Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 02 October 2014 15:21 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6FB61A1B42; Thu, 2 Oct 2014 08:21:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0vJCuIysQ_bH; Thu, 2 Oct 2014 08:21:31 -0700 (PDT)
Received: from mail-lb0-x233.google.com (mail-lb0-x233.google.com [IPv6:2a00:1450:4010:c04::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7A271A01F6; Thu, 2 Oct 2014 08:21:30 -0700 (PDT)
Received: by mail-lb0-f179.google.com with SMTP id l4so2459881lbv.10 for <multiple recipients>; Thu, 02 Oct 2014 08:21:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=8dw5yBPm+/Qzz8w4x9kdMDYO0ld/OffhxJHl3evV2Ts=; b=MnYCz1U1MTOsoeiEA6dI+wOYXoDKsDz6VEaF8/a0dNs2TVPNPQBKimxchbx3r3585q pBT5st6iAZoEUHp6KEyDC/6BPezuDqHBulNSwEgvQM459iUmbENci41GlQw+/E5hFHNo xjzpiHhQMaFuFi6ERYK9Nn+mwypMWxAWFi0rIAHHjrHksjk0T0yJ6G7Ii42Hy/Fioj1h WkSvJ6VTj9J7F0CTADAojh52EXHmOiZr8VbxzD5HBNpyIT4czbuKUPTgea9KOZ9NfabX lNzPFinkEPlWBn17pOjdoo3AuFfu3FFKlk+DCR9/DJGfCAhOArg4878xrOukhVN0fOVF 1k7g==
MIME-Version: 1.0
X-Received: by 10.112.156.227 with SMTP id wh3mr4124557lbb.23.1412263288974; Thu, 02 Oct 2014 08:21:28 -0700 (PDT)
Received: by 10.112.95.36 with HTTP; Thu, 2 Oct 2014 08:21:28 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BAB371E@TK5EX14MBXC288.redmond.corp.microsoft.com>
References: <20141001192433.1934.82385.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAB371E@TK5EX14MBXC288.redmond.corp.microsoft.com>
Date: Thu, 02 Oct 2014 11:21:28 -0400
Message-ID: <CAHbuEH4kdhaqdsz3ZAzuNiXXrOO+qOsLvC2PW+tDdWX+8504fg@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11c34408ab32c90504722ba8"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zWAxwkRmQTcyeNsQI3VJXIlEjCE
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>
Subject: Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Oct 2014 15:21:34 -0000
On Thu, Oct 2, 2014 at 11:14 AM, Mike Jones <Michael.Jones@microsoft.com> wrote: > Responding to the DISCUSS below… > > > > -----Original Message----- > From: Alissa Cooper [mailto:alissa@cooperw.in] > Sent: Wednesday, October 01, 2014 12:25 PM > To: The IESG > Cc: oauth-chairs@tools.ietf.org; > draft-ietf-oauth-json-web-token@tools.ietf.org > Subject: Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: > (with DISCUSS) > > > > Alissa Cooper has entered the following ballot position for > > draft-ietf-oauth-json-web-token-27: Discuss > > > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > == Section 12 == > > > > "A JWT may contain privacy-sensitive information. When this is the > > case, measures must be taken to prevent disclosure of this > > information to unintended parties." > > > > It seems to me that this should be a normative MUST, particularly in light > of the fact that claims are being defined that are meant to directly > identify users (e.g., sub) and other claims defined here or later could do > so as well. > > > > There seems to be debate whether a 2119 language should be used other than > when describing protocol requirements. Jim Schaad (the JOSE chair) > believes that they shouldn’t and these documents have followed that > convention. > > With other documents, there is RFC2119 language used for security & privacy considerations. At some point there was a trend to have a separate "Security Requirements" section from "Security Considerations", but I don't think there was any requirement for this, just a preference. I agree that this should be a MUST, but with Stephen as well that you should discourage putting in privacy related information to begin with. > > > "One way to achieve this is to use > > an encrypted JWT. Another way is to ensure that JWTs containing > > unencrypted privacy-sensitive information are only transmitted over > > encrypted channels or protocols, such as TLS." > > > > Since sensitive JWTs should be protected from both intermediary > observation and from being sent to unintended recipients, I would > > suggest: > > > > One way to achieve this is to use an encrypted JWT and authenticate the > recipient. Another way is to ensure that JWTs containing unencrypted > privacy-sensitive information are only transmitted over encrypted channels > or protocols that also support endpoint authentication, such as TLS. > > > > Thanks for this suggested language. We can incorporate something like > that. > OK, this makes sense and will feed into Pete's discuss on where TLS should be required. Thanks! > > -- Best regards, Kathleen
- Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-i… Kathleen Moriarty
- Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-i… Stephen Farrell
- Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-i… Stephen Farrell
- Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-i… Kathleen Moriarty