Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-03.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 29 August 2020 12:26 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CA+k3eCQ1z575uRwi3TJmjbcZotaq8Gkp=qBH-n9JbNtjhv4jNg@mail.gmail.com>
Date: Sat, 29 Aug 2020 14:26:18 +0200
Cc: OAuth WG <oauth@ietf.org>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Message-Id: <60E8987A-09FC-4D63-9FE1-CE800F319B54@lodderstedt.net>
References: <159620115034.32558.6249632084531225541@ietfa.amsl.com> <CAOW4vyO5v_b5_3QOKfhXupwbTk19GrpCitKfbGnff_NwYAs_+A@mail.gmail.com> <CA+k3eCQ1z575uRwi3TJmjbcZotaq8Gkp=qBH-n9JbNtjhv4jNg@mail.gmail.com>
To: Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3tqVQuyMoPNVlb82qlChUMbpiro>


> On 11. Aug 2020, at 23:55, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> Hi Francis, 
> 
> My apologies for the tardy response to this - I was away for some time on holiday. But thank you for the review and feedback on the draft. I've tried to respond inline below.
> 
> 
> On Fri, Jul 31, 2020 at 5:01 PM Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org> wrote:
> Below is the only remark I found from reviewing the draft:
> 
> 2.1.  Request: 
> 
> requires the parameters "code_challenge" and "code_challenge_method" but
> https://openid.net/specs/openid-financial-api-part-2-ID2.html#confidential-client mentions that RFC7636 is not required for confidential clients. I guess those two parameters have to be taken off the mandatory list and pushed to the list below.
> 
> The list of parameters in Section 2.1 is qualified with a "basic parameter set will typically include" and is definitely not intended to convey a set of required parameters. It's just a list of parameters that make up a hypothetical typical request.  Perhaps some text in the section or even the formatting needs to be adjusted so as to (hopefully) avoid any confusion like this that the list somehow conveys normative requirements?

Just a note: according to https://tools.ietf.org/html/draft-ietf-oauth-security-topics and https://tools.ietf.org/html/draft-ietf-oauth-v2-1, code_challenge is a mandatory parameter for any client. That’s why we included it in this list. 

The FAPI WG is also considering making PKCE mandatory in FAPI 1. FAPI 2 requires it anyway. 

> 
>  
> - Using jwsreq, non-repudiation is provided as the request is signed (JWS). This section also mentions that the request can be sent form-url-encoded (x-www-form-urlencoded). In this case, there is no way to provide non-repudiation unless we mention that the request can be signed by the client using signature methods declared by the AS (AS metadata).
> 
> I am not aware of any signature methods or means of an AS declaring support for a signature method in metadata that are sufficiently standardized to be mentioned in the context of this draft. The "request" parameter https://tools.ietf.org/html/draft-ietf-oauth-par-03#section-3 can be sent to the PAR endpoint and should provide the same notion of non-repudiation as does jwsreq. I think that's sufficient treatment of non-repudiation for the PAR draft. 
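An added illustration of the point made above about code_challenge, not code from the draft or from any participant in this thread: a client derives an S256 code_challenge per RFC 7636, pushes it to the PAR endpoint together with the "typical request" parameter set from section 2.1, and the AS treats the parameter as mandatory when it accepts the pushed request and checks the code_verifier at the token endpoint. The PAR endpoint URL, client_id, redirect_uri and state values are placeholders chosen for the example; the RFC 7636 Appendix B test vector is used to check the S256 derivation.

```python
"""PKCE code_challenge handling around a pushed authorization request (PAR).
Added example; the endpoint URL and client values are placeholders."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

PAR_ENDPOINT = "https://as.example.com/as/par"  # placeholder, not from the draft


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes
    # base64url-encoded yield exactly 43 characters.
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_par_body(client_id: str, redirect_uri: str, scope: str,
                   state: str, verifier: str) -> str:
    """Form body the client POSTs to the PAR endpoint: the parameter set the
    draft calls typical, with code_challenge always present."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return urlencode(params)


def par_accept(body: str, allow_plain: bool = False) -> dict:
    """AS side of the PAR endpoint.  code_challenge is required for every
    client, as the security-topics BCP and OAuth 2.1 drafts mandate; 'plain'
    is refused by default so a client cannot downgrade from S256."""
    form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if "code_challenge" not in form:
        raise ValueError("invalid_request: code_challenge is required")
    method = form.get("code_challenge_method", "plain")
    if method == "plain" and not allow_plain:
        raise ValueError("invalid_request: code_challenge_method plain not allowed")
    if method not in ("S256", "plain"):
        raise ValueError("invalid_request: unsupported code_challenge_method")
    # Stored alongside the request_uri the PAR endpoint hands back.
    return {"code_challenge": form["code_challenge"],
            "code_challenge_method": method}


def verify_code_verifier(stored: dict, verifier: str) -> bool:
    """Token endpoint check of the code_verifier presented with the code."""
    if not 43 <= len(verifier) <= 128:
        return False
    if stored["code_challenge_method"] == "S256":
        expected = code_challenge_s256(verifier)
    else:
        expected = verifier
    # Constant-time comparison; the challenge is a secret-derived value.
    return hmac.compare_digest(expected, stored["code_challenge"])


if __name__ == "__main__":
    v = new_code_verifier()
    body = build_par_body("s6BhdRkqt3", "https://client.example.org/cb",
                          "openid", "af0ifjsldkj", v)
    stored = par_accept(body)
    print("PAR body:", body)
    print("verifier accepted:", verify_code_verifier(stored, v))
```

The client keeps code_verifier locally and sends only the challenge in the PAR body; the AS binds the challenge to the request_uri it issues and later to the authorization code, so a code leaked or injected without the matching verifier fails at the token endpoint.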