System for Cross-domain Identity Management: Protocol
Note: This ballot was opened for revision 16 and is now closed.
(Barry Leiba) Yes
Kathleen Moriarty (was Discuss) Yes
Comment (2015-05-11 for -18)
Thank you for your work on this draft as I do think the work is important. Thank you also for working with me to resolve discusses on security and privacy concerns with the authentication and authorization protocols that may be used with SCIM. The added text on http authentication methods and security problems with OAuth bearer tokens will be very helpful to implementers and customers evaluating/negotiating security services of their service providers for provisioning.
(Jari Arkko) No Objection
Alia Atlas No Objection
Deborah Brungard No Objection
Ben Campbell (was Discuss) No Objection
Comment (2015-05-14 for -18)
Update: I've released my DISCUSS on this. All my DISCUSS items have been resolved save the last one that I am moving to a comment. My point was to make sure the concern was discussed--if the authors answer that the working group thought about this want to keep it as is, that's okay with me. Former Discuss Point: It's optional (MAY) to include the API version. If the version is missing, the service provider SHOULD perform the operation using the most recent supported version. This seems to allow the client and service provider to disagree on the version being used. Does this cause an interop problem if the later version is not backwards compatible? (Are all new versions expected to be backwards compatible with old versions?) [ I've removed comments that I think have been addressed.] [...] -- 2.1, last paragraph: Just SHOULD? Do you invision situations where it might be reasonable _not_ to take the threats into account? Also, the reference to oath-assertions needs to be normative -- 2.2, "... it MAY be acceptable" [...] -- 3.3, 3rd bullet: How does a service provider know which attributes a client understands? [...] As worded, that sounds like a statement of fact. -- 7.3: That needs to be a normative reference. Also, why is this a SHOULD? Can you envision scenarios where it might be reasonable for implementors NOT to take the countermeasures into account? -- 7.4: Reference to oauth-assertions needs to be normative. -- 7.6, 2nd bullet [...]
Benoit Claise No Objection
Spencer Dawkins No Objection
(Stephen Farrell) No Objection
Comment (2015-05-13 for -18)
Feel free to ignore any of these that overlap with earlier comments, I've not been following all discussion on this one. - section 2 says that bearer tokens based on no authenticaton may be used (as the exception to the "SHOULD NOT be used"). Why is that ok? Maybe s/SHOULD NOT/MUST NOT/ here would be better and justified? - 3.1: seems odd to define schema but then say it's entirely fine to ignore all of that - or am I reading this wrong? - p9, figures and tables should have captions and be numbered and this looks like a table of HTTP methods (not "operations") that has neither. - general: I came across a bunch of places where some forward reference would help (e.g. 3.3 assumes I get what readOnly means; 126.96.36.199 does the same for a "json attribute"). An editing pass to try improve that before the RFC editor would be good I think. - 3.4.2 says: "This SHALL NOT be equal to the number of elements in the resources attribute of the list response if pagination (Section 188.8.131.52) is requested. " What if I ask for pagination with 10 per page and there are a total of 10 matching results? That SHALL NOT seems broken. - 184.108.40.206: Is "pr()" true when a client didn't send a value to the server at creation time but the server included the default value in the response to the PUT? (And what happens to pr() and eq() when the default value changes?) - 220.127.116.11, p21: eq() is case insensitive? I think you badly need a fwd ref to sections 3.8 and 5. - 7.4, para 2 looks truncated
(Brian Haberman) No Objection
(Joel Jaeggli) No Objection
Comment (2015-05-09 for -17)
" o Limit the number of requests any particular client MAY make in a period of time." Great so we going to limit the extent to which an attacker can spam the the thing. that sounds comforting. " These recommendations include but are not limited to: o Provide injection attack counter measures (e.g., by validating all inputs and parameters), o No cleartext storage of credentials, o Store credentials using an encrypted protection mechanism, and " I don’t really think of that as being a recommendation so much as a requirement . if you’re storing clear text passwords somebody needs to take away all your toys.
Alvaro Retana No Objection
Comment (2015-05-12 for -18)
Small nit in Section 1.2 s/Throughout this documents all figures MAY contain spaces/Throughout this document all figures may contain spaces