Re: [OAUTH-WG] WGLC on Assertion Drafts
Brian Campbell <bcampbell@pingidentity.com> Mon, 23 April 2012 12:36 UTC
In-Reply-To: <5710F82C0E73B04FA559560098BF95B1250E8BAD72@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <5710F82C0E73B04FA559560098BF95B1250DE5716F@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <CBADAE5A.2A162%cmortimore@salesforce.com> <5710F82C0E73B04FA559560098BF95B1250E8BAD72@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 23 Apr 2012 06:35:36 -0600
Message-ID: <CA+k3eCQBc7nKo26N+4ETsQkAxbuk1iZMzXthOWv8bueTrHbj3g@mail.gmail.com>
To: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on Assertion Drafts
Just a note (to myself as much as anything) that that same text is also in §6.2, §6.3 & §6.4 and should be updated for all occurrences.

On Fri, Apr 13, 2012 at 12:55 PM, Zeltsan, Zachary (Zachary) <zachary.zeltsan@alcatel-lucent.com> wrote:

> Chuck,
>
> The intent is clear. Perhaps the following change would clarify the text:
>
> Old: The Authorization Server MUST validate the assertion in order to establish a mapping between the Issuer and the secret used to generate the assertion.
>
> New: The Authorization Server MUST validate the assertion's signature in order to verify the Issuer of the assertion.
>
> Zachary
>
> From: Chuck Mortimore [mailto:cmortimore@salesforce.com]
> Sent: Friday, April 13, 2012 1:20 PM
> To: Zeltsan, Zachary (Zachary); Tschofenig, Hannes (NSN - FI/Espoo); oauth@ietf.org
> Subject: Re: [OAUTH-WG] WGLC on Assertion Drafts
>
> Hi Zachary – sorry about the delay in responding.
>
> Perhaps the language is a bit confusing – let me explain the intent and see if it makes sense and if you have a recommendation on how it could be made clearer.
>
> All this is really saying is that the Authorization server must validate the signature to make sure the Issuer is who they say they are. The authorization server would use the Issuer as its mechanism for looking up either the shared secret for an HS256 or the public key for RS256. It then checks the signature, and proves to itself that the generator of the assertion had possession of the expected keying material and identified itself as the issuer.
>
> Feedback welcome
>
> -cmort
>
> On 4/5/12 1:33 PM, "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> wrote:
>
> Hello,
>
> The draft http://tools.ietf.org/html/draft-ietf-oauth-assertions-01, section 6.1 has the following requirement:
>
> The Authorization Server MUST validate the assertion in order to establish a mapping between the Issuer and the secret used to generate the assertion.
>
> I thought that checking a signature is a part of the assertion validation, which cannot be done without knowing the mapping between the issuer and the secret used to generate the assertion.
> It appears that the quoted text requires validation of the assertion prior to checking the signature.
> What am I missing?
>
> Zachary
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo)
> Sent: Thursday, April 05, 2012 10:47 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] WGLC on Assertion Drafts
>
> Hi all,
>
> this is a Last Call for comments on these three documents:
>
> http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-10
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-01
> http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-02
>
> Please have your comments in no later than April 23rd.
>
> Do remember to send a note in if you have read the document and have no other comments other than "it's ready to go" - we need those as much as we need "I found a problem".
>
> Thanks!
>
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
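The issuer-keyed lookup that Chuck describes in the quoted message above (use the Issuer to find the keying material, verify the signature with it, and only then trust the claims), written out as an added example that is not part of this thread or of the assertion drafts. It is a stand-alone Python sketch using only the standard library; the issuer registry, the expected audience and the shared secret are constructed for illustration, and it implements HS256 only, with RS256 following the same shape but verifying an RSA signature against the issuer's registered public key instead. The one caveat it makes explicit in code is that the registry fixes the algorithm per issuer, so the token's own alg header never picks which check runs.

```python
"""Validate a JWT bearer assertion by Issuer-keyed lookup, then signature,
then claims.  Hypothetical example code, not from the OAuth assertion
drafts.  Stdlib only, so HS256 is the only algorithm implemented."""
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer registry (assumption).  The authorization server binds
# each Issuer to BOTH its keying material and the algorithm it must use; the
# assertion's own "alg" header is never allowed to choose the check.
ISSUER_REGISTRY = {
    "https://idp.example.com": {"alg": "HS256", "key": b"constructed-shared-secret"},
}
EXPECTED_AUDIENCE = "https://as.example.com/token"   # constructed token endpoint


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(issuer, key, subject, audience, ttl=300, now=None, alg="HS256"):
    """Mint an assertion (constructed test input, playing the client/IdP side).
    The signature is always HMAC-SHA256; `alg` only sets the header value so a
    test can present a mismatched algorithm claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_assertion(token, registry=ISSUER_REGISTRY, audience=EXPECTED_AUDIENCE, now=None):
    """Return the verified claims or raise ValueError with the rejection reason.

    Order matters: the unverified "iss" claim only SELECTS which key to check
    against.  Nothing in the token is trusted until the signature over
    header.claims has been verified with that issuer's registered key."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError as exc:                       # covers binascii/JSON/unpack errors
        raise ValueError(f"malformed assertion: {exc}")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed assertion: header/claims not JSON objects")

    # Step 1: map the (still unverified) Issuer to its registered keying material.
    entry = registry.get(claims.get("iss"))
    if entry is None:
        raise ValueError("unknown issuer")

    # Step 2: the registration, not the token header, decides how to verify.
    if header.get("alg") != entry["alg"]:
        raise ValueError("algorithm does not match issuer registration")
    if entry["alg"] != "HS256":
        raise ValueError("only HS256 is implemented in this example")

    # Step 3: verify the signature.  This is what proves the sender held the
    # issuer's key, i.e. that the Issuer is who it says it is.
    expected = hmac.new(entry["key"], f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")

    # Step 4: only now are the claims trustworthy; check audience and lifetime.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("assertion expired")
    return claims


def check(token, now=None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason as a string."""
    try:
        validate_assertion(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = ISSUER_REGISTRY["https://idp.example.com"]["key"]
    print(check(make_assertion("https://idp.example.com", key, "alice", EXPECTED_AUDIENCE)))
    print(check(make_assertion("https://idp.example.com", b"wrong-key", "alice", EXPECTED_AUDIENCE)))
```

The wrapper makes the two halves of the discussion visible in one function: the Issuer claim is read before the signature is checked, because it has to be in order to find the key, but it is not believed until the signature check succeeds, which is the wording Zachary's proposed "New" text captures.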
- [OAUTH-WG] WGLC on Assertion Drafts Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] WGLC on Assertion Drafts Justin Richer
- Re: [OAUTH-WG] WGLC on Assertion Drafts Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] WGLC on Assertion Drafts Brian Campbell
- Re: [OAUTH-WG] WGLC on Assertion Drafts Chuck Mortimore
- Re: [OAUTH-WG] WGLC on Assertion Drafts Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] WGLC on Assertion Drafts Brian Campbell