[OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-dpop-12.txt

Brian Campbell <bcampbell@pingidentity.com> Thu, 29 December 2022 12:52 UTC

This -12 revision has updates addressing the AD review comments and a few
other minor things that came up during that time.

   -12

   *  Updates from Roman Danyliw's AD review
   *  DPoP-Nonce now included in HTTP header field registration request
   *  Fixed section reference to URI Scheme-Based Normalization
   *  Attempt to better describe the rationale for SHA-256 only and
      expectations for how hash algorithm agility would be achieved if
      needed in the future
   *  Elaborate on the use of multiple WWW-Authenticate challenges by
      protected resources
   *  Fix access token request examples that were missing a client_id


---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Thu, Dec 29, 2022 at 5:43 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-12.txt
To: <i-d-announce@ietf.org>
Cc: <oauth@ietf.org>



A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
        Authors         : Daniel Fett
                          Brian Campbell
                          John Bradley
                          Torsten Lodderstedt
                          Michael Jones
                          David Waite
        Filename        : draft-ietf-oauth-dpop-12.txt
        Pages           : 46
        Date            : 2022-12-29

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-12.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-dpop-12


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

