IETF Logo Mail Archive

[OAUTH-WG] draft-ietf-oauth-saml2-bearer-17

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 02 November 2013 09:07 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD2DE11E8128 for <oauth@ietfa.amsl.com>; Sat, 2 Nov 2013 02:07:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8TYdX1YE5dK2 for <oauth@ietfa.amsl.com>; Sat, 2 Nov 2013 02:07:45 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) by ietfa.amsl.com (Postfix) with ESMTP id 179F411E80EC for <oauth@ietf.org>; Sat, 2 Nov 2013 02:07:42 -0700 (PDT)
Received: from masham-mac.home ([81.164.176.169]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0Lomql-1WAFQf1Atf-00glGc for <oauth@ietf.org>; Sat, 02 Nov 2013 10:07:38 +0100
Message-ID: <5274C0D9.9070300@gmx.net>
Date: Sat, 02 Nov 2013 10:07:37 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:SXahbtcWy2z0M75KOzCKz6lWEL1S+WumH5ZOY25ratYvji9WyAE sBbAB/YbOEzO5u9YK1wdxNVFfsvBZKgk3jnWxKmoykviW3Q4Y2AlWQAypcvP2zim+Fc4Q9k uMcXYaQoJ45UEJy1jcqENFmmiDMDXBKm30JkJ9qQVLE9HuVfxemICeaee31LSb6VBsAHmFq aphKHo8JED64zJ5QUF5Gw==
Subject: [OAUTH-WG] draft-ietf-oauth-saml2-bearer-17
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2013 09:07:51 -0000

Hi Brian, Hi all,

I read through the SAML Bearer draft and here are a few comments:
(actually some of the comments that I made yesterday regarding 
draft-ietf-oauth-jwt-bearer-06)


Section 3:

Item #1: You wrote: "Issuer
         values SHOULD be compared using the Simple String Comparison
         method defined in Section 6.2.1 of RFC 3986 [RFC3986], unless
         otherwise specified by the application."

I would put a MUST here. You can also use the text I proposed for 
draft-ietf-oauth-jwt-bearer-06, which is text I copied from the TLS 
specification.

Also the comment regarding the comparison operation I made in 
draft-ietf-oauth-jwt-bearer-06 is applicable here.

Item #2: You wrote:

"
Section 2.5.1.4 of Assertions and Protocols for the OASIS
         Security Assertion Markup Language [OASIS.saml-core-2.0-os]
         defines the <AudienceRestriction> and <Audience> elements and,
         in addition to the URI references discussed there, the token
         endpoint URL of the authorization server MAY be used as a URI
         that identifies the authorization server as an intended
         audience.  Assertions that do not identify the Authorization
         Server as an intended audience MUST be rejected.
"

The 'MAY' is extremely weak here. If you make it a MUST that there has 
to be the endpoint URL of the authorization server in there then that 
would provide so much more interoperability. As a reader I wouldn't know 
what other options I have and systems that provision necessary databases 
/ tables to ensure that the comparison takes place will also struggle.

Then, there is again this SHOULD regarding the comparison operation, see
"
  Audience
         values SHOULD be compared using the Simple String Comparison
         method defined in Section 6.2.1 of RFC 3986 [RFC3986], unless
         otherwise specified by the application.
"

I would replace it with a MUST, as I argued in 
draft-ietf-oauth-jwt-bearer-06.


Item #3: As in the draft-ietf-oauth-jwt-bearer-06 this part is extremely 
fluffy, except for the case where it talks about the client-id. What 
exactly do I put into the field in the case of an authorization grant?

Item #5: You write:

"
The <Subject> element MUST contain at least one
         <SubjectConfirmation> element that allows the authorization
         server to confirm it as a Bearer Assertion.
"

What do you mean that the AS confirms that it is a bearer assertion? I 
think what you rather want to say is that the AS indicates that it is a 
bearer assertion.

Item #7+8: T I think you should combine the two items since they relate 
to the same issue, namely when to include the <AuthnStatement> element. 
There are two questions:

     Q1: Has the subject been authenticated?

     If 'no', then the <AuthnStatement> cannot be populated.

     If 'yes', then
         Q2: Has the subject requested to be anonymous?

         If 'no', then the <AuthnStatement> element is populated
         with the subject's identity.

         If 'yes', then the <AuthnStatement> MUST NOT be populated.
         (or populated with a field that indicates that the subject
          is anonymous; I don't know SAML enough to tell what the
          right approach here is).

Then you write:
"
The presenter SHOULD
         be identified in the <NameID> or similar element in the
         <SubjectConfirmation> element, or by other available means like
         SAML V2.0 Condition for Delegation Restriction
         [OASIS.saml-deleg-cs].
"

Who is the presenter? Is the presenter the subject?

Item #10: You write:

"
    10.  The Assertion MUST be digitally signed or have a keyed message
         digest applied by the issuer.  The authorization server MUST
         reject assertions with an invalid signature or keyed message
         digest.
"

To my knowledge SAML assertions only support digitial signatures and no 
keyed message digests.

Security Consideration section:


I believe the section needs to say two things into addition to the 
reference to the other specifications, which are already included in the 
security consideration section:

a) The specification does not mandate replay protection for the SAML 
assertion usage for neither the authorization grant nor for the client 
authentication. It is an optional feature.

b) There is actually no authentication happening when these SAML 
assertions are used for client authentication and for the authorization 
grant (in the classical definition of authentication). This may be 
surprising to some why typically assume that the client would have to 
demonstrate proof of possession of a secret, which isn't the case here.

It would have been possible to provide more enhanced funtionality (and 
SAML supports this as well) but it is not provided in the specification. 
Maybe a future specification will provide that functionalility.

I think it is worth pointing out.

Ciao
Hannes

v2.23.0 | Report a Bug | By Email