[OAUTH-WG] -00 of draft-bradley-stateless-oauth-client
Brian Campbell <bcampbell@pingidentity.com> Sun, 03 November 2013 16:36 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E12B11E815F for <oauth@ietfa.amsl.com>; Sun, 3 Nov 2013 08:36:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.865
X-Spam-Level:
X-Spam-Status: No, score=-5.865 tagged_above=-999 required=5 tests=[AWL=0.111, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R9Jq2J35LvWr for <oauth@ietfa.amsl.com>; Sun, 3 Nov 2013 08:36:43 -0800 (PST)
Received: from na3sys009aog131.obsmtp.com (na3sys009aog131.obsmtp.com [74.125.149.247]) by ietfa.amsl.com (Postfix) with ESMTP id 431ED11E81FE for <oauth@ietf.org>; Sun, 3 Nov 2013 08:36:35 -0800 (PST)
Received: from mail-ie0-f172.google.com ([209.85.223.172]) (using TLSv1) by na3sys009aob131.postini.com ([74.125.148.12]) with SMTP ID DSNKUnZ7kKIELnL8bMPeVgZ4nUM1xRCe3HQ8@postini.com; Sun, 03 Nov 2013 08:36:35 PST
Received: by mail-ie0-f172.google.com with SMTP id tp5so10999182ieb.17 for <oauth@ietf.org>; Sun, 03 Nov 2013 08:36:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=2wMjmwuGdOE/fR+aaYSwJizL52Rc4yI1i/HRK7JpprA=; b=Sb+OxF1fgVrgUlkmNW3iz901Ld4V9cszMFZpg9ZfVxMt6VWNsq2scWRixw8JX0x8wW P3p+WXIzvB0gcmEVN+9gDla2ktuk79IWf7g/WloSIEZJO1qzy0sbcBG3s06Vexql5/AK vQjXmnBTdl7F3cxhNnaARl6YOiNaVfGwUy+GpZu3v0zrCB0q1oKLZQ2Ehzo6p2JGrP+w KdbHKFcQd9TwSGVIPT3OZ1KNKZCrBJ06Ouzp2VT5Lc8Ki5RitZYW0HnN8DokLNw5HI9d yWn6ZKsCR8D6jJ9dgqNPstYkJBsPFzKqOomwXOZ1r6MtuhsUnUvgPqDVKeEMzzX9q+U6 hu7Q==
X-Gm-Message-State: ALoCoQntHxJNm9cKgVm8NYfzJV+iMQFIx4epnfCBP/rEm4PRG4m8YEpNPyypYeI6IBXvBMBvsdKN7T7+Z9/BD11G/l94b/7Lmb6RvszzhP1bT4XhdpKPHuZepePQ9c6fTVVDLiAsr355T1iwCp5/J9slZoYElT5crw==
X-Received: by 10.50.1.102 with SMTP id 6mr9381265igl.0.1383496592422; Sun, 03 Nov 2013 08:36:32 -0800 (PST)
X-Received: by 10.50.1.102 with SMTP id 6mr9381259igl.0.1383496592245; Sun, 03 Nov 2013 08:36:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.245.233 with HTTP; Sun, 3 Nov 2013 08:36:02 -0800 (PST)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 03 Nov 2013 08:36:02 -0800
Message-ID: <CA+k3eCSR+hVFsYnbOzvmxc771kHpe8k1V_Lfo+LFVOy34J=7ow@mail.gmail.com>
To: oauth <oauth@ietf.org>, "<openid-specs-ab@lists.openid.net>" <openid-specs-ab@lists.openid.net>
Content-Type: multipart/alternative; boundary="047d7bd770a4ede5c504ea486681"
Subject: [OAUTH-WG] -00 of draft-bradley-stateless-oauth-client
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2013 16:36:56 -0000
Some musings on http://tools.ietf.org/html/draft-bradley-stateless-oauth-client-00 Abstract: "... allowing for fully stateless operation." --> saying that the statelessness is on the AS side might avoid some confusion. The client is still going to have to maintain state. The kid is header rather than a claim. "The issuer SHOULD sign the JWT with JWS ... issuer MAY encrypt the JWT with JWE." --> this text seems a little off given that the most common case, I'd think, would be an AS who issues these client id JWTs only for its own consumption using JWE's AES_CBC_HMAC_SHA2 which gives encryption and integrity protection. Does the relationship between the "iat" and "exp" claims here and the "client_secret_expires_at" and "client_id_issued_at" parameters of dyn reg need to be explained or explored more? Strikes me as potentially problematic. And what happens when one of these JWT client ids expires or needs to be updated? Or the keys used to create or verify them expire? I know the answer thus far has been that the client will just have to get a new one. But I feel like that might be too limiting in practice. I'd like to further pursue understanding/defining how these kinds of client ids might be used in conjunction with a longer lived way to identify the client that allows the client id (i.e. the metadata) to change but can allow correlation across such changes (the sub claim in this doc even suggests that a client might have such an identifier). As was pointed out in another review, there's a difference between documenting how it's possible for an AS to issue "stateless" client ids for its own use and defining something that allows for some other party to issue such ids. It may make sense to discuss them in the same document but I believe it'd be valuable to have the doc acknowledge and address the difference more.
- [OAUTH-WG] -00 of draft-bradley-stateless-oauth-c… Brian Campbell
- Re: [OAUTH-WG] [Openid-specs-ab] -00 of draft-bra… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] -00 of draft-bra… Brian Campbell