How about the following (which is intentionally similar to the text I just put forth for your request for privacy consideration in draft-ietf-oauth-jwt-bearer-09)?
A SAML Assertion may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it's desirable to prevent disclosure of certain information to the client, the Subject and/or individual attributes of a SAML Assertion may be encrypted to the authorization server. Deployments should determine the minimum amount of information necessary to complete the exchange and include only that information in an Assertion (typically by limiting what information is included in an <AttributeStatement> or omitting it altogether). In some cases the Subject can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants <http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1>.

On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty <[email protected]> wrote:

> Hello,
>
> I just finished my review of
> http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer. The draft
> looks great, thank you for all of your efforts on it!
>
> I did notice that there were no privacy considerations pointing back to
> RFC6973, could that text be added? The draft came after the Oauth
> framework publication (referenced in the security considerations), so I am
> guessing that is why this was missed as there are privacy considerations in
> the oauth assertion draft (I completed that review as well and the draft
> looked great. I don't have any comments to add prior to progressing the
> draft).
>
> Thank you.
>
> --
>
> Best regards,
> Kathleen
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
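As an added illustration (not part of the draft text or of this thread), a small check that applies the two minimisation points from the proposed paragraph to a constructed assertion: it flags a plaintext Subject NameID in an identifying format (as opposed to <EncryptedID> or a pseudonymous/transient format) and any <Attribute> outside the deployment's own allowlist. The function name `privacy_findings`, the `allowed_attributes` parameter and the sample assertion are assumptions of this example.

```python
"""Privacy lint for a SAML 2.0 Assertion (added example; not from the draft)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: plaintext e-mail NameID plus two attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2014-07-15T20:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dateOfBirth"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def privacy_findings(assertion_xml, allowed_attributes):
    """Return a list of finding strings; an empty list means the assertion
    follows the guidance. allowed_attributes is the deployment's own set of
    attributes that are actually needed to complete the exchange."""
    root = ET.fromstring(assertion_xml)
    findings = []

    # Subject: an <EncryptedID> or a pseudonymous format raises no finding;
    # a plaintext NameID in an identifying format (e-mail, X.509 name, ...) does.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        fmt = name_id.get("Format", "")
        if not fmt.endswith(("nameid-format:persistent", "nameid-format:transient")):
            findings.append(
                f"plaintext Subject NameID with identifying format {fmt!r}; "
                "consider <EncryptedID> or a pseudonymous format")

    # AttributeStatement: anything beyond the minimum set is a finding.
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name not in allowed_attributes:
            findings.append(f"attribute {name!r} is not in the minimum set needed for the exchange")
    return findings


if __name__ == "__main__":
    for finding in privacy_findings(SAMPLE_ASSERTION, {"role"}):
        print("-", finding)
```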
