Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09
Mike Jones <Michael.Jones@microsoft.com> Sat, 19 July 2014 16:00 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 809BF1B287E for <oauth@ietfa.amsl.com>; Sat, 19 Jul 2014 09:00:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dmDT7K3m8p2Y for <oauth@ietfa.amsl.com>; Sat, 19 Jul 2014 09:00:54 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0139.outbound.protection.outlook.com [207.46.163.139]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 772591B2880 for <oauth@ietf.org>; Sat, 19 Jul 2014 09:00:54 -0700 (PDT)
Received: from BL2PR03MB242.namprd03.prod.outlook.com (10.255.231.18) by BL2PR03MB468.namprd03.prod.outlook.com (10.141.92.27) with Microsoft SMTP Server (TLS) id 15.0.990.7; Sat, 19 Jul 2014 16:00:53 +0000
Received: from CH1PR03CA004.namprd03.prod.outlook.com (10.255.156.149) by BL2PR03MB242.namprd03.prod.outlook.com (10.255.231.18) with Microsoft SMTP Server (TLS) id 15.0.990.7; Sat, 19 Jul 2014 16:00:52 +0000
Received: from BN1AFFO11FD019.protection.gbl (10.255.156.132) by CH1PR03CA004.outlook.office365.com (10.255.156.149) with Microsoft SMTP Server (TLS) id 15.0.990.7 via Frontend Transport; Sat, 19 Jul 2014 16:00:51 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD019.mail.protection.outlook.com (10.58.52.79) with Microsoft SMTP Server (TLS) id 15.0.980.11 via Frontend Transport; Sat, 19 Jul 2014 16:00:51 +0000
Received: from TK5EX14MBXC294.redmond.corp.microsoft.com ([169.254.3.103]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.03.0195.002; Sat, 19 Jul 2014 16:00:20 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09
Thread-Index: AQHPlwV0CYCrEzmZtkW1H310hSfpcZum7GyAgAAfl4CAAGI3AIAAGZoAgAAFhgCAABmfQA==
Date: Sat, 19 Jul 2014 16:00:20 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439ADD6FB5@TK5EX14MBXC294.redmond.corp.microsoft.com>
References: <CAHbuEH5NdcWNrJ1JEpdSaBfCDbz+zUZyiNf_yfJ9zTHxG0G1PQ@mail.gmail.com> <CA+k3eCQp5mkSKsHV5T509ymd4MoA=7E3WdO_94cMPn+wByZknw@mail.gmail.com> <7DDBCE8B-4B39-432E-8925-B0C6D762A54C@oracle.com> <1452B71B-DB68-477E-BFE0-0765387B2934@ve7jtb.com> <CA+k3eCS+PHtid=HpXMSZdN8FEFbGv1d4Us4noATSfrRKTJD7Aw@mail.gmail.com> <AA876C14-48F0-48E8-810B-C70B905B76A3@gmail.com>
In-Reply-To: <AA876C14-48F0-48E8-810B-C70B905B76A3@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439ADD6FB5TK5EX14MBXC294r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(438002)(164054003)(55674003)(199002)(52604005)(24454002)(189002)(377454003)(77096002)(4396001)(95666004)(66066001)(19300405004)(50986999)(85852003)(83072002)(19617315012)(2656002)(31966008)(71186001)(20776003)(85306003)(76176999)(107046002)(99396002)(93886003)(80022001)(512874002)(84676001)(21056001)(74662001)(92566001)(76482001)(46102001)(44976005)(19625215002)(69596002)(97736001)(26826002)(92726001)(19580405001)(77982001)(83322001)(19580395003)(84326002)(104016003)(33656002)(68736004)(81156004)(106116001)(81542001)(79102001)(15975445006)(106466001)(64706001)(86612001)(54356999)(16236675004)(81342001)(87936001)(55846006)(74502001)(15202345003)(86362001)(6806004); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB242; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 02778BF158
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/mHHPNOBRTnVYHkq-X3TYu4Kfpd8
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Jul 2014 16:00:59 -0000
I agree with Brian’s suggested text. Thanks for writing this, Brian!
-- Mike
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Kathleen Moriarty
Sent: Saturday, July 19, 2014 7:28 AM
To: Brian Campbell
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09
Thanks, again! I read the other message first and the one comment is the same to emphasize that you really should be encrypting to prevent disclosure.
Thanks,
Kathleen
Sent from my iPhone
On Jul 19, 2014, at 10:08 AM, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:
I agree that mentioning the RS in this context is only likely to cause confusion.
This draft is only about sending a JWT to the token endpoint at an AS as an authorization grant or as client authentication.
On Sat, Jul 19, 2014 at 6:37 AM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
While a JWT might generically have many different audiences like resource servers, this profile is about sending it to the token endpoint at an AS for authentication or authorization.
I think adding something about the RS will confuse people.
I think Brian's text is fine.
John B.
On Jul 18, 2014, at 11:45 PM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:
Should that be encrypted for the intended audience (aud) of the JWT which may be the AS and/or the resource server?
Phil
On Jul 18, 2014, at 21:52, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:
Sorry for the slow response on this Kathleen, my day job has been keeping me busy recently. And, honestly, I was kind of hopeful someone would volunteer some text in the meantime. But that didn't happen so how about the following?
A JWT may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it’s desirable to prevent disclosure of certain information the client, the JWT may be be encrypted to the authorization server.
Deployments should determine the minimum amount of information necessary to complete the exchange and include only such claims in the JWT. In some cases the "sub" (subject) claim can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
On Thu, Jul 3, 2014 at 3:26 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote:
Hello,
I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good. The only question/comment I have is that I don't see any mention of privacy considerations in the referenced security sections. COuld you add something? It is easily addressed by section 10.8 of RFC6749, but there is no mention of privacy considerations. I'm sure folks could generate great stories about who accessing what causing privacy considerations to be important.
Thanks & have a nice weekend!
--
Best regards,
Kathleen
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-… Kathleen Moriarty
- Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bea… Brian Campbell
- Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bea… Phil Hunt
- Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bea… John Bradley
- Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bea… Brian Campbell
- Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bea… Kathleen Moriarty
- Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bea… Mike Jones