[OAUTH-WG] Adam Roach's Discuss on draft-ietf-oauth-jwt-introspection-response-07: (with DISCUSS and COMMENT)

Adam Roach via Datatracker <noreply@ietf.org> Wed, 04 September 2019 07:44 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 42BB31200CE; Wed, 4 Sep 2019 00:44:21 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Adam Roach via Datatracker <noreply@ietf.org>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-oauth-jwt-introspection-response@ietf.org, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, rifaat.ietf@gmail.com, oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.100.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Adam Roach <adam@nostrum.com>
Message-ID: <156758306119.22796.7625113709709674898.idtracker@ietfa.amsl.com>
Date: Wed, 04 Sep 2019 00:44:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zyufJ9r_JBJ3jZF0iR2df6B2x-A>
Subject: [OAUTH-WG] Adam Roach's Discuss on draft-ietf-oauth-jwt-introspection-response-07: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 07:44:22 -0000

Adam Roach has entered the following ballot position for
draft-ietf-oauth-jwt-introspection-response-07: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thanks for the work the authors and other contributors have
put into creating this document.

I have a privacy concern that I think warrants text in the document.

Section 8.3.1 introduces a significant amount of personally-identifiable
information. While I understand that this is needed for the use case
cited in the introduction (issuing certificated for electronic signatures),
I think the document needs some treatment of the sensitivity of this
information, the basis that the server uses to decide whether to include
it, and how consent to disclose it might be obtained from the user.

I'm putting this in as a DISCUSS, because I really do think this is
a showstopper for publication. I am quite aware, however, that I might
simply be missing some important aspect of the solution that makes my
concerns moot. Please point me in the right direction if this is the
case, and I'll be happy to clear.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

ยง3:

>  The example response contains the following JSON document:
>
>  {
>    "sub": "Z5O3upPC88QrAjx00dis",
>    "aud": "https://protected.example.net/resource",
>    "scope": "read write dolphin",
>    "iss": "https://server.example.com/",
>    "active": true,
>    "exp": 1419356238,
>    "iat": 1419350238,
>    "client_id": "l238j323ds-23ij4",
>    "given_name": "John",
>    "family_name":"Doe",
>    "birthdate":"1982-02-01"
>  }

The example response actually contains the following JSON document:

{
   "sub":"Z5O3upPC88QrAjx00dis",
   "aud":"https:\/\/protected.example.net\/resource",
   "extension_field":"twenty-seven",
   "scope":"read write dolphin",
   "iss":"https:\/\/server.example.com\/",
   "active":true,
   "exp":1419356238,
   "iat":1419350238,
   "client_id":"l238j323ds-23ij4",
   "username":"jdoe"
}

Note the presence of "extension_field" and "username" fields, and the
absence of "given_name", "family_name", and "birthdate" fields. There's
also a bunch of unnecessarily escaped "/" characters in the document
in the JWT, but not the expanded example; and while these are semantically
insignificant, the discrepancy seems gratuitous.

It is probably worthwhile updating either the JWT or the expanded
example so that they match.