Thanks

On Sun, Jul 21, 2019, 12:31 PM Barry Leiba <barryle...@computer.org> wrote:

> Thanks, Brian!
>
> Barry
>
> On Sun, Jul 21, 2019 at 11:43 AM Brian Campbell
> <bcampb...@pingidentity.com> wrote:
> >
> > https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been
> > published with the updates discussed in this thread.
> >
> > On Sun, Jul 21, 2019 at 6:14 AM Brian Campbell
> > <bcampb...@pingidentity.com> wrote:
> > >
> > > That works for me.
> > >
> > > On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk <ka...@mit.edu> wrote:
> > > >
> > > > On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
> > > > > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryle...@computer.org>
> > > > > wrote:
> > > > > >
> > > > > > > > — Section 1.1 —
> > > > > > > > Given the extensive discussion of impersonation here, what strikes
> > > > > > > > me as missing is pointing out that impersonation here is still
> > > > > > > > controlled, that “A is B” but only to the extent that’s allowed by
> > > > > > > > the token. First, it might be limited by number of instances (one
> > > > > > > > transaction only), by time of day (only for 10 minutes), and by
> > > > > > > > scope (in regard to B’s address book, but not B’s email). Second,
> > > > > > > > there is accountability: audit information still shows that the
> > > > > > > > token authorized acting as B. Is that not worth clarifying?
> > > > > > >
> > > > > > > My initial response was going to be "sure, I'll add some bits in
> > > > > > > sec 1.1 along those lines to clarify that." However, as I look again
> > > > > > > at that section for good opportunities to make such additions, I
> > > > > > > feel like it is already said that impersonation is controlled.
> > > > > > ...
> > > > > > > So I think it already says that and I'm gonna have to flip it back
> > > > > > > and ask if you have concrete suggestions for changes or additions
> > > > > > > that would say it more clearly or more to your liking?
> > > > > >
> > > > > > It is mentioned, true, and that might be enough. But given that Eve
> > > > > > also replied that she would like more here, let me suggest something,
> > > > > > the use of which is entirely optional -- take it, don't take it,
> > > > > > modify it, riff on it, ignore it completely, as you think best. What
> > > > > > do you think about changing the last sentence of the paragraph?: "For
> > > > > > all intents and purposes, when A is impersonating B, A is B within the
> > > > > > rights context authorized by the token, which could be limited in
> > > > > > scope or time, or by a one-time-use restriction."
> > > > > >
> > > > >
> > > > > Sure, I think that or some slight modification thereof can work just
> > > > > fine. I'll do that and get it and the rest of these changes published
> > > > > when the I-D submission embargo is lifted for Montreal.
> > > >
> > > > My brain is apparently storming and not sleeping. Another option for
> > > > consideration, is to have two sentences:
> > > >
> > > > For all intents and purposes, when A is impersonating B, A is B within
> > > > the rights context authorized by the token. A's ability to impersonate B
> > > > could be limited in scope or time, or even with a one-time-use
> > > > restriction, whether via the contents of the token or an out-of-band
> > > > mechanism.
> > > >
> > > > -Ben
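The point the thread settles on, that impersonation is bounded by the rights context of the token (scope, lifetime, a one-time-use restriction) and remains accountable through audit information, can be shown in a small model. The following is an added illustration, not code from the draft, from RFC 8693, or from any participant: a toy authorization server that issues an impersonation token for "A acting as B" with those limits and records which client obtained it, and a toy resource server that enforces the limits. The issuer URL, client ids, scope strings, the `one_time` private claim and the timestamps are all constructed; the token exchange request itself is not implemented.

```python
"""Constructed model of controlled impersonation after an OAuth token exchange.

Not the draft's or any implementation's code. Claim names follow common JWT
practice; "one_time" is a hypothetical private claim used only for this demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class AuthorizationServer:
    """Issues impersonation tokens and keeps the accountability record."""
    audit_log: List[Dict] = field(default_factory=list)
    _counter: int = 0

    def exchange(self, requesting_client: str, subject: str, scope: str,
                 issued_at: int, lifetime: int, one_time: bool) -> Dict:
        self._counter += 1
        jti = f"tx-{self._counter:04d}"
        token = {
            "iss": "https://as.example",  # constructed issuer
            "sub": subject,               # impersonation: the token says "I am B"
            "scope": scope,               # limit by scope
            "iat": issued_at,
            "exp": issued_at + lifetime,  # limit by time
            "jti": jti,                   # unique id, lets a resource enforce one use
        }
        if one_time:
            token["one_time"] = True      # hypothetical claim: one transaction only
        # Accountability: the server remembers which client was given the right
        # to act as the subject, even though the token itself only names B.
        self.audit_log.append({"jti": jti, "client": requesting_client,
                               "acting_as": subject, "scope": scope,
                               "exp": token["exp"]})
        return token


@dataclass
class ResourceServer:
    """Accepts a token only within the rights context it carries."""
    resource_scope: str
    used_jti: Set[str] = field(default_factory=set)

    def authorize(self, token: Dict, now: int) -> Tuple[bool, str]:
        if now >= token["exp"]:
            return False, "expired"
        if self.resource_scope not in token["scope"].split():
            return False, "out of scope"
        if token.get("one_time") and token["jti"] in self.used_jti:
            return False, "replayed one-time token"
        self.used_jti.add(token["jti"])
        return True, f"acting as {token['sub']}"


def demo() -> Dict:
    """Walk through the limits the thread lists; returns the outcomes."""
    issuer = AuthorizationServer()
    addressbook = ResourceServer("addressbook:read")
    email = ResourceServer("email:read")
    issued = 1_563_800_000  # constructed timestamp

    # Client A obtains a token to act as B for ten minutes, address book only,
    # usable for a single transaction.
    tok = issuer.exchange("client-A", "B", "addressbook:read",
                          issued_at=issued, lifetime=600, one_time=True)
    return {
        "first_use": addressbook.authorize(tok, now=issued + 5),
        "replay": addressbook.authorize(tok, now=issued + 10),
        "wrong_resource": email.authorize(tok, now=issued + 10),
        "after_expiry": addressbook.authorize(tok, now=issued + 601),
        "audit": issuer.audit_log[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The resource server checks expiry before scope and scope before replay, so the reason reported for a rejection is the first limit that fails; the audit entry on the issuer side is what lets an operator later answer "who was acting as B, and under what limits".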
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth