should only be > transmitted over encrypted channels, such as TLS. In cases where it’s > desirable to prevent disclosure of certain information the client, the > Subject and/or individual attributes of a SAML Assertion should be > encrypted to the authorization server. > > > Deployments should determine the minimum amount of information necessary > to complete the exchange and include only that information in an Assertion > (typically by limiting what information is included in an > <AttributeStatement> or omitting it altogether). In some cases > the Subject can be a value representing an anonymous or pseudonymous user > as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 > Client Authentication and Authorization Grants [*http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1 > <http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1>* > ]. > > > On Sat, Jul 19, 2014 at 8:24 AM, Kathleen Moriarty < > kathleen.moriarty.ietf@gmail.com> wrote: > >> Thanks for the quick response, Brian. I think the text looks great. The >> only change I'd like to suggest is in the second sentence, to change the >> 'may' to 'SHOULD'. >> >> Best regards, >> Kathleen >> >> Sent from my iPhone >> >> On Jul 19, 2014, at 1:00 AM, Brian Campbell <bcampbell@pingidentity.com> >> wrote: >> >> How about the following (which is intentionally similar to the text I >> just put forth for your request for privacy consideration in >> draft-ietf-oauth-jwt-bearer-09)? >> >> A SAML Assertion may contain privacy-sensitive information and, to >> prevent disclosure of such information to unintended parties, should only >> be transmitted over encrypted channels, such as TLS. In cases where it’s >> desirable to prevent disclosure of certain information the client, the >> Subject and/or individual attributes of a SAML Assertion may be encrypted >> to the authorization server. >> >> Deployments should determine the minimum amount of information necessary >> to complete the exchange and include only that information in an Assertion >> (typically by limiting what information is included in an >> <AttributeStatement> or omitting it altogether). In some cases >> the Subject can be a value representing an anonymous or pseudonymous user >> as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 >> Client Authentication and Authorization Grants [*http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1 >> <http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1>* >> ]. >> >> >> On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty < >> kathleen.moriarty.ietf@gmail.com> wrote: >> >>> Hello, >>> >>> I just finished my review of >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer. The >>> draft looks great, thank you for all of your efforts on it! >>> >>> I did notice that there were no privacy considerations pointing back to >>> RFC6973, could that text be added? The draft came after the Oauth >>> framework publication (refernced in the security considerations), so I am >>> guessing that is why this was missed as there are privacy considerations in >>> the oauth assertion draft (I competed that review as well and the draft >>> looked great. I don't have any comments to add prior to progressing the >>> draft). >>> >>> Thank you. >>> >>> -- >>> >>> Best regards, >>> Kathleen >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >> > -- Best regards, Kathleen
- [OAUTH-WG] AD Review of http://datatracker.ietf.o… Kathleen Moriarty
- Re: [OAUTH-WG] AD Review of http://datatracker.ie… Brian Campbell
- Re: [OAUTH-WG] AD Review of http://datatracker.ie… Kathleen Moriarty
- Re: [OAUTH-WG] AD Review of http://datatracker.ie… Mike Jones
- Re: [OAUTH-WG] AD Review of http://datatracker.ie… Brian Campbell
- Re: [OAUTH-WG] AD Review of http://datatracker.ie… Kathleen Moriarty
- Re: [OAUTH-WG] AD Review of http://datatracker.ie… Brian Campbell
- Re: [OAUTH-WG] AD Review of http://datatracker.ie… Brian Campbell