Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop-12.txt> (OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)) to Proposed Standard
Joseph Salowey <joe@salowey.net> Fri, 03 February 2023 21:32 UTC
Return-Path: <joe@salowey.net>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F5CBC14CF13 for <last-call@ietfa.amsl.com>; Fri, 3 Feb 2023 13:32:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsus51VVKa0Z for <last-call@ietfa.amsl.com>; Fri, 3 Feb 2023 13:32:20 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36326C14F693 for <last-call@ietf.org>; Fri, 3 Feb 2023 13:32:20 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id u12so9731867lfq.0 for <last-call@ietf.org>; Fri, 03 Feb 2023 13:32:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=I/HIaefDkGg/eEEB1D0Rum85ryBWUgsmVvBlUaSeMpc=; b=jHD+3cyJ67SPZh2Pek/WG1MJYUGZ22uORM7INBV8gXLtHAk8PGc1v4F4T+41jqA83d Iu6YxMfoeNTwacsIFITC7sRHVjls+rReKErgrn6u5xBux9s8b++NsnLj2HllvsutKzF2 UKcgG1gDQilZ2nHamTUuyAie4C5kJ14IJ9jeo8OUP0wqG7GGoPb5XFL0OTYAgy2ajHth Ef6MYeYq3iDPPgb1xJ9A7yuHjG5Q0tCK+0eLvnOox84oLM9sblmstoSH8pRGgCU7ylbz WxHSKu2tbKLKgu6m4GtDSjKqdB8i+6a7cvjSqizABV+bJbwwepmwsIIu/zsnJ/1J5Q9g hQeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=I/HIaefDkGg/eEEB1D0Rum85ryBWUgsmVvBlUaSeMpc=; b=6ZgopD/HaahMWYHpMTm2kAIzE4FJ0tpFx/LA82YjIqoofCxVHg/IJsUiAMBi9ZeRTX W58MsiEKWNvxjKKqDbJR+16vLnOUJaHfYRmSjbGQwiRNi+lLfwqPL0994kRlHbYUtkO+ jc0lBiojb1GRROkSJxhq4jFlNW+b5lpaQtf9chm0tiGjCqGCsFK6O4tUJ7yhlZJV0kRm ihkzWGUIHk1mrvDzQUKP7H1VxVRPYZbwZvs8kia3liJQXAPoHQwikDskkY1GKaIa/AnB 0yzOsIYdmZRIHhmOEBBbH0MVKLc+rjS0CqxD0FmPP/EhVag8uIEDtf6+E+P2kvAl8iWN OUaQ==
X-Gm-Message-State: AO0yUKW7PEXPK5yGil7jA1lhtTXfwkpu19FT62DuLAFYw22VdHK1eJiB P6E2paCNZwAX9LdlVUXiQrTy+w9o53fEE3qdU9d0cA==
X-Google-Smtp-Source: AK7set9nsaDkOilnJm/h10YHk8QdwT550t80yiN+Lc1d/slhfiq6EOW7g2oUPPASCz/jSzltnGYacTsIq3KT5slG5K0=
X-Received: by 2002:ac2:563a:0:b0:4cc:9d69:4703 with SMTP id b26-20020ac2563a000000b004cc9d694703mr2100402lff.110.1675459938060; Fri, 03 Feb 2023 13:32:18 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoB+5tKqvun=i2NGtVakL+ojc5esWnb8wjHFOX806FpVyQ@mail.gmail.com> <CA+k3eCScniv9AmaRoM59WMwidmfS88Yrmi8LaBoCLDGL0VFwsQ@mail.gmail.com> <CAOgPGoAJ4jky3hyZBoKC8Y80J7J3FcFk5VoQiArn8bUeVjpeLw@mail.gmail.com> <CA+k3eCRX2zX8vDEkjq7QwDeRHYFSPk8FiKmYwWf0yNiS2HC4Kw@mail.gmail.com> <CAOgPGoCNHrYuwuyjXQfxYq4NsWVTXWJa57AgpKAKVRXaGz0Hhg@mail.gmail.com> <CA+k3eCQ6nM+Vg+5Vi1ZZnrj5WWi464i73BWTjbuS-XYp2hV45A@mail.gmail.com> <CAOgPGoDRR13bvDjUYF2Ko9b8D2CE_CgKb6ee20YkD0scodVQqg@mail.gmail.com> <CA+k3eCTwPxmYt-HJYmiVqEZLutFAybcYnHZwWzzD0UiP_2hvpQ@mail.gmail.com>
In-Reply-To: <CA+k3eCTwPxmYt-HJYmiVqEZLutFAybcYnHZwWzzD0UiP_2hvpQ@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Fri, 03 Feb 2023 13:32:04 -0800
Message-ID: <CAOgPGoCgKg-hLENyGPqi2=Bd32ypeYm3u5uQQtz766N1WhiooQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: last-call@ietf.org, draft-ietf-oauth-dpop.all@ietf.org, secdir <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000071a92b05f3d26a44"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/Ui0LzwK6iD07iKPiaxrkYjgqg44>
Subject: Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop-12.txt> (OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)) to Proposed Standard
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Feb 2023 21:32:25 -0000
On Fri, Feb 3, 2023 at 11:09 AM Brian Campbell <bcampbell@pingidentity.com> wrote: > I'm going to make the subsection header a little more specific with > "Binding to Client Identity" but otherwise the suggested text is good. > Thank you! > > [Joe] Thanks. That sounds better. > On Thu, Feb 2, 2023 at 9:08 PM Joseph Salowey <joe@salowey.net> wrote: > >> >> >> On Fri, Jan 27, 2023 at 3:44 PM Brian Campbell < >> bcampbell@pingidentity.com> wrote: >> >>> >>> >>> On Thu, Jan 26, 2023 at 6:40 PM Joseph Salowey <joe@salowey.net> wrote: >>> >>>> >>>> >>>> On Wed, Jan 25, 2023 at 12:21 PM Brian Campbell < >>>> bcampbell@pingidentity.com> wrote: >>>> >>>>> >>>>> >>>>> On Sun, Jan 22, 2023 at 2:47 PM Joseph Salowey <joe@salowey.net> >>>>> wrote: >>>>> >>>>>> Hi Brian, >>>>>> >>>>>> Thanks for the quick reply. Responses inline: (I'm also copying >>>>>> secdir, while this is not a secdir review it might be of interest) >>>>>> >>>>> >>>>> Thanks for noting the addition. Slower reply this time from me. >>>>> Apologies for that. Among other reasons, I'm having a hard time >>>>> articulating my thoughts/replies. But I am trying to give meaningful >>>>> responses. >>>>> >>>>> >>>> [Joe] No problem, thanks for your patience, I realize my main questions >>>> are somewhat outside the core use case here. I have a better understanding >>>> of DPoP now. Additional responses inline below. >>>> >>> >>> Likewise, thanks for your patience. And also likewise, some continued >>> responses inline below. >>> >>> >> [Joe] Sorry for the delay. I included some text to discuss the binding >> to authentication below. >> >> >>> >>> >>>> >>>>> >>>>> On Sat, Jan 21, 2023 at 6:45 AM Brian Campbell < >>>>>> bcampbell@pingidentity.com> wrote: >>>>>> >>>>> Hi Joseph, >>>>>> >>>>>> On Fri, Jan 20, 2023 at 6:10 PM Joseph Salowey <joe@salowey.net> >>>>>> wrote: >>>>>> >>>>>>> These are last call comments for draft-ietf-oauth-dpop-12. >>>>>>> >>>>>>> First, I want to thank the authors and participants for working on >>>>>>> this document, its good to see it and I think it will be very useful. >>>>>>> >>>>>> >>>>>> Thanks! Glad to hear that. I hope it will be useful as well. >>>>>> >>>>>> >>>>>> >>>>>>> I had a few questions/comments. >>>>>>> >>>>>>> 1. Interaction with private_key_jwt >>>>>>> >>>>>>> When I first started to look at the document I got a little >>>>>>> depressed because it brought up the private_key_jwt authentication >>>>>>> mechanism which always makes me a bit sad because while it is an >>>>>>> authentication mechanism of sorts, it's a poor proof-of-possession >>>>>>> mechanism. It's really a self-signed bearer token that's prone to many of >>>>>>> the problems described in the objectives section. This seems to be widely >>>>>>> used as an authentication mechanism especially in cases where an automated >>>>>>> client talks to a service using a pre-configured public key. The document >>>>>>> declares authentication out of scope, but I didn't let myself get too >>>>>>> despondent, because it seems that DPoP could be used to improve the >>>>>>> private_key_jwt client authentication mechanism with a better POP. But >>>>>>> from the document, I'm not quite sure how as the document focuses more on >>>>>>> public clients instead of confidential clients (I think that is the right >>>>>>> terminology). >>>>>>> >>>>>>> If I'm reading the document correctly, I think the client could >>>>>>> include a DPoP Proof JWT header in the token request using the same key >>>>>>> contained the private_key_jwt. The token service could then evaluate both >>>>>>> the private_key_jwt JWT and the DPoP proof JWT before issuing an access >>>>>>> token and refresh tokens to supplement the authentication provided by the >>>>>>> private_key_jwt with a better PoP. Is this correct? >>>>>>> >>>>>>> If so the document should mention this use case as I think it would >>>>>>> improve the some common practice. (I can submit some text if I'm on the >>>>>>> right track). If not is there another DPoP mechanism that should be used >>>>>>> to supplement the private_key_jwt with better PoP? >>>>>>> >>>>>> >>>>>> The DPoP proof JWT and the private_key_jwt JWT ultimately use pretty >>>>>> similar mechanisms so it's not obvious that DPoP is materially better. >>>>>> Supplementing the private_key_jwt somehow with DPoP could be done but I >>>>>> don't believe it'd add much value. >>>>>> >>>>>> >>>>> [Joe] The difference I'm focused on is that DPoP defines the use of >>>>>> nonce, whereas, to my knowledge, there is no standard way to use a nonce >>>>>> with private_key_jwt. The addition of the nonce changes the security >>>>>> properties a bit. >>>>>> >>>>> >>>>> Yes, the nonce is an optional mechanism defined in DPoP and you are >>>>> correct that there's no standard way to use a nonce with private_key_jwt. >>>>> That is FWIW why I tried to use language like "pretty similar" there rather >>>>> than saying they were the same. More generally though, supplementing client >>>>> authentication wasn't a goal the WG had with this document. An >>>>> authorization server could check that the same key was used for >>>>> private_key_jwt and dpop, which I think is what you are looking for. But >>>>> that would be specific to the particular implementation/deployment (and >>>>> need to be documented somehow for interop). There were a nontrivial number >>>>> of WG participants that thought it was important to allow the keys to be >>>>> different so the DPoP keys could be more transient or ephemeral-like. >>>>> >>>>> [Joe] I agree that it's good to support ephemeral keys. I think to >>>> really address this it would take some cryptographic binding between the >>>> authentication and the DPoP. For example, have the auth mechanism sign the >>>> DPoP message (bind the key and nonce to the authentication then move >>>> forward with the key). I can see how this is out of scope of the document, >>>> but I think it probably should be mentioned in the security >>>> considerations. I'll propose some text. >>>> >>> >>> Thank you. Proposed text is very helpful (of course) . >>> >>> >> [Joe] Here is a stab at a security considerations sub-section >> >> ## Binding to Identity >> >> In cases where DPoP is used with client authentication, it is only bound >> to authentication by being coincident in the same TLS tunnel. Since the >> DPoP proof is not directly cryptographically bound to the authentication, >> it's possible that the authentication or the DPoP messages were copied into >> the tunnel. While including the URI in the DPoP can partially mitigate >> some of this risk, modifying the authentication mechanism to provide >> cryptographic binding between authentication and DPoP could provide better >> protection. However, providing additional binding with authentication >> through the modification of authentication mechanisms or other means is >> beyond the scope of this specification. >> >> >>> >>> >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> Using DPoP with/for client authentication to the AS was proposed at >>>>>>> one point during an interim meeting a while back ( >>>>>>> https://datatracker.ietf.org/meeting/interim-2020-oauth-16/materials/slides-interim-2020-oauth-16-sessa-dpop-01.pdf >>>>>>> slide 19) but it was more about trying to simplify some redundancy. There >>>>>>> wasn't sufficient interest in pursuing it at the time anyway. >>>>>>> >>>>>>> [Joe] OK, good to know. >>>>>> >>>>>> >>>>>>> OAuth client authentication is not a defined thing for calls to >>>>>>> resource servers (aka protected resources). As I struggle to find words to >>>>>>> reply here and reread your question/comment, it seems like maybe that >>>>>>> (client using something like private_key_jwt making protected resource API >>>>>>> calls) is the case you are referring to. That's "off-label" use of >>>>>>> private_key_jwt, which I certainly don't endorse but isn't a defined thing >>>>>>> and thus not in scope for DPoP to say anything about. Something like the >>>>>>> client credentials grant with private_key_jwt and DPoP binding the access >>>>>>> token might be a better and standard supported way of accomplishing the >>>>>>> automated client to service w/ pre-configured public key case. FWIW. >>>>>>> >>>>>>> [Joe] Yea it seems there is a bit of confusion about the use of >>>>>> private_key_jwt out there (some of it is probably mine). Here is an >>>>>> example of what coencerns me - >>>>>> https://developers.google.com/identity/protocols/oauth2/service-account#httprest >>>>>> Do you know if its intended usage and perhaps avoiding misusage are defined >>>>>> anywhere. >>>>>> >>>>> >>>>> There's a lot there but it looks like both use of the bearer JWT grant >>>>> type (which is similar to private_key_jwt in some respects but more for an >>>>> automated client talking to a service on-behalf-of a user) and the >>>>> "Addendum: Service account authorization without OAuth" appears similar to >>>>> the "off-label" usage described previously. >>>>> >>>>> >>>>> >>>>>> I think most of this issue is with private_key_jwt and not this >>>>>> document, although I am a bit confused by some of the DPoP document: >>>>>> >>>>>> In section 3, the document says it is "compatible with >>>>>> private_key_jwt and all other client authentication methods." What does >>>>>> that compatibility mean? >>>>>> >>>>> >>>>> That might not be the best word choice but it's intended to mean that >>>>> DPoP can be used alongside any client authentication method and doesn't >>>>> interact or interfere with client auth. They operate independently of one >>>>> another. >>>>> >>>>> >>>> [Joe] I think that helps. I think the doc should mention that it is >>>> not directly bound in the security considerations. They auth and DPoP >>>> presented within the same secure tunnel so there is some binding, but there >>>> is still the possibility that one or both of them originated somewhere else >>>> and was copied into the tunnel. >>>> >>>> >>>>> >>>>> >>>>>> Can the DPoP key be the same as the key used for private_key_jwt? >>>>>> >>>>> >>>>> It certainly can be the same key. But it isn't required to be the >>>>> same. >>>>> >>>>> >>>>> >>>>>> How is DPoP bound to the client authentication? >>>>>> >>>>> >>>>> It's not. >>>>> >>>>> >>>>> >>>>>> >>>>>> At the end of section 5 it has a paragraph that suggests that DPoP >>>>>> might not be beneficial for redeeming refresh tokens in the case that >>>>>> client authentication is used. It seems this might require additional >>>>>> discussion. For example, if DPoP uses the same public key as in the >>>>>> private_key_jwt then binding to the public is already part of the >>>>>> authentication and it seems that DPoP could strengthen the validation for >>>>>> redeeming refresh tokens. >>>>>> >>>>> >>>>> That paragraph is trying to say that refresh tokens issued to clients >>>>> with authentication credentials are not also bound to a DPoP key. Such >>>>> refresh tokens are bound to the client and its respective authentication. >>>>> The same public key used in private_key_jwt and DPoP is possible here. But >>>>> similar to what I tried to articulate in a reply above, that check would be >>>>> deployment specific and a bit beyond what DPoP specifies. >>>>> >>>>> >>>> [Joe] I'm still trying to wrap my head around this one. My main >>>> problem is around the security of the authentication mechanisms. It's not >>>> a DPoP, but DPoP could make things better, however what is really needed is >>>> to improve the auth mechanisms. >>>> >>>> >>>>> >>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> 2. Confirmation Methods >>>>>>>> >>>>>>>> Is the goal of section 6 to define mandatory to implement >>>>>>>> conformation methods? >>>>>>>> >>>>>>> >>>>>>> The goal is to provide an interoperable way to convey the binding of >>>>>>> the access token to the DPoP key for both token introspection and JWT >>>>>>> formated access tokens. That's done with the jkt conformation method >>>>>>> >>>>>>> >>>>>>>> If it is, it should say so. I think the paragraph might be a >>>>>>>> little clearer if it used the term key confirmation method in section 6. >>>>>>>> For example, "Other key confirmation methods, such as those defined in >>>>>>>> [RFC7800] and [RFC8705] may be used per agreement between the authorization >>>>>>>> server and the protected resource, but are not detailed in this >>>>>>>> specification. >>>>>>>> >>>>>>> >>>>>>> The confirmation method in RFC8705 is a hash of a certificate so >>>>>>> isn't applicable/appropriate in the context of DPoP that's using bare JWK >>>>>>> formatted keys. >>>>>>> >>>>>>> >>>>>> [Joe] This wasn't clear to me in the document and I don't necessarily >>>>>> see why it could not be used. I think you can include a certificate >>>>>> reference in the DPoP proof header in the JWK field such as x5t#S256. >>>>>> Perhaps your primary use case is when the client generates a new specific >>>>>> DPoP key for the current transaction, but it doesn't seem to eliminate >>>>>> using a pre-configured key pair which leads to some ambiguity. >>>>>> >>>>> >>>>> It's not meant to eliminate the possibility of using pre-configured >>>>> keys but bare JWK keys would still be used or referenced in this context. >>>>> Certificates just aren't part of DPoP. >>>>> >>>>> [Joe] My main question is that would this statement: >>>> "Other methods of associating a public key with an access token are >>>> possible, per agreement by the authorization server and the protected >>>> resource, but are beyond the scope of this specification.¶ >>>> <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-13#section-6-1> >>>> >>>> Does "methods of associating a public key with an access token" mean >>>> "confirmation method"? and with agreement could a any cnf mechanisms be >>>> used including x5t#S256? >>>> >>> >>> Yes it could be cnf.x5t#S256 but there would be a lot of other "beyond >>> the scope of this specification" stuff needed for it to be workable. Enough >>> extra that I think a mention of it would cause more confusion than be >>> helpful. >>> >>> That statement in the spec is really meaning to say that a dpop public >>> key can be associated with an access token in any way that works for, and >>> is mutually agreed upon, by the AS and RS. It could be a different cnf in a >>> JWT or the JSON of an introspection response. It could be a column in an >>> access token table of a shared database. It could be a >>> field/parameter/member of an integrity protected bit of CBOR or protobuf or >>> whatever. Etc. >>> >>> I get the sense we've been talking past each other on this one though. >>> I'm not sure how to rectify that but thinking it's better to say it out >>> loud than just continue the back-and-forth (despite doing just that in the >>> prior two paragraphs). >>> >>> >>> >> [Joe] Thanks, I think I have a better understanding now and this >> discussion has helped. I don't think there needs to be any modification of >> this section. >> >> >>> >>> >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> 3. Unpredictable Nonces >>>>>> >>>>>> The draft does list that unpredictable nonces have advantages in >>>>>> section 11.2. I believe it should also mention this as a mitigation in >>>>>> section 11.4. I think the document should go further and make >>>>>> unpredictable nonces a MUST or at least RECOMMENDED. >>>>>> >>>>>> >>>>> I think that text in section 11.2 is intended to be descriptive in >>>>> saying these nonces are unpredictable and then describing a security >>>>> benefit of their use. It's not supposed to suggest or allow for some nonces >>>>> to be predictable. Honestly, I think there was/is just an implicit >>>>> assumption/requirement that nonces be unpredictable. But we can add an >>>>> explicit statement somewhere, if you think it's needed? >>>>> >>>>> >>>> [Joe] I think it should have an explicit statement. THere is some test >>>> that could lead an implementer to use a timestamp as a nonce (section 4.3, >>>> section 11.1). >>>> >>> >>> That's a fair point. To try and explain, there's definitely the >>> assumption that the nonce conveys a time value back to the server. But not >>> just a raw timestamp. The assumption was also that it'd be protected >>> somehow with HMAC, AEAD or something. Anyway, yes, having an explicit >>> statement would be worthwhile. >>> >>> >>> >>>> I think you could add to the description of DPoP-Nonce header is >>>> sections 8.9. >>>> >>>> "In order to ensure that the nonce is unpredictable it should have at >>>> least xx bits of entropy." I think 96 is probably a good number for the >>>> bits of entropy. >>>> >>> >>> I'll add something to section 8 that's explicit about the nonce needing >>> to be unpredictable. >>> >>> >>> >> [Joe] Thanks >> >> >>> >>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>>> >>>>>>>> I may have a few additional editorial comments as I go through the >>>>>>>> draft that I will pass along. >>>>>>>> >>>>>>> >>>>>>>> Cheers, >>>>>>>> >>>>>>>> Joe >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>>>>>> privileged material for the sole use of the intended recipient(s). Any >>>>>>> review, use, distribution or disclosure by others is strictly prohibited. >>>>>>> If you have received this communication in error, please notify the sender >>>>>>> immediately by e-mail and delete the message and any file attachments from >>>>>>> your computer. Thank you.* >>>>>> >>>>>> >>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>>>> privileged material for the sole use of the intended recipient(s). Any >>>>> review, use, distribution or disclosure by others is strictly prohibited. >>>>> If you have received this communication in error, please notify the sender >>>>> immediately by e-mail and delete the message and any file attachments from >>>>> your computer. Thank you.* >>>> >>>> >>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>> privileged material for the sole use of the intended recipient(s). Any >>> review, use, distribution or disclosure by others is strictly prohibited. >>> If you have received this communication in error, please notify the sender >>> immediately by e-mail and delete the message and any file attachments from >>> your computer. Thank you.* >> >> > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*
- Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop… Joseph Salowey
- Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop… Brian Campbell
- Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop… Joseph Salowey
- Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop… Brian Campbell
- Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop… Joseph Salowey
- Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop… Brian Campbell
- Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop… Joseph Salowey
- Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop… Brian Campbell
- Re: [Last-Call] Last Call: <draft-ietf-oauth-dpop… Joseph Salowey