Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-step-up-authn-challenge-14: (with COMMENT)

Vittorio Bertocci <vittorio@auth0.com> Thu, 13 April 2023 06:39 UTC

MIME-Version: 1.0
References: <168136196076.46946.14361049726064538738@ietfa.amsl.com>
In-Reply-To: <168136196076.46946.14361049726064538738@ietfa.amsl.com>
From: Vittorio Bertocci <vittorio@auth0.com>
Date: Wed, 12 Apr 2023 23:11:21 -0700
Message-ID: <CAEFJvap5yO_52FABDw750w5CAqbcYQBCDnLdkCwsOYuLP6h36Q@mail.gmail.com>
To: Murray Kucherawy <superuser@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-step-up-authn-challenge@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rifaat.s.ietf@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8qq3AuLX4xBKmkHL_u_tpUAzhWs>
Subject: Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-step-up-authn-challenge-14: (with COMMENT)

On the SHOULD on top of S4. There are pretty common situations in which
failing to get a response from an API is an acceptable outcome, and
presenting an interactive prompt isn't. A classic example is a background
update that the client can use to proactively fetch fresh data, that isn't
critical for the application function and wasn't initiated by the user. As
such, an interactive prompt could disrupt the user experience by requiring
an action without clear context and not in pursuit of a goal the user
expressed. A MUST would force a complying client to act on the challenge,
making those scenarios hard to handle.

On the SHOULD on top of S5. There we are just describing what the OIDC
specification mandates for ID tokens, hence not providing any new normative
guidance. We echo what OIDC mandates for ID tokens there because we want to
apply the same logic for access tokens, as we later describe in the same
section. In that description we don't introduce a more restrictive MUST
because that would make it hard for the (many) existing authorization
server+OIDC implementations to comply, limiting adoption and for a
relatively small return.

On the quotes: Brian has more experience in RFC authoring than I do, but
it's night in his part of the world, hence I cannot consult him :) However
in the only other spec I authored (rfc9068) I did use quotes for every
claim occurrence in the text, hence I am confident we can do the same here.
Thanks for the catch!

On Wed, Apr 12, 2023 at 9:59 PM Murray Kucherawy via Datatracker <
noreply@ietf.org> wrote:

>
> Murray Kucherawy has entered the following ballot position for
> draft-ietf-oauth-step-up-authn-challenge-14: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks to Robert Sparks for the ARTART reviews and Mark Nottingham for the
> HTTPDIR review.  Please make sure the former was fully addressed before
> proceeding.
>
> The SHOULD at the top of Section 4 is bare.  What happens if I don't do that?
> Or should this really be a MUST?
>
> Same question for the first SHOULD in Section 5.  Is there ever a legitimate
> reason not to do what it says?
>
> I feel that claim names such as "acr" should be quoted.  They look like
> misspelled words otherwise.
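The two points in the reply above (a client that receives a step-up challenge on a background call and legitimately declines to prompt, and a resource server applying the OIDC-style "acr"/"auth_time" check to an access token) can be shown in code. The following is an added illustration, not code from the draft or from its authors. It uses the challenge parameter names the draft defines (error="insufficient_user_authentication", "acr_values", "max_age"); the token is modelled as an already-validated claims dict, so signature, issuer and audience checks are assumed to have happened earlier, and the endpoint URLs, client id and ACR values are constructed sample values.

```python
"""Both sides of the OAuth step-up authentication challenge.

Added illustration, not code from the draft or its authors. Parameter names
(error="insufficient_user_authentication", acr_values, max_age) follow the
draft; the token is modelled as an already-validated claims dict, i.e.
signature, issuer and audience checks are assumed to have happened before.
"""
import re
import time
from typing import Dict, List, Optional
from urllib.parse import urlencode

STEP_UP_ERROR = "insufficient_user_authentication"

# One auth-param: name = quoted-string | token  (RFC 6750 challenge syntax)
_PARAM_RE = re.compile(r'([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_bearer_challenge(header: str) -> Optional[Dict[str, str]]:
    """Return the auth-params of a WWW-Authenticate Bearer value, or None
    if the scheme is not Bearer."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    out: Dict[str, str] = {}
    for m in _PARAM_RE.finditer(params):
        name, quoted, token = m.groups()
        value = quoted if quoted is not None else token
        # undo quoted-pair escaping inside quoted-strings
        out[name.lower()] = value.replace('\\"', '"').replace("\\\\", "\\")
    return out


def check_token_against_policy(claims: dict, required_acrs: List[str],
                               max_age: Optional[int],
                               now: Optional[float] = None) -> Optional[str]:
    """Resource-server side (the Section 5 reasoning): apply to an access
    token the same acr/auth_time check OIDC applies to ID tokens.

    Returns None when the token meets the policy, otherwise the
    WWW-Authenticate value to send with a 401 response."""
    now = time.time() if now is None else now
    acr_ok = claims.get("acr") in required_acrs
    age_ok = max_age is None or (
        "auth_time" in claims and now - claims["auth_time"] <= max_age)
    if acr_ok and age_ok:
        return None
    params = [f'error="{STEP_UP_ERROR}"',
              'error_description="A different authentication level is required"']
    if not acr_ok:
        params.append(f'acr_values="{" ".join(required_acrs)}"')
    if not age_ok:
        params.append(f'max_age="{max_age}"')
    return "Bearer " + ", ".join(params)


def handle_challenge(header: str, *, user_initiated: bool, authz_endpoint: str,
                     client_id: str, redirect_uri: str, state: str) -> Optional[str]:
    """Client side (the Section 4 reasoning): decide whether to act on a challenge.

    Returns the authorization-request URL to send the user to, or None when
    the client declines: the header is not a step-up challenge, or the call
    was a background refresh where an interactive prompt would be unwarranted."""
    params = parse_bearer_challenge(header)
    if not params or params.get("error") != STEP_UP_ERROR:
        return None
    if not user_initiated:
        return None  # accept the failed background call; no prompt
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    # carry the server's requirements into the authorization request
    if "acr_values" in params:
        query["acr_values"] = params["acr_values"]
    if "max_age" in params:
        query["max_age"] = params["max_age"]
    return f"{authz_endpoint}?{urlencode(query)}"


if __name__ == "__main__":
    # Constructed sample: password-only login an hour ago; RS wants MFA < 5 min old
    NOW = 1_681_366_292
    token = {"sub": "alice", "acr": "urn:example:acr:pwd", "auth_time": NOW - 3600}
    challenge = check_token_against_policy(token, ["urn:example:acr:mfa"], 300, now=NOW)
    print(challenge)
    for interactive in (True, False):
        print(interactive, handle_challenge(
            challenge, user_initiated=interactive,
            authz_endpoint="https://as.example/authorize", client_id="app1",
            redirect_uri="https://app.example/cb", state="xyz"))
```

The `user_initiated` flag is what makes the SHOULD workable: the same challenge yields an authorization request when the user asked for the data and a silent failure when a prefetch did. On the resource-server side, an access token that carries no "auth_time" claim fails any max_age policy, which is the conservative reading when freshness is required.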