Re: [secdir] [OAUTH-WG] Secdir Review of draft-ietf-oauth-jwt-bearer-10

Brian Campbell <bcampbell@pingidentity.com> Fri, 17 October 2014 18:29 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A45EA1A03AA for <secdir@ietfa.amsl.com>; Fri, 17 Oct 2014 11:29:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PokPLfDiOF_X for <secdir@ietfa.amsl.com>; Fri, 17 Oct 2014 11:29:57 -0700 (PDT)
Received: from na3sys009aog113.obsmtp.com (na3sys009aog113.obsmtp.com [74.125.149.209]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6493C1A0154 for <secdir@ietf.org>; Fri, 17 Oct 2014 11:29:57 -0700 (PDT)
Received: from mail-ig0-f182.google.com ([209.85.213.182]) (using TLSv1) by na3sys009aob113.postini.com ([74.125.148.12]) with SMTP ID DSNKVEFgIMuwRTSrXvBlZRIhPPPTuLXj8aY7@postini.com; Fri, 17 Oct 2014 11:29:57 PDT
Received: by mail-ig0-f182.google.com with SMTP id hn15so1365644igb.15 for <secdir@ietf.org>; Fri, 17 Oct 2014 11:29:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=ci/Nu0FfRmTBiKDzatZWOKnyhFkeXzWgmu/PQ9R9bBE=; b=bX0RbofdW4oU+8jq/pxUbaf2KJMx3aaNcbscd/YRPVf/bDALAI8wpkDk5Yt2izBosi sfE3WQvdo2qS1kxyWPCH7fqShaJ0unLuByb22WFvi2YjB4HQFVOJ5VMsYSXzXmvbDPqD /UYujZVsYyNyHYGoOS7O0dv8ZZKQRrJvEh6KVPLBnMXkhtMFQ6Ow7IsCN3EVRQ7dr2WV MNztB/hQGMWM0MHsAUVml/3D8E+UMCMCK/gy7BIkE1AxyDj+ZyW+1uX9RV6Rm/eBijd7 +wuLQvuHT3z/+8CzrWpH2dCUcoan1wpP+jX9pRXhQoRBoKQywjO/DsYer2ZjV1rtlQ9e 2u/g==
X-Gm-Message-State: ALoCoQlyzyZxi09F3ui2BrDvz3w/rNKMT3UhElFl8Vj+0Axn05UzcAd7mUiGMe9JvoaKI9Y/rRwnHi1tMD8meJy1GODizuWJbni1ZXF1lpaN8E24ZGSlfJ0RacrSwh/gnabxWLuXOIKULmQc0QXrsvjzkxw1Iz2sBQ==
X-Received: by 10.50.164.194 with SMTP id ys2mr746931igb.43.1413570588398; Fri, 17 Oct 2014 11:29:48 -0700 (PDT)
X-Received: by 10.50.164.194 with SMTP id ys2mr746920igb.43.1413570588295; Fri, 17 Oct 2014 11:29:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.12.137 with HTTP; Fri, 17 Oct 2014 11:29:17 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BAF0C6A@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAFOuuo7jBohCUm7izrRxCZyQdTnCxWMtjsueHYRhf1PxZDvarg@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439BAF0C6A@TK5EX14MBXC286.redmond.corp.microsoft.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 17 Oct 2014 12:29:17 -0600
Message-ID: <CA+k3eCQs-KQxPc+BY5C8uy4aBzoktC1vn660ksXRfa+qSBtC4g@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=089e0149d116c7df9c0505a28cae
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/t1NcwrHfnj5ANZXk4fnAX2YWgvs
Cc: The IESG <iesg@ietf.org>, "draft-ietf-oauth-jwt-bearer.all@tools.ietf.org" <draft-ietf-oauth-jwt-bearer.all@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] [OAUTH-WG] Secdir Review of draft-ietf-oauth-jwt-bearer-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 18:29:58 -0000

I agree with mike that any additional guidance on when you'd want to use an
assertion for client authentication vs. when you would want to use one for
an authorization grant would belong in the generic assertions specification
draft-ietf-oauth-assertions.

I'm struggling with what guidance to give about it, however. Maybe I'm just
too close to things but it seems almost definitional - one is for client
auth and the other is an authz grant.

Radia (or really anyone), is there some specific text you can propose?


On Mon, Oct 6, 2014 at 1:54 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Thanks for your review, Radia.  I've added the working group to the thread
> so that they're aware of your comments.
>
> > From: Radia Perlman [mailto:radiaperlman@gmail.com]
> > Some background guidance on when you would want to use a token for
> client authentication vs. when you would want to use one for an
> authorization grant would be useful. In practice, the distinction between
> the two is subtle. It is common for a token to contain the caller’s
> identity as well as group memberships and perhaps roles. I suspect the
> reality is that the client has to figure out which protocol slot the server
> wants to get the token in and provide it there, where service designers
> make the decision more or less arbitrarily.
>
> This guidance really belongs in the generic assertions specification
> draft-ietf-oauth-assertions.  I'll plan on reviewing that spec with the
> other editors and the working group to see whether the guidance provided
> there needs to be improved.
>
>