Thanks, Brian!

Barry

On Sun, Jul 21, 2019 at 11:43 AM Brian Campbell
<bcampb...@pingidentity.com> wrote:
>
> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been 
> published with the updates discussed in this thread.
>
> On Sun, Jul 21, 2019 at 6:14 AM Brian Campbell <bcampb...@pingidentity.com> 
> wrote:
>>
>> That works for me.
>>
>> On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk <ka...@mit.edu> wrote:
>>>
>>> On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
>>> > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryle...@computer.org> 
>>> > wrote:
>>> >
>>> > >
>>> > > >> — Section 1.1 —
>>> > > >> Given the extensive discussion of impersonation here, what strikes me as
>>> > > >> missing is pointing out that impersonation here is still controlled, that “A is
>>> > > >> B” but only to the extent that’s allowed by the token.  First, it might be
>>> > > >> limited by number of instances (one transaction only), by time of day (only for
>>> > > >> 10 minutes), and by scope (in regard to B’s address book, but not B’s email).
>>> > > >> Second, there is accountability: audit information still shows that the token
>>> > > >> authorized acting as B.  Is that not worth clarifying?
>>> > > >
>>> > > > My initial response was going to be "sure, I'll add some bits in sec 1.1
>>> > > > along those lines to clarify that." However, as I look again at that section
>>> > > > for good opportunities to make such additions, I feel like it is already said
>>> > > > that impersonation is controlled.
>>> > > ...
>>> > > > So I think it already says that and I'm gonna have to flip it back and ask if
>>> > > > you have concrete suggestions for changes or additions that would say it more
>>> > > > clearly or more to your liking?
>>> > >
>>> > > It is mentioned, true, and that might be enough.  But given that Eve
>>> > > also replied that she would like more here, let me suggest something,
>>> > > the use of which is entirely optional -- take it, don't take it,
>>> > > modify it, riff on it, ignore it completely, as you think best.  What
>>> > > do you think about changing the last sentence of the paragraph?: "For
>>> > > all intents and purposes, when A is impersonating B, A is B within the
>>> > > rights context authorized by the token, which could be limited in
>>> > > scope or time, or by a one-time-use restriction."
>>> > >
>>> >
>>> > Sure, I think that or some slight modification thereof can work just fine.
>>> > I'll do that and get it and the rest of these changes published when the
>>> > I-D submission embargo is lifted for Montreal.
>>>
>>> My brain is apparently storming and not sleeping.  Another option for
>>> consideration, is to have two sentences:
>>>
>>> For all intents and purposes, when A is impersonating B, A is B within the
>>> rights context authorized by the token.  A's ability to impersonate B could
>>> be limited in scope or time, or even with a one-time-use restriction,
>>> whether via the contents of the token or an out-of-band mechanism.
>>>
>>> -Ben
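The bounded impersonation the thread is wording in prose, shown as an added enforcement check (example code, not from the draft or any implementation it describes): a resource server accepts A's "A is B" token only within the token's scope and lifetime, can treat it as one-time-use through an out-of-band policy rather than a token claim, and records each decision so the audit trail shows the token authorized acting as B. The sample token payload, the `ImpersonationGuard` class and its field names are constructed for this example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample: the decoded payload of a token A obtained via token exchange
# in order to act as B. Signature verification is assumed to have happened upstream.
TOKEN_A_AS_B = {
    "sub": "B",                     # A is B within this token's rights context
    "scope": "addressbook.read",    # B's address book, but not B's email
    "iat": 1563700000,
    "exp": 1563700600,              # ten-minute lifetime
    "jti": "tx-0001",
}


@dataclass
class ImpersonationGuard:
    """Resource-server enforcement of the limits on 'A is B': scope, lifetime and,
    as an out-of-band policy, one-time use. Every decision is appended to `audit`
    so the trail shows which presenter acted as which subject under which token."""
    required_scope: str
    clock: Callable[[], float] = time.time
    one_time_use: bool = False
    used_jti: set = field(default_factory=set)   # replay cache, consulted only when one_time_use
    audit: list = field(default_factory=list)

    def authorize(self, claims: dict, presenter: str) -> bool:
        reason = "allow"
        if self.required_scope not in claims.get("scope", "").split():
            reason = "scope"
        elif claims.get("exp", 0) <= self.clock():
            reason = "expired"
        elif self.one_time_use and claims.get("jti") is None:
            reason = "no-jti"                   # cannot enforce one-time use without an id
        elif self.one_time_use and claims["jti"] in self.used_jti:
            reason = "replay"
        if reason == "allow" and self.one_time_use:
            self.used_jti.add(claims["jti"])
        self.audit.append({"presenter": presenter, "acting_as": claims.get("sub"),
                           "jti": claims.get("jti"), "decision": reason})
        return reason == "allow"


def run_demo() -> list:
    """Exercise each restriction once; returns the audit decisions in order."""
    guard = ImpersonationGuard("addressbook.read", clock=lambda: 1563700100, one_time_use=True)
    guard.authorize(TOKEN_A_AS_B, "A")          # allow
    guard.authorize(TOKEN_A_AS_B, "A")          # replay of a one-time-use token
    email = ImpersonationGuard("email.read", clock=lambda: 1563700100)
    email.authorize(TOKEN_A_AS_B, "A")          # scope does not cover B's email
    late = ImpersonationGuard("addressbook.read", clock=lambda: 1563700601)
    late.authorize(TOKEN_A_AS_B, "A")           # past the ten-minute window
    return [e["decision"] for e in guard.audit + email.audit + late.audit]
```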

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
