Re: [OAUTH-WG] WGLC for DPoP Document
Nat Sakimura <sakimura@gmail.com> Fri, 08 April 2022 02:37 UTC
Message-ID: <CABzCy2DY9u+1oeyDRBr9Jw2m2YYs_-NmXT=hNL6-pa22U=cgng@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-ZirunqctTQJxkpFQ7sn9TH58MY>
Thanks for the excellent work. I am happy that the public key confirmation method in JPOP [1] presented at the IETF OAuth WG in 2017 somewhat morphed into DPOP after 5 years. Also, I was very happy to see the

[1] https://datatracker.ietf.org/doc/html/draft-sakimura-oauth-jpop-00

I also apologize that, due to circumstances, I was not able to contribute much to the work during that time. It is almost the first read for me, so perhaps I could be completely off, but it may also provide the questions that a new reader may pose. Here is a set of comments that came to my mind while reading the draft.

1. It was not immediately clear how the client_id is found from the DPoP token request. In the case of JWT Client Authentication, it has `iss` in it showing the client_id. In DPoP, it does not, so I am wondering how. Some explanatory text would help.

2. It was not immediately clear how the binding between the key material presented in the DPoP header in the token request and the client_id is checked. This is critical from the security point of view, so if it could be explained early on, perhaps in the first paragraph of section 5, it would be great.

3. In Figure 8, it would be great if the "cnf" member were formatted as an indented JSON member rather than inline as it stands.

4. In Figure 10, it would be great if the "cnf" member were formatted as an indented JSON member rather than inline as it stands.

5. DPoP Proof Replay, described in 11.1, talks about limiting the validity period as the mitigation. However, in the case of DPoP Proof Phishing via a MITM adversary, it is entirely possible that it is only used once, in time, by the adversary. So, some guidance on server authentication might be good to add.

I might come up with some additional ones by the deadline, but for now, the above is what I have.
Cheers,

Nat Sakimura

On Mon, Mar 28, 2022 at 9:01 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:

> All,
>
> As discussed during the IETF meeting in *Vienna* last week, this is a *WG Last Call* for the *DPoP* document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> Please, provide your feedback on the mailing list by April 11th.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
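As an added example, not code from the draft, from Nat's message or from any DPoP implementation, the following stand-alone Go sketch shows the two checks items 2 and 5 above ask about. The key binding is done the way the draft's `cnf.jkt` member implies: the resource server recomputes the RFC 7638 thumbprint of the `jwk` header in the proof and compares it with the thumbprint the authorization server put in the access token. The section 11.1 replay controls are an `iat` acceptance window plus a `jti` cache. The sketch assumes ES256 over a P-256 key; the access token string, URL, `jti` values and the 60-second window are constructed sample inputs, and it does not model a server-provided nonce. What it makes concrete about item 5 is visible in `Verify`: a proof captured by an in-path adversary and presented once, within the window, passes every check in the function, and the cache only ever catches the second presentation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

func Hash(s string) string { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }

// ToJWK renders the client's P-256 public key as the JWK carried in the proof's "jwk" header.
func ToJWK(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// Thumbprint is the RFC 7638 JWK thumbprint: the AS puts it in cnf.jkt, the RS recomputes it from the proof's key.
func Thumbprint(k map[string]string) string {
	return Hash(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k["crv"], k["kty"], k["x"], k["y"]))
}

// MakeProof builds the client's ES256 DPoP proof for one request; ath is set only when a token is presented.
func MakeProof(priv *ecdsa.PrivateKey, method, uri, token, jti string, iat time.Time) (string, error) {
	hb, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": ToJWK(&priv.PublicKey)})
	c := map[string]any{"jti": jti, "htm": method, "htu": uri, "iat": iat.Unix()}
	if token != "" {
		c["ath"] = Hash(token)
	}
	cb, _ := json.Marshal(c)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier is the RS side. Seen (the jti cache; must be non-nil) rejects a second presentation
// of a proof; nothing below rejects the first one, whoever sends it.
type Verifier struct {
	Now  func() time.Time
	Skew time.Duration // accepted distance of iat from Now
	Seen map[string]bool
}

func (v *Verifier) Verify(proof, method, uri, token, expectJKT string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed proof")
	}
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var h struct{ Typ, Alg string; Jwk map[string]string } // encoding/json matches keys case-insensitively
	var c struct{ Jti, Htm, Htu, Ath string; Iat int64 }
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(hb, &h) != nil || json.Unmarshal(cb, &c) != nil {
		return fmt.Errorf("bad encoding")
	}
	// Key binding: the proof must be signed by the key the access token's cnf.jkt names.
	if h.Typ != "dpop+jwt" || h.Alg != "ES256" || Thumbprint(h.Jwk) != expectJKT {
		return fmt.Errorf("wrong typ/alg, or proof key is not the cnf.jkt key")
	}
	coord := func(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: coord(h.Jwk["x"]), Y: coord(h.Jwk["y"])}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("bad signature")
	}
	// Request binding: method, URI and (on resource requests) the presented access token.
	if c.Htm != method || c.Htu != uri || (token != "" && c.Ath != Hash(token)) {
		return fmt.Errorf("proof is not bound to this request and token")
	}
	if d := v.Now().Sub(time.Unix(c.Iat, 0)); d > v.Skew || d < -v.Skew {
		return fmt.Errorf("iat outside acceptance window")
	}
	if v.Seen[c.Jti] {
		return fmt.Errorf("jti already seen: replay")
	}
	v.Seen[c.Jti] = true
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jkt := Thumbprint(ToJWK(&priv.PublicKey)) // what the AS placed in cnf.jkt of the constructed token "tok"
	rs := &Verifier{Now: time.Now, Skew: 60 * time.Second, Seen: map[string]bool{}}
	proof, _ := MakeProof(priv, "GET", "https://rs.example/r", "tok", "jti-1", time.Now())
	fmt.Println(rs.Verify(proof, "GET", "https://rs.example/r", "tok", jkt)) // <nil>: first use passes, whoever sends it
	fmt.Println(rs.Verify(proof, "GET", "https://rs.example/r", "tok", jkt)) // replay rejected by the jti cache
}
```

Run as is, it prints `<nil>` for the first presentation and the replay error for the second. Shortening `Skew` narrows the time an adversary has, but the first presentation inside that window is indistinguishable from the client's own, which is the gap item 5 points at; the `htu` check only helps when the captured proof was minted for a different URI than the one the adversary presents it to.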