IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for Step-up Authentication

Vittorio Bertocci <vittorio@auth0.com> Thu, 13 October 2022 16:58 UTC

Return-Path: <vittorio.bertocci@okta.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F4137C152596 for <oauth@ietfa.amsl.com>; Thu, 13 Oct 2022 09:58:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.455
X-Spam-Level:
X-Spam-Status: No, score=-2.455 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=okta.com header.b=Yu+tzAhX; dkim=pass (2048-bit key) header.d=auth0.com header.b=E7Ryt948
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QdRnnxu_2qLv for <oauth@ietfa.amsl.com>; Thu, 13 Oct 2022 09:57:58 -0700 (PDT)
Received: from mx0a-00553301.pphosted.com (mx0a-00553301.pphosted.com [205.220.164.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A36EC15259F for <oauth@ietf.org>; Thu, 13 Oct 2022 09:57:57 -0700 (PDT)
Received: from pps.filterd (localhost6.localdomain6 [127.0.0.1]) by mx0b-00553301.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 29DGqYVK001976 for <oauth@ietf.org>; Thu, 13 Oct 2022 09:57:57 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=okta.com; h=mime-version : references : in-reply-to : from : date : message-id : subject : to : cc : content-type; s=proofpoint-2020; bh=RjlU9MfkcoCvJXd4Tj7ZDPG9P3zmyUhp+frkXYm0Xso=; b=Yu+tzAhXqG5OJeyZzlq5QHJ5XyJ4JL5EHx8n2OHfUGVvjFDcwnluQeYk4C0D+KvX9040 2e9+I9/EGV+y92m2r4VKml/zY+norOReZyNqXmecuFoDgPNNqaJnRURfmAObZLUBqF4u 7B449EdAljGhTUI+SzsYpTCkgg8kcEDSqVjVLwzUgllnpuUhZAvrp/sFwq0RFhdiC1Gg yk0SnFzPyhsYfVcgtRqOkoAdaClykVjKfRj8MJli3K0LNJk7bUIv72tJA/ByZMsSliQG 8iIMUIv+A7F7t63/pLBKVsrFATmBohUjFIRGDkAf5ZmBXWP+mAcV3gXEIRuplVH/a13I GQ==
Received: from mail-oi1-f199.google.com (mail-oi1-f199.google.com [209.85.167.199]) by mx0b-00553301.pphosted.com (PPS) with ESMTPS id 3k34usaqs5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <oauth@ietf.org>; Thu, 13 Oct 2022 09:57:56 -0700
Received: by mail-oi1-f199.google.com with SMTP id s8-20020a0568080b0800b00354d7ce1b4fso975263oij.8 for <oauth@ietf.org>; Thu, 13 Oct 2022 09:57:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=newauth0; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RjlU9MfkcoCvJXd4Tj7ZDPG9P3zmyUhp+frkXYm0Xso=; b=E7Ryt948TyyjH2mT1TFgfG9I6VggmdQxO9KYIQmut9QBz5TWApdvx8sbE5fxMNX/L4 lvjTWYUIE48ljQqB3oPyq/XuLxRiGvqREqItRIQ0EHq1+stjAm5+lXRs9oouJOVOb5Ut 1uLq09QctUnpZLpWGhn2dBoSy0Z8VneXPlSSPaqLwI06XkObtZSzxPp4QisLaTY76DwQ guVx2p50L0+rLXU3ipCF2g9k44rFUOEDRl1PJX6rfejDVSBK7pUjrtg6JWtDNBfiD2cB NwNhdr86Yl7trqfq0yt+2jG3hcrYr4lE5UwYcT7AKOINvXHfNb8vz+/MVi78fV3hpqt+ m+nA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RjlU9MfkcoCvJXd4Tj7ZDPG9P3zmyUhp+frkXYm0Xso=; b=iYv+Lc1bOKVCfgJkZ8C8EuCMzV8Pwz0HrqXv5W1SVn1+H3Bw7OrXAeBi7IVzto0Zkx T4UfwCVGac8KbCOueQleP7oGfZJeUzOrKvVqwcJmEBFBLNtCeEXbRWn1iLVkF8G/qN78 ydjDpdFu9xbCx+QhQTgJZ7oNKb7nPXSo6Qbsbmle4WcjNv7XI2XOukAFb1pUfPC3RyMp Kt3D/vT0nmbTEZEu9m3NJRRPXlKdJiE6QsquAxb97Oym7neVYl9lK0ZJVl7LtQmmwAdX 1OqY1+ql9mCxu5oLWAkpmOpY5EZH8/JRJ2P5qZiGqPWEn8ZSjIMvVgwuC2bu/PD3gDXg bILA==
X-Gm-Message-State: ACrzQf2vm/+cjKrZyaE+PYuoraeJPS6u/1IBrGWu3+rOfWcTz/fSdXfb 0KkMRjtpjVJVQ1myBRxYDjrWDm6FLgr0Gdfs7PINNrqxXG1sSeYPU7m9NdUY1UWa8TXvBQy+/q5 ulNEz9gYD+r3dUuc1Dlnd
X-Received: by 2002:a4a:4847:0:b0:443:347d:6617 with SMTP id p68-20020a4a4847000000b00443347d6617mr285621ooa.94.1665680275333; Thu, 13 Oct 2022 09:57:55 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM6zby+zAb8x6vaPVCWW4dGTr+D5UbZV7gjGxucvsvPIlBatODO78bRD38DP7UxgU+EijUHA+AfbsW6NyKVyL9M=
X-Received: by 2002:a4a:4847:0:b0:443:347d:6617 with SMTP id p68-20020a4a4847000000b00443347d6617mr285605ooa.94.1665680274808; Thu, 13 Oct 2022 09:57:54 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9ypW35=CSJaOfaEqZGDLXGLjnMs4_x5Ue10-yP6BcVoQ@mail.gmail.com> <CADNypP95pWPndeBydEbThrrWrPCVDg2Jmor-68HFGHpqRqFtyA@mail.gmail.com> <DBAPR83MB04227E5BB028F94FD337032A915F9@DBAPR83MB0422.EURPRD83.prod.outlook.com> <CAEMK1uaBedVBcoBuf9NY53sa2MRKh2j5gXrnW65PCiGj6Rzu7g@mail.gmail.com> <CAEFJvaoHyDoj3mbKhSqZmwCjE-iNNk0ZF1V6X_b35SDbp9iXjQ@mail.gmail.com> <CA+k3eCSfy6_kDf1BYciiqdZVE93-VBt3WYYiD9fJNFN33_K3xw@mail.gmail.com> <790fb615-c9ef-27eb-6050-c0f179eac452@free.fr> <CA+k3eCTb7A0pbqa=iRa3vaPDUMQ=sEvyFitvKmfduSXc0fXPWg@mail.gmail.com> <e53f3c82-ab89-c5ec-ac2e-ab9fade7a5f6@free.fr> <CA+k3eCR3-8kod-99FnRPBaYyz9FbxBMvjHMDEQCP3FAjiM-bqA@mail.gmail.com> <CAExw9Be5=89Z1uGf+bnKa5hgRXYD_Lbqgwabti5fYEB-kkad+A@mail.gmail.com>
In-Reply-To: <CAExw9Be5=89Z1uGf+bnKa5hgRXYD_Lbqgwabti5fYEB-kkad+A@mail.gmail.com>
From: Vittorio Bertocci <vittorio@auth0.com>
Date: Thu, 13 Oct 2022 09:57:44 -0700
Message-ID: <CAEFJvapA0ouxO_dq55FqiyKqoAz9E241LrZBmnV9GsrNCp0+og@mail.gmail.com>
To: Yusuf Khan <ykhan.mca@gmail.com>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000016f95d05eaed69e6"
X-Gmail-Okta-Auth: Authenticated
X-Gm-Spam: 0
X-Gm-Phishy: 0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-10-13_08,2022-10-13_01,2022-06-22_01
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6kxdgoQWc1-JwcY7W1NrmgyYUa8>
Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2022 16:58:03 -0000

Hi Yusuf,
thanks for your comments.
Before getting to the specific matters you raise: the specification was
submitted as work item and formally adopted by the WG with unambiguous
consensus months ago. We iterated on it on two inperson IETF events,
multiple industry events and on several online discussions also showing
clear interest. We just finished WG last call without identifying
significant issues. And there are already implementations in the wild, as
the problem is real and pressing in the industry. That doesn't mean it will
be useful for everyone, of course, but the evidence for many in the
industry finding this useful is as strong as the IETF process allows.

On the specific questions:
1) If you read the document, you'll see that the specification addresses
precisely the case where the client or the authorization server cannot know
beforehand what the authentication requirements are as they are determined
by the resource on specific circumstances- a common requirement that is
increasingly pervasive as continuous authentication and zero trust gain
popularity and adoption. It is true that this might expose extra info about
the system to an attacker, as mentioned in the security considerations
section, however A) RS can make challenges conditional on received valid
tokens, which eliminates all large scale attacks B) knowing an ACR might
not be particularly actionable without access to the corresponding
credentials, and if those credentials are available they can be tried by
enumeration anyway without the need for a challenge C) equivalent
mechanisms are already available in the standards, see insufficient_scope
and the OIDC claims parameter.
2) This matter was debated at length early on, but the TL;DR is: the
standards already feature general affordances for requesting scopes (via
insufficient_scope) and pretty much anything else (via the claims
parameter). However those methods aren't enjoying widespread adoption,
possibly because their expressive power to describe any requirement makes
it very hard for AS to implement it and very hard for clients and resources
to know what they can rely on.
This specification has been purposefully restricted to one particular use
case for which we have strong evidence there's a need in the wild, and that
is unambiguous enough to implement. During the discussion we did inquire on
other parameters/aspects that would have the same direct applicability but
nothing was identified.

I am happy to dig deeper on any of those aspects. It would be immensely
helpful if you could catch up on the document itself and the discussions
that already occurred so that we can build on the work already done :)
Thanks
V.


On Thu, Oct 13, 2022 at 8:55 AM Yusuf Khan <ykhan.mca@gmail.com> wrote:

> *This message originated outside your organization.*
>
> ------------------------------
>
> Hi All,
>
> I have a question here to challenge the need for this document
> specification:
> 1. Here we are trying an attempt to return the information to the client
> to know the acr requirements for a resource on the resource server. I feel
> it will be true for all other parameters where the provided token is
> insufficient to access the resource e.g. scope, consent duration, any other
> user parameter or client app parameter. And this way we are trying to
> reveal the security requirements which are not valid for a
> legitimate client to know as it's already known to them. In other words,
> revealing this information is actually a favor to the attackers rather to a
> legitimate client who already knows the auth requirements for a resource.
>
> 2. If we really want to support it, then why is it limited to only acr and
> max age. It should be open to any kind of deficiency in the presented token
> so that the client gets to know about it and requests authorization from
> the authz server accordingly.
>
> Based on these assumptions, I am not in favor of supporting it unless
> someone clarifies the above 2 points strongly.
>
> Thanks and regards,
> Yusuf
>
> On Wed, Oct 12, 2022 at 1:55 AM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
>> I don't know offhand a better place or if your specific privacy
>> consideration is already covered. Honestly, with that comment, I was just
>> aiming to keep the scope of this document concise and relevant.
>>
>> On Tue, Oct 11, 2022 at 10:06 AM Denis <denis.ietf@free.fr> wrote:
>>
>>> Hi Brian,
>>>
>>> I agree with you that "must not" is more appropriate in that context.
>>>
>>> I also agree with you that the "privacy implications of opaque tokens
>>> are inherent to OAuth in general".
>>> However, I have not reviewed all the RFCs and I wonder whether such a
>>> privacy consideration has already been mentioned.
>>>
>>> It would be nice to start to mention it, rather than to continue to omit
>>> it. Do you see a better place to mention it ?
>>>
>>> Denis
>>>
>>> Thanks Denis, I agree the word "cannot" isn't quite right there. I
>>> struggled with trying to find the right wording (more than I probably
>>> should have) attempting to add a note/reminder without getting into
>>> normative sounding language. But I also wanted to make a firm statement.
>>> Words are hard sometimes. Oftentimes! But reading it again today, "cannot"
>>> doesn't work very well. I think changing to "must not" is appropriate. The
>>> privacy implications of opaque tokens are inherent to OAuth in general and
>>> I don't believe this draft is an appropriate place to attempt to give them
>>> treatment.
>>>
>>> On Tue, Oct 11, 2022 at 2:57 AM Denis <denis.ietf@free.fr> wrote:
>>>
>>>> Hi Brian,
>>>>
>>>> The text states:
>>>>
>>>> Also recall that OAuth 2.0 [RFC6749] assumes access tokens are treated
>>>> as
>>>> opaque by clients. So, during the course of any token caching
>>>> strategy, a client *cannot* inspect the content of the access token to
>>>> determine the associated authentication information or other details.
>>>> The token format might be unreadable to the client or might change at
>>>> any time to become unreadable.
>>>>
>>>> A client *can *inspect the content of the access token.
>>>>
>>>> A better wording  would be:
>>>>
>>>> ...  a client *should not *inspect the content of the access token ...
>>>>
>>>> It would be worthwhile to add a Privacy Considerations section:
>>>>
>>>> 10. Privacy Considerations
>>>>
>>>> Since access tokens are presumed to be opaque to clients, clients (and
>>>> hence users) are not supposed to inspect the content of the access tokens.
>>>> Authorizations Servers are able to disclose more information than
>>>> strictly necessary about the authenticated user without the end user being
>>>> able to know it. Such additional information may endanger the privacy
>>>> of the user.
>>>>
>>>> Denis
>>>>
>>>>
>>>> I've published an -04. It has that very minor change. There was also an
>>>> off-list discussion during WGLC that resulted in thinking it'd be
>>>> worthwhile
>>>> *to add a reminder that access tokens are opaque to clients*. So I
>>>> took that as LC feedback and -04 adds a brief note towards that end.
>>>>
>>>>
>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/
>>>> <https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/__;!!PwKahg!_tTTH6a6ZkmSuoSd_s22eU8OkYd8Ge2IpfR9ty2PKQeeRJ-35MoeZaZTLf2NpArZhi8OV7QYIGpX075mLQ$>
>>>>
>>>>
>>>>
>>>> On Mon, Oct 10, 2022 at 1:22 PM Vittorio Bertocci <vittorio=
>>>> 40auth0.com@dmarc.ietf.org> wrote:
>>>>
>>>>> Thanks Dima for the comment. Some thoughts:
>>>>>
>>>>> > (editorial)...
>>>>> Good point. "statically" would characterize the simplest of the
>>>>> scenarios, but in fact any case where the AS is the only arbiter of the
>>>>> authn level works for the point we are trying to make. We'll drop
>>>>> "statically". Thanks!
>>>>>
>>>>> > Apart from...
>>>>> This spec focuses on empowering an RS to communicate its ACR and
>>>>> freshness requirements, regardless of the reasons leading the RS to make
>>>>> that determination: the logic by which that happens is explicitly out of
>>>>> scope, and in many real life cases it might simply be unknowable (eg
>>>>> anomaly detection engines based on ML are often back boxes). The mechanism
>>>>> described here can be used alongside other mechanisms that might require
>>>>> the client to get the user to interact with the AS, as it is the case for
>>>>> insufficient_scope, but those remain distinct cases (eg insufficient _scope
>>>>> might not require any step up but simply explicit user consent, and if it
>>>>> does require a stepup, that's entirely determined by the AS without any
>>>>> communication with client or RS required).
>>>>>
>>>>> On Fri, Oct 7, 2022 at 17:43 Dima Postnikov <dima@postnikov.net>
>>>>> wrote:
>>>>>
>>>>>> *This message originated outside your organization.*
>>>>>>
>>>>>> ------------------------------
>>>>>>
>>>>>> Couple of quick comments from me:
>>>>>>
>>>>>> 1) (Editorial) >In simple API authorization scenarios, an
>>>>>> authorization server will statically determine what authentication technique
>>>>>>
>>>>>> In many scenarios, authorization servers will use *dynamic*
>>>>>> decisioning to determine authentication techniques; it's just not
>>>>>> exposed to the client in a way to make it actionable (which is why this
>>>>>> specification's intent makes perfect sense).
>>>>>>
>>>>>> 2) Apart from authentication level, there might be other reasons why
>>>>>> users might be forced to go through the authorization flow, for example,
>>>>>> insufficient authorization / scopes / claims / etc.
>>>>>>
>>>>>> If there is a mechanism to let the client know, as a practitioner,
>>>>>> i'd rather have the same approach for both authentication and
>>>>>> authorization. There are a range of authorization policy engines in the
>>>>>> market that could return "STEP UP is required" after looking at
>>>>>> authentication, authorisation and many other real-time signals. It's just
>>>>>> not standardized...
>>>>>>
>>>>>>
>>>>>> On Sat, Oct 8, 2022 at 7:30 AM Pieter Kasselman <pieter.kasselman=
>>>>>> 40microsoft.com@dmarc.ietf.org> wrote:
>>>>>>
>>>>>>> I am very supportive of this work and have been working through
>>>>>>> different use cases to see whether it can satisfy the requirements that
>>>>>>> arise from them.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> One observation from working through these uses cases is that as
>>>>>>> customers move to Zero Trust architectures, we are seeing customers
>>>>>>> adopting finer grained policy segmentation. Consequently customers are
>>>>>>> planning to deploy segmented access control by data or action sensitivity,
>>>>>>> within a service. This approach to policy design makes it more common for a
>>>>>>> single service to depend on multiple authentication context values or
>>>>>>> combinations of authentication context values.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> An example of this is a policy that has multiple acr values (e.g.
>>>>>>> acr1=password, acr2=FIDO, acr3=selfie check, acr4=trusted network). A
>>>>>>> customer may define a policy that requires different combinations of these
>>>>>>> acr values, for example, a file server may requires password for general
>>>>>>> access (e.g. acr1), FIDO authentication (acr2) or password access and being
>>>>>>> on a trusted network to read sensitive data (acr 2 of (acr1 + acr 4), FIDO
>>>>>>> authentication and password (acr1 + acr2) for accessing editing sensitive
>>>>>>> documents and a real-time selfie check on top of FIDO and presence on a
>>>>>>> trusted network  (acr1 + acr2 + acr3 + acr4) to initiate a sensitive
>>>>>>> workflow (e.g. check-in code). Other variations of this includes database
>>>>>>> access with different types of access requirement for certain rows
>>>>>>> (row-level permissions) or columns (column level permissions) with
>>>>>>> different combinations of acr values.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I was curious if this type of scenario where multiple authentication
>>>>>>> contexts and combinations of contexts are required is something others see
>>>>>>> (or are beginning to see) as well?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Pieter
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Rifaat
>>>>>>> Shekh-Yusef
>>>>>>> *Sent:* Thursday, September 22, 2022 3:02 PM
>>>>>>> *To:* oauth <oauth@ietf.org>
>>>>>>> *Subject:* Re: [OAUTH-WG] WGLC for Step-up Authentication
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *Correction:*
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Please, review the document and provide your feedback on the mailing
>>>>>>> list by *Oct 7th, 2022*.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Sep 22, 2022 at 9:52 AM Rifaat Shekh-Yusef <
>>>>>>> rifaat.s.ietf@gmail.com> wrote:
>>>>>>>
>>>>>>> All,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> This is to start a *WG Last Call *for the *Step-up Authentication *
>>>>>>> document:
>>>>>>>
>>>>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-03.html
>>>>>>> <https://urldefense.com/v3/__https://nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.ietf.org*2Farchive*2Fid*2Fdraft-ietf-oauth-step-up-authn-challenge-03.html&data=05*7C01*7Cpieter.kasselman*40microsoft.com*7C0078f809101147bc978308da9ca32020*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637994521713812011*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000*7C*7C*7C&sdata=18sfemyWqYb06PvUA9eTLaq0ccDY14*2F6ETo58JpE*2FJQ*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!PwKahg!537tJQfGj3Z_Yi2waywl1VPGyDs9818JE-M-KNFgPtoB0O26a7ksRvAYrPyzfKKXsMKCVblAomtRXj8$>
>>>>>>>
>>>>>>>
>>>>>>> Please, review the document and provide your feedback on the mailing
>>>>>>> list by *Sep 30th, 2022*.
>>>>>>>
>>>>>>> Regards,
>>>>>>>  Rifaat & Hannes
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!PwKahg!537tJQfGj3Z_Yi2waywl1VPGyDs9818JE-M-KNFgPtoB0O26a7ksRvAYrPyzfKKXsMKCVblAbcE1GME$>
>>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!PwKahg!_tTTH6a6ZkmSuoSd_s22eU8OkYd8Ge2IpfR9ty2PKQeeRJ-35MoeZaZTLf2NpArZhi8OV7QYIGpYS7lhJA$>
>>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!PwKahg!_tTTH6a6ZkmSuoSd_s22eU8OkYd8Ge2IpfR9ty2PKQeeRJ-35MoeZaZTLf2NpArZhi8OV7QYIGpYS7lhJA$>
>>>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*
>>>>
>>>> _______________________________________________
>>>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!PwKahg!_tTTH6a6ZkmSuoSd_s22eU8OkYd8Ge2IpfR9ty2PKQeeRJ-35MoeZaZTLf2NpArZhi8OV7QYIGpYS7lhJA$>
>>>>
>>>>
>>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>>
>>>
>>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*_______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!PwKahg!_tTTH6a6ZkmSuoSd_s22eU8OkYd8Ge2IpfR9ty2PKQeeRJ-35MoeZaZTLf2NpArZhi8OV7QYIGpYS7lhJA$>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email