openid / fapi / issues / #298 - Change "holder of key" to "sender constrained" — Bitbucket

Issue #298 resolved

Dave Tonge created an issue 2020-06-24

I think we should make an editorial change to use the phrase “sender constrained” as this is used in the security-topics document and oauth-mtls.

Comments (11)

Brian Campbell
For whatever pedanticness it’s worth, the phrase “sender constrained” doesn’t appear at all in oauth-mtls/RFC8705. There was pushback on the terminology during (one) WGLC - search for the word “constrained” in https://mailarchive.ietf.org/arch/msg/oauth/k7sFYL7jAFnI0d_NFlvemWTc88A/ which was in response to https://mailarchive.ietf.org/arch/msg/oauth/NrpieecT1nUKiTbHKCk1TU2VjFs/

I guess I'm not saying that this editorial change is the wrong thing to do. But realize there’s some varied use of language already that’s not going to be reconciled just by choosing a particular one here.
- 2020-06-24T13:13:30+00:00
Dave Tonge reporter
Thanks Brian - I must have remembered it from an earlier version.

RFC8705 refers to Certificate-Bound Access Tokens

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15 refers to sender-constrained

I just don’t think we should introduce another term.

@Torsten Lodderstedt and @Daniel Fett are you aware of the pushback on “sender-constrained” that was received for RFC8705?
- 2020-06-24T16:17:29+00:00
Tom Jones
i agree with brian - this is not a common term of art - i personally believe we need to focus on binding as the appropriate term of art
- 2020-06-24T16:33:09+00:00
Brian Campbell
I don’t think there is a generally agreed upon or widely understood term of art, which is part of the problem. I’ve tried to capture that in the excerpt below from my upcoming Identiverse® presentation, “The Burden of Proof”. “sender constrained” is maybe/probably as good as any of them. But I was compelled to point out that RFC8705 doesn’t use the term at all. Perhaps going with “sender constrained” but also providing a brief definition would be advisable?
- 2020-06-24T17:18:48+00:00
Tom Jones
one big problem with “sender constrained” is that is sounds like the sender is constrained, which is not, in fact, true. It is not even clear who the sender is with channel binding. Before we can move to a defensible position we need to eliminate channel binding. I think the community has conflated two or more issues. First of all is proof-of-presence, which you left out, and proof of control of the credential, all a signature shows is proof of access to the credential. Good luck with your disambiguation process. A good taxonomy is very valuable and should be created. No committee seems to own an identity taxonomy. In fact no committee agrees on the meaning of identity.
- 2020-06-24T18:09:24+00:00
Dave Tonge reporter
- assigned issue to
  
  Dave Tonge
- 2020-07-08T06:09:23+00:00
Dave Tonge reporter
- assigned issue to
  
  Torsten Lodderstedt
We agreed that @Torsten Lodderstedt would review the text to check for consistency with OAuth security topics
- 2020-07-08T15:10:43+00:00
Dave Tonge reporter
- changed status to resolved
PR merged
- 2020-08-05T14:05:38+00:00
Nat Sakimura
- changed component to Part 2: Advanced
- 2022-12-14T15:36:12+00:00
Nat Sakimura
- changed component to FAPI 1 – Part 2: Advanced
- 2022-12-14T15:36:46+00:00
Nat Sakimura
- changed component to FAPI 1: Advanced
- 2022-12-14T15:38:56+00:00
Log in to comment

Assignee: Torsten Lodderstedt

Type: bug

Priority: major

Status: resolved

Component: FAPI 1: Advanced

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!