Thanks again for the review and feedback, Kathleen. I added privacy considerations, as discussed on this thread, to the assertion drafts and published them this morning.
On Sun, Jul 20, 2014 at 6:18 AM, Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> wrote:

> Thanks, Brian. That looks good to me.
>
> Kathleen
>
> On Sat, Jul 19, 2014 at 5:18 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
>> Thanks Kathleen, that makes sense. I do, however, think that a little 'should' would be more appropriate there than a big 'SHOULD' as there's no other use of RFC2119 language in that text. That okay by you? It would read like this:
>>
>> A SAML Assertion may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it's desirable to prevent disclosure of certain information the client, the Subject and/or individual attributes of a SAML Assertion should be encrypted to the authorization server.
>>
>> Deployments should determine the minimum amount of information necessary to complete the exchange and include only that information in an Assertion (typically by limiting what information is included in an <AttributeStatement> or omitting it altogether). In some cases the Subject can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>>
>> On Sat, Jul 19, 2014 at 8:24 AM, Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> wrote:
>>
>>> Thanks for the quick response, Brian. I think the text looks great. The only change I'd like to suggest is in the second sentence, to change the 'may' to 'SHOULD'.
>>>
>>> Best regards,
>>> Kathleen
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 19, 2014, at 1:00 AM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>>>
>>> How about the following (which is intentionally similar to the text I just put forth for your request for privacy consideration in draft-ietf-oauth-jwt-bearer-09)?
>>>
>>> A SAML Assertion may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it's desirable to prevent disclosure of certain information the client, the Subject and/or individual attributes of a SAML Assertion may be encrypted to the authorization server.
>>>
>>> Deployments should determine the minimum amount of information necessary to complete the exchange and include only that information in an Assertion (typically by limiting what information is included in an <AttributeStatement> or omitting it altogether). In some cases the Subject can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>>>
>>> On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I just finished my review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer. The draft looks great, thank you for all of your efforts on it!
>>>>
>>>> I did notice that there were no privacy considerations pointing back to RFC6973, could that text be added? The draft came after the OAuth framework publication (referenced in the security considerations), so I am guessing that is why this was missed as there are privacy considerations in the OAuth assertion draft (I completed that review as well and the draft looked great. I don't have any comments to add prior to progressing the draft).
>>>>
>>>> Thank you.
>>>>
>>>> --
>>>>
>>>> Best regards,
>>>> Kathleen
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
>
> Best regards,
> Kathleen
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
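As an added illustration of the data-minimization guidance in the proposed privacy text (this is example code, not part of the draft or of anyone's message in the thread), the Python below flags an assertion whose Subject is a cleartext identifying NameID rather than an EncryptedID or a transient/persistent identifier and whose AttributeStatement carries cleartext attributes, and strips attributes outside an allowlist, dropping the AttributeStatement altogether when nothing remains. The sample assertion, issuer and attribute names are constructed.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)
# NameID formats that stand for a user without directly identifying the person.
PSEUDONYMOUS_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

# Constructed sample: cleartext e-mail NameID plus three cleartext attributes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c0ffee" Version="2.0"
    IssueInstant="2014-07-20T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dateOfBirth"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="homeAddress"><saml:AttributeValue>1 Main St</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def privacy_findings(xml_text):
    """List privacy-sensitive cleartext content in an assertion, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    subject = root.find("saml:Subject", NS)
    # An EncryptedID is opaque to anyone but the authorization server, so it is fine.
    if subject is not None and subject.find("saml:EncryptedID", NS) is None:
        name_id = subject.find("saml:NameID", NS)
        fmt = name_id.get("Format", "") if name_id is not None else ""
        if fmt not in PSEUDONYMOUS_FORMATS:
            findings.append(f"cleartext identifying Subject (Format={fmt or 'unspecified'})")
    # EncryptedAttribute elements are not reported; only cleartext Attribute elements are.
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        findings.append(f"cleartext attribute {attr.get('Name')}")
    return findings


def minimize(xml_text, keep):
    """Remove cleartext attributes not in `keep`; drop an AttributeStatement left empty."""
    root = ET.fromstring(xml_text)
    for stmt in root.findall("saml:AttributeStatement", NS):
        for attr in stmt.findall("saml:Attribute", NS):
            if attr.get("Name") not in keep:
                stmt.remove(attr)
        if len(stmt) == 0:
            root.remove(stmt)
    return ET.tostring(root, encoding="unicode")
```

Transport protection (TLS) is a property of the channel, not of the document, so it is outside what a linter like this can check.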