[secdir] Secdir Review of draft-ietf-oauth-jwt-bearer-10
Radia Perlman <radiaperlman@gmail.com> Mon, 29 September 2014 23:46 UTC
Return-Path: <radiaperlman@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44FDD1ACDF0; Mon, 29 Sep 2014 16:46:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RbbPVLGFL98r; Mon, 29 Sep 2014 16:46:08 -0700 (PDT)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C97A91ACDE9; Mon, 29 Sep 2014 16:46:07 -0700 (PDT)
Received: by mail-lb0-f176.google.com with SMTP id p9so3318073lbv.7 for <multiple recipients>; Mon, 29 Sep 2014 16:46:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=+UO6SB708Fe5q7UZqPU94caOjt+PJiYXuIhs9Bz+Ktc=; b=izqqTmpeYj5ep+DQ6LoyNtZnPLrh7raQ1M1ZU4ZpN5FoILeH2UDhlz+6W0m3ljcEzo YulnUhdwRUFdZwRqHgOa2JV/RF4f4vHcWRMhJghPWDB6LhFCPafPXTS8ir9mNnYYkJP2 +It6i7IRLeBwFshqV5TNeYFtHnWGJLmLB6SkjluY2MlBbz0ki/AVfB/OYMKnEHuCb4oR Qm6itFXmoywTmMVkcl9d3YSeq2OHuKZ1TqASp/e9r4GKoPqD5yDra7RL4i1oUIH0boUt 3wRANkVDNCYGtloz7m2FOLF6mqPCwqY5u3h0JsOfXpaSLsyrb2yW6qso6+kqJvfWF5+q xXyw==
MIME-Version: 1.0
X-Received: by 10.152.27.200 with SMTP id v8mr43141762lag.53.1412034366109; Mon, 29 Sep 2014 16:46:06 -0700 (PDT)
Received: by 10.112.160.226 with HTTP; Mon, 29 Sep 2014 16:46:06 -0700 (PDT)
Date: Mon, 29 Sep 2014 19:46:06 -0400
Message-ID: <CAFOuuo7jBohCUm7izrRxCZyQdTnCxWMtjsueHYRhf1PxZDvarg@mail.gmail.com>
From: Radia Perlman <radiaperlman@gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-oauth-jwt-bearer.all@tools.ietf.org
Content-Type: multipart/alternative; boundary="089e0160a3becd7f8d05043cde5c"
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/-t5_EUdqKYLyYZNi4Yc-OysF5SI
Subject: [secdir] Secdir Review of draft-ietf-oauth-jwt-bearer-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Sep 2014 23:46:10 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document is one of a set of documents specifying how to use JSON formatted OAuth bearer tokens in the context of HTTP requests. It specifies two contexts in which these JSON tokens can be used: as Authorization Grants or for Client Authentication. It specifies the to-be-IANA-registered parameters used to specify that the type of token presented is a JSON token (within the HTTP header). It also specifies the checks to be done to validate that the JSON token is valid (though I would expect this information would also be specified in the JSON token specification itself). There are security considerations and privacy considerations sections, but they are very light. That is because it refers to draft-ietf-oauth-assertions-17, which has a more complete security considerations section. I guess it's appropriate to have more detailed security considerations there, since all this specification adds is some labels. Would it make sense to merge this document with the other specs, rather than having this be so redundant with the others? Some details: On page 3 para 2, it says “The format and processing rules for the JWT defined in this specification are intentionally similar, though not identical, to those in the closely related SAML 2.0 Profile for OAuth.” It would be good if they specified what the differences are, and why they couldn't be identical. Some background guidance on when you would want to use a token for client authentication vs. when you would want to use one for an authorization grant would be useful. In practice, the distinction between the two is subtle. It is common for a token to contain the caller’s identity as well as group memberships and perhaps roles. I suspect the reality is that the client has to figure out which protocol slot the server wants to get the token in and provide it there, where service designers make the decision more or less arbitrarily. Page 6 item 4: “The authorization server MAY reject JWTs with an “expiration” claim that is unreasonably far in the future.” This is saying that the validator of the token might choose to reject tokens that are long lived. It’s not clear what the user of this spec can do with this information. It calls for some out-of-band communication between the token issuer and the token validator on what is an acceptable expiration period. Unless the protocol has some way of reporting this back so that the caller can get a shorter-lived token, it seems like a fragile design. Radia
- [secdir] Secdir Review of draft-ietf-oauth-jwt-be… Radia Perlman
- Re: [secdir] Secdir Review of draft-ietf-oauth-jw… Mike Jones
- Re: [secdir] [OAUTH-WG] Secdir Review of draft-ie… Brian Campbell