Re: [OAUTH-WG] draft-fett-oauth-dpop-00

Ludwig Seitz <ludwig.seitz@ri.se> Thu, 28 March 2019 11:05 UTC

To: oauth@ietf.org
References: <0a9af6f6-1b5d-244d-06af-9d14461b1d69@yes.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <22f70452-ae33-17a8-317e-1efbfc44d508@ri.se>
Date: Thu, 28 Mar 2019 12:05:20 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0uBLlJe9eA8TONn7ykaPDSj2bVQ>

On 28/03/2019 11:17, Daniel Fett wrote:
> Hi all,
> 
> I published the first version of the DPoP draft at 
> https://tools.ietf.org/html/draft-fett-oauth-dpop-00
> 
> Abstract
> 
>     This document defines a sender-constraint mechanism for OAuth 2.0
>     access tokens and refresh tokens utilizing an application-level
>     proof-of-possession mechanism based on public/private key pairs.
> 
> 
> Thanks for the feedback I received so far from John, Mike, Torsten, and 
> others during today's session or before!
> 
> If you find any errors I would welcome if you open an issue in the 
> GitHub repository at https://github.com/webhamster/draft-dpop
> 
> - Daniel
> 
>

A quick nit:

In figure 3 you seem to be using the "jwk" claim to include the pop-key 
in the token. Any reason for not using the "cnf" claim from RFC 7800?

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
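As an illustration of the point raised above (carrying the proof-of-possession key in the RFC 7800 "cnf" claim rather than as a top-level "jwk" claim), here is an added Python example that is not part of this thread, the DPoP draft, or its GitHub repository. It assumes the RFC 7800 representation `cnf: {"jwk": ...}`, uses RFC 7638 JWK thumbprints to compare keys, and works on already-decoded claim sets; it does not parse or verify JWS signatures. The sample key is a constructed JWK with placeholder coordinates, not a real key.

```python
"""Binding an access token to a PoP key via the RFC 7800 "cnf" claim (added example)."""
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: the required public members that feed the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 keys
}

# Members that must never appear in a key published inside a token (RFC 7800 requires a public key).
_PRIVATE_MEMBERS = ("d", "p", "q", "dp", "dq", "qi", "oth")

# Constructed sample key: placeholder coordinates, not a valid P-256 point.
SAMPLE_PUBLIC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-placeholder",
    "y": "constructed-y-coordinate-placeholder",
    "kid": "client-pop-key-1",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint: required members only, lexicographic order, no whitespace."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
        canonical = {m: jwk[m] for m in members}
    except KeyError as exc:
        raise ValueError("unsupported kty or missing required JWK member") from exc
    encoded = json.dumps(canonical, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64url(hashlib.sha256(encoded).digest())


def bind_key_to_token(claims: dict, public_jwk: dict) -> dict:
    """Authorization server side: attach the PoP key under "cnf" (RFC 7800), not as a top-level "jwk" claim."""
    leaked = [m for m in _PRIVATE_MEMBERS if m in public_jwk]
    if leaked:
        # Refuse rather than silently strip: a private member here means the key handling is broken.
        raise ValueError(f"refusing to embed private JWK members in a token: {leaked}")
    return {**claims, "cnf": {"jwk": public_jwk}}


def bound_key_from_token(claims: dict) -> dict:
    """Resource server side: read the confirmation key from cnf.jwk (RFC 7800 section 3.2)."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("jwk"), dict):
        raise ValueError("token carries no cnf.jwk confirmation key")
    return cnf["jwk"]


def proof_key_matches_token(proof_jwk: dict, claims: dict) -> bool:
    """Resource server check: the key presented in the proof is the key the token was bound to.

    Thumbprints are compared so that cosmetic members (kid, use, alg) neither cause a
    spurious mismatch nor let two different keys look alike. A token without a
    confirmation key is treated as not matching, so an unbound token is rejected.
    """
    try:
        expected = jwk_thumbprint(bound_key_from_token(claims))
        presented = jwk_thumbprint(proof_jwk)
    except ValueError:
        return False
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    token = bind_key_to_token({"iss": "https://as.example", "sub": "alice"}, SAMPLE_PUBLIC_JWK)
    print(json.dumps(token, indent=2))
    print("proof key accepted:", proof_key_matches_token(SAMPLE_PUBLIC_JWK, token))
```

The resource server should treat a token with no `cnf` member as unbound and refuse it on a DPoP-protected endpoint, which is why `proof_key_matches_token` returns `False` rather than falling back to bearer semantics when the claim is absent.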