IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for DPoP Document

John Bradley <ve7jtb@ve7jtb.com> Mon, 11 April 2022 18:39 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 825793A1A10 for <oauth@ietfa.amsl.com>; Mon, 11 Apr 2022 11:39:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 44axNDAQvUfq for <oauth@ietfa.amsl.com>; Mon, 11 Apr 2022 11:39:08 -0700 (PDT)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD1343A1A0B for <oauth@ietf.org>; Mon, 11 Apr 2022 11:39:08 -0700 (PDT)
Received: by mail-vs1-xe32.google.com with SMTP id r25so12773641vsa.13 for <oauth@ietf.org>; Mon, 11 Apr 2022 11:39:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:reply-to :user-agent:mime-version; bh=436eQhIYrmNjrrZ/KB+Qqpi5+SGUkTQe1X0XNNWk/Rw=; b=ZDkOHhohX7330TCbD/MCa3x9OHYWdfiktbyqC2m412u1vrBH0LRPA4v62shj+4g/64 ovjydKjh9NpwMvOh57/64YaJKGC5hnneixxW0+s5grU4tePyHwbqLPctvOQzJwb0cba8 vuuKWZTaTKlWEKMo/OrIjE+jHwMMTQNh2QC9tLcaaIqN/PcwBHAWYQwY7UdS0Rvp8l0v ZWbpQyw/OllpjTIBzFoGw9YESvapA+DSDJTkMe/Nb/TiJL8g/Gf138V5N4b/m2Xd7TWw Xji9SBPinIEY7uxSENnREuwU0I9663o9ODuf1b7fg4NQhIno8hoEqKzpY2EDutIJb5Ty EcGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:reply-to:user-agent:mime-version; bh=436eQhIYrmNjrrZ/KB+Qqpi5+SGUkTQe1X0XNNWk/Rw=; b=StRGI0gqNti6VQ1ebmn+MEZRKoV310D+oDlRZHHqjItrfnj2ODim1UJfToVkFvTK3l /lcp9O2sH+gqqopcqTUQHM0CRh4ZdryNRe1gapzLnES5IbUELWnhWhRSUJ6bbH4Zoj8Q jUIBhtiK1MRvkpXfRoYIfmfFWtsnKtvUBQnDPWLmWvLUDB+jGrO0BCzBQqh/hWbm10P4 S5aCiPLmP34viP0N7K0u47jnaJhPMGCdVKztEymvzLXQi93U0GPoAaA7rnqRKqKOwMmZ 6sCEqYqUCap73GX/cQDoslFyWJKMiQhIoz8bV6xALLahmGuYbGmvzoeLjHymPVstDuAT ZsFQ==
X-Gm-Message-State: AOAM532G18QLA+Rs0i6JLzY1shMmZtV+72pLA0LMO80PMiRWoyj2umzY 1HxA72XIjsKU+z5CA55RKv9HuQ==
X-Google-Smtp-Source: ABdhPJygjWvrN5zQouQ2++NeLsx+itY4MEy+fUvF0+QHQJiRWNHtEzn49ZaE6fcK6nLdYhRNcWXykg==
X-Received: by 2002:a05:6102:3168:b0:328:1ff0:4c42 with SMTP id l8-20020a056102316800b003281ff04c42mr5533175vsm.20.1649702346768; Mon, 11 Apr 2022 11:39:06 -0700 (PDT)
Received: from [100.96.1.203] (5.104.171.108.unassigned.as54203.net. [108.171.104.5]) by smtp.gmail.com with ESMTPSA id x204-20020a1faed5000000b0033ecf0b2f7csm4633557vke.36.2022.04.11.11.39.05 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Apr 2022 11:39:06 -0700 (PDT)
From: John Bradley <ve7jtb@ve7jtb.com>
To: Nat Sakimura <sakimura@gmail.com>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Date: Mon, 11 Apr 2022 18:39:04 +0000
Message-Id: <em675c0505-2fd1-48a4-9599-65b9fe5c3b07@desktop-4sfjljk>
In-Reply-To: <CABzCy2DY9u+1oeyDRBr9Jw2m2YYs_-NmXT=hNL6-pa22U=cgng@mail.gmail.com>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <CABzCy2DY9u+1oeyDRBr9Jw2m2YYs_-NmXT=hNL6-pa22U=cgng@mail.gmail.com>
Reply-To: John Bradley <ve7jtb@ve7jtb.com>
User-Agent: eM_Client/8.2.1659.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MBA1A5B82E-0248-4CCA-B492-36983BC46BBF"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/26FcVqwtMoseca0f4qIGZDeDzC8>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2022 18:39:14 -0000

I support publication.

John Bradley

------ Original Message ------
From: "Nat Sakimura" <sakimura@gmail.com>
To: "Rifaat Shekh-Yusef" <rifaat.s.ietf@gmail.com>; "oauth" 
<oauth@ietf.org>
Sent: 4/7/2022 10:37:21 PM
Subject: Re: [OAUTH-WG] WGLC for DPoP Document

>Thanks for an excellent work.
>I am happy that the public key confirmation method in JPOP [1] 
>presented at IETF OAuth WG in 2017 somewhat morphed into DPOP after 5 
>years. Also, I was very happy to see the
>
>[1] https://datatracker.ietf.org/doc/html/draft-sakimura-oauth-jpop-00
>
>I also apologize that due to circumstances, I was not able to 
>contribute much to the work during the time. It is almost the first 
>read for me so perhaps I could be completely off, but it may also 
>provide the questions that a new reader may pose.
>
>Here is a set of comments that came to my mind while reading the draft.
>It was not immediately clear how the client_id is found from the DPoP 
>token request. In the case of JWT Client Authentication, it has `iss` 
>in it showing the client_id. In DPoP, it does not, so I am wondering 
>how. Some explanatory text would help.
>It was not immediately clear how the binding between the key material 
>presented in the DPoP header in the token request and the client_id is 
>checked. This is critical from the security point of view so if it 
>could be explained early on, perhaps in the first paragraph of section 
>5, it would be great.
>In Figure 8, it would be great if "cnf" member is formatted as an 
>indented JSON member rather than an inline one as it stands.
>In Figure 10, it would be great if "cnf" member is formatted as an 
>indented JSON member rather than an inline one as it stands.
>DPoP Proof Replay described in 11.1 talks about limiting the validity 
>period as the mitigation. However, in the case of DPoP Proof Phishing 
>via MITM adversary, it is entirely possible that it is only used once, 
>in time, by the adversary. So, adding some guidance on server 
>authentication might be good to add.
>I might come up with some additional ones by the deadline, but for now, 
>the above is what I have.
>
>Cheers,
>
>Nat Sakimura
>
>
>On Mon, Mar 28, 2022 at 9:01 PM Rifaat Shekh-Yusef 
><rifaat.s.ietf@gmail.com> wrote:
>>All,
>>
>>As discussed during the IETF meeting in Vienna last week, this is a WG 
>>Last Call for the DPoP document:
>>https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>
>>Please, provide your feedback on the mailing list by April 11th.
>>
>>Regards,
>>  Rifaat & Hannes
>>
>>_______________________________________________
>>OAuth mailing list
>>OAuth@ietf.org
>>https://www.ietf.org/mailman/listinfo/oauth
>
>
>--
>Nat Sakimura (=nat)
>Chairman, OpenID Foundation
>http://nat.sakimura.org/
>@_nat_en

v2.23.0 | Report a Bug | By Email