[OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-dpop-02.txt
Brian Campbell <bcampbell@pingidentity.com> Wed, 18 November 2020 23:38 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 18 Nov 2020 16:38:01 -0700
Message-ID: <CA+k3eCQHfDtch5F8TXzaZy=kWES2iRAE93_2TxOpQdo1isWycw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1v-Pkwlezn7BldD_4TqWQ2bc3GM>
I've published a somewhat overdue -02 revision of DPoP. The changes in this revision, which aim to address feedback and discussion from the list and prior interim, are summarized below in text copied from the Document History. The changes are a bit difficult to summarize though because, while the document has gotten a bit of an overhaul, the actual protocol bits are mostly unchanged. I do hope and think, however, that this new revision will be easier to digest. Note also that DPoP is the topic for the next interim meeting later this month https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth where I plan to do a similarly poor job explaining the recent updates.

Changes in -02:

* Lots of editorial updates and additions including expanding on the objectives, better defining the key confirmation representations, example updates and additions, better describing mixed bearer/dpop token type deployments, clarify RT binding only being done for public clients and why, more clearly allow for a bound RT but with bearer AT, explain/justify the choice of SHA-256 for key binding, and more
* Require that a protected resource supporting bearer and DPoP at the same time must reject an access token received as bearer, if that token is DPoP-bound
* Remove the case-insensitive qualification on the "htm" claim check
* Relax the jti tracking requirements a bit and qualify it by URI

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Wed, Nov 18, 2020 at 3:26 PM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-02.txt
To: <i-d-announce@ietf.org>
Cc: <oauth@ietf.org>

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
Authors : Daniel Fett, Brian Campbell, John Bradley, Torsten Lodderstedt, Michael Jones, David Waite
Filename : draft-ietf-oauth-dpop-02.txt
Pages : 29
Date : 2020-11-18

Abstract: This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-02.html

A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-02

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/
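The three normative changes listed in the message (reject a DPoP-bound access token that arrives as a Bearer token, compare "htm" exactly rather than case-insensitively, and track "jti" replay per URI) all land on the resource server's validation path. The following is an added illustration, not code from the draft or its authors, of what that validation path looks like after -02. It assumes the JWT signatures of both the access token and the DPoP proof have already been verified elsewhere and works on the decoded claims; the sample key coordinates, token claims and proof are constructed placeholders. Claim and header names ("cnf"/"jkt", "htm", "htu", "jti", "iat", typ "dpop+jwt") follow the draft; the 300-second proof freshness window is a deployment choice, not something the draft fixes.

```python
import base64
import hashlib
import json

# Constructed sample public key. x/y are placeholder strings, not real
# curve coordinates; signature checks are assumed done before this code runs.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
RESOURCE_URI = "https://rs.example/resource"   # constructed


def jwk_thumbprint(jwk):
    """RFC 7638 JWK thumbprint: SHA-256 over the lexically ordered required
    members, base64url without padding. This is the value carried in cnf.jkt."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    digest = hashlib.sha256(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def is_dpop_bound(access_token_claims):
    """A token is DPoP-bound when its cnf claim carries a jkt thumbprint."""
    return "jkt" in access_token_claims.get("cnf", {})


class ProofReplayCache:
    """Tracks seen (htu, jti) pairs. Qualifying by URI, as -02 allows, means
    independent resources need not share one global jti store."""

    def __init__(self):
        self._seen = set()

    def first_use(self, htu, jti):
        key = (htu, jti)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def check_request(scheme, at_claims, proof, method, uri, cache, now, max_age=300):
    """Resource-server decision for one request.

    scheme    : Authorization scheme presented ("Bearer" or "DPoP")
    at_claims : decoded access token claims (signature already verified)
    proof     : {"header": ..., "claims": ...} of the DPoP proof JWT, or None
    returns (accepted, reason)
    """
    if scheme == "Bearer":
        # -02: a resource that supports both schemes MUST reject a DPoP-bound
        # token that is presented as a plain bearer token.
        if is_dpop_bound(at_claims):
            return False, "dpop-bound token presented as Bearer"
        return True, "bearer ok"
    if scheme != "DPoP":
        return False, "unknown scheme"
    if proof is None:
        return False, "missing DPoP proof"
    if not is_dpop_bound(at_claims):
        return False, "token is not DPoP-bound"

    hdr, clm = proof["header"], proof["claims"]
    if hdr.get("typ") != "dpop+jwt":
        return False, "wrong typ"
    # Key confirmation: the proof's public key must hash to the token's jkt.
    if jwk_thumbprint(hdr["jwk"]) != at_claims["cnf"]["jkt"]:
        return False, "proof key does not match cnf.jkt"
    # -02 dropped the case-insensitive qualification: htm is compared exactly.
    if clm.get("htm") != method:
        return False, "htm mismatch"
    if clm.get("htu") != uri:
        return False, "htu mismatch"
    if abs(now - clm.get("iat", 0)) > max_age:
        return False, "stale proof"
    # Replay detection, keyed by URI as well as jti.
    if not cache.first_use(uri, clm["jti"]):
        return False, "replayed jti"
    return True, "dpop ok"


def make_proof(jti, method, uri, iat, jwk=SAMPLE_JWK):
    """Build a constructed (already 'verified') proof for demonstration."""
    return {"header": {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk},
            "claims": {"jti": jti, "htm": method, "htu": uri, "iat": iat}}


if __name__ == "__main__":
    cache = ProofReplayCache()
    bound_token = {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}
    proof = make_proof("j1", "GET", RESOURCE_URI, iat=1000)
    print(check_request("Bearer", bound_token, None, "GET", RESOURCE_URI, cache, now=1001))
    print(check_request("DPoP", bound_token, proof, "GET", RESOURCE_URI, cache, now=1001))
    print(check_request("DPoP", bound_token, proof, "GET", RESOURCE_URI, cache, now=1002))
```

Running the script shows the bound token refused as Bearer, accepted once with a matching proof, and refused on the second presentation of the same proof. Note that the per-URI replay cache is only sound because the htu check runs first: a proof minted for one URI can never be accepted at another, so keying the cache by (htu, jti) loses nothing.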