Re: [OAUTH-WG] Martin Duke's No Objection on draft-ietf-oauth-jwsreq-32: (with COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Thu, 08 April 2021 04:44 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DBF43A3903; Wed, 7 Apr 2021 21:44:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12l5ELTsXW3c; Wed, 7 Apr 2021 21:44:52 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640116.outbound.protection.outlook.com [40.107.64.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CC143A38F8; Wed, 7 Apr 2021 21:44:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=B95FTEf95KYClSqPpQ4FnCmzojJu3yex02N+U3ciN7o62HI2KytBJWPKTTFWBc8aBd/FrSWMNIxBh7zFaKNlUiBwIzBlteXQDwnPATg5zZ6yXYYwbTexmRiIrHobmI96RTkLmqanm0x490SlygarvBZuGUbx6LTHBn1eBCqNtih/+XfPkyYq93YqdtxZSVhlyX5ACh7v22V6YPZVe1W1AxIllcy84UWwhkfPAPF/cTDtWTWZMbEHTXGXZJb895iF+8586mGpgMVj4q0yVSuFp9Ho/4Tqq16YTBeQoJncr88t+bK5YEIaBnOHP16uIgRJiL67xg4tHjJrpjJ7h/ocJw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GFXyuUa71H/LDyH59ew1qn3tT7yi/O4h11bbSMOobOI=; b=KsZ/MLYe5EE1kcbaxgjOGXuS0DzUsRicepi2UlXDzFo2JxJag0HCwcgqjQKHXxHheqE48Ra0bVFB1LtsbRhjMB8Ulav9D2Orh4YVAi9ZZG0UqPTljY2mjj9qQbHEhckpW4oYa0F0brNZwn/KWpTkdtdbaeBMZO9vQepVTRN9Dq4OQ4aIkBzGfLWn8Z4L5E/Czy5ijjlBwisxwtkbIGXsEBgbfzHK+KTN6PtwRIGy3C45W3YgtOOt7KqjnDcGRpCCqihfc58NR5JbRpwkUbstdea8cj79kqM4kCwZmQ6YF6CrvIRF8CTNbbq2aRaQDFAW360SfeWdaMnintSrPhznzQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GFXyuUa71H/LDyH59ew1qn3tT7yi/O4h11bbSMOobOI=; b=BlmjqSu3awNHX0OvyC3WcJyxyyecGM+ElVUGdj2rw/K5FT9QxUsUXSl8nFmi9sK9u1bA/50v2EChyMpQsygPjzwX2tvsPwx/HnilE01QNAxs7p5iKY9S8u3ok+s3g+8o3BHbsm2jqEyM0rb7+dMhxy0xHZTlkpxvJlcFm8vJPL8=
Received: from DM5PR00MB0421.namprd00.prod.outlook.com (2603:10b6:4:a0::33) by DM6PR00MB0751.namprd00.prod.outlook.com (2603:10b6:5:1be::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4056.0; Thu, 8 Apr 2021 04:44:43 +0000
Received: from DM5PR00MB0421.namprd00.prod.outlook.com ([fe80::e553:4e87:8c7e:63d5]) by DM5PR00MB0421.namprd00.prod.outlook.com ([fe80::e553:4e87:8c7e:63d5%7]) with mapi id 15.20.4056.000; Thu, 8 Apr 2021 04:44:43 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "martin.h.duke@gmail.com" <martin.h.duke@gmail.com>, "iesg@ietf.org" <iesg@ietf.org>
CC: "draft-ietf-oauth-jwsreq@ietf.org" <draft-ietf-oauth-jwsreq@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>
Thread-Topic: Martin Duke's No Objection on draft-ietf-oauth-jwsreq-32: (with COMMENT)
Thread-Index: AdcsMeE2oUFxE2TgSviIoMFwJNqYLQ==
Date: Thu, 8 Apr 2021 04:44:43 +0000
Message-ID: <DM5PR00MB042158C3EB8C917C9442E687F5749@DM5PR00MB0421.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2021-04-08T02:25:43Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=96a4b1eb-99cb-4bfa-b273-7ffeaa4214a2; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [172.56.42.184]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e0367f5a-cccb-4fa5-7a09-08d8fa490729
x-ms-traffictypediagnostic: DM6PR00MB0751:
x-microsoft-antispam-prvs: <DM6PR00MB075167C96DDA85B2F3AD70C3F5749@DM6PR00MB0751.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: MylrDGNlvNt1AI3Lwd3P+jcPwBy35+vhBy7YXf1B1jzWucDBOQQKty3pSrDrQr3lP75rn6/bRB/LxmyGxmsdD+1jzlHCVv5m2v/7LOmN/GOi/Tc5xqgcgFzX1NPl2QJ4bFu+d3Od11V/2to0HbL2oN5a9RSI2OmRkK+v3oBqMbd0Stk256hOhhdAgK32W0H/HiUdwJdX9+VmHLDmyDNOJeVkyvLBoQ+VMdY9a8HqLrMyZzUZjQoneDLUabk2Fvn0lORZYUtwg1CpxeRe7rKPZTjcP4zh9Rj9VzhjVZtdCXc1dyaRsfFs2ILY9AjV9qCoCXfJ7gzqGk17gjw25Gik4ZWhb2wDqD9YsoTBUaqn2ryDYww+AunDkAnw/yxvMmT8IsWKRyAxE/moCgHQOEZXrwgcx1kX6ItHd9gWTBuE2bUwLwMbHFrvzrVzRb4JlHTe0k4/0bD9oUkrmCzlZ1tLabqYV1XYpVF787zsX2HaDAZgqIFsKIF6ZonqmzBVTROYQaEp6wvUqwb0MNmykS3CgLhBeOtvmPx1BQCaFjrDTKQ5OgClWa/xvvxRt8QIBlQfBP2KtkM/mUUS2Rbmxl8har+JdY1xN+TxeQNsjONkvE7jKB9vz6dgG+5yrSZ5a2+9/RXtTgZfkTX6fxog93xjtV55I7Pod+fgk4++htsWDgrQJLBL9oS9foASY0T4iYX58g0l8ABwQt9CG/A3PbZM5ONHv77GKb6M84UNgBIUCUA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM5PR00MB0421.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(8936002)(2906002)(86362001)(26005)(5660300002)(55016002)(71200400001)(186003)(52536014)(478600001)(83380400001)(54906003)(8990500004)(110136005)(33656002)(966005)(7696005)(10290500003)(4326008)(66476007)(9686003)(66946007)(6506007)(316002)(82950400001)(38100700001)(8676002)(76116006)(66556008)(82960400001)(64756008)(66446008)(53546011); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?utf-8?B?bzhzengwL1owbFZwNlQzUWZLeFQvMk5wQWhjNitFM0g4clZEdVpHTUgvSEYx?= =?utf-8?B?U1JjWG9jRENpUjd5RzZvck1vK0dQUDFYdkQ3MjB1WFZBZjd5dzljeWpJNWZE?= =?utf-8?B?Yk1taXdhbmREM0VlZGYwSDNQQUh4cWp1NjUxOWRhVUVhbDZaR0RBdmVCQytB?= =?utf-8?B?dWloYkFxVCtLdHA1N3g3QnQ2NFFwRHY5cVhHSWhDVC92OUhQN3J3VzEvRnRG?= =?utf-8?B?N2FKWWhibGI5RXdzYnBzTWJROXRLcWtRMnVRUHhucDN3eEpJNUlvRTRyMWFC?= =?utf-8?B?czNpQnUwOUNTTXE0a3NMbFFWaEhRWFpkbU1INmVsMDhBM1Ixb0d2ek9icHFS?= =?utf-8?B?bkg3NG5yQXBMdWgzdTZXNlRTdmNqamhoZEhKUWpjT3NPQ0pnVEJQaUg5RjYx?= =?utf-8?B?TVJ1b2xYbWZmaHlLR2EwSGZpVjczdlplaURNd1o3aUJ5dlVMYmdGVWNoSDdm?= =?utf-8?B?aysrZm92bXhiL2FxSy9JRG9oMmdLZlJuVzIrRm9OdWZEdEgyMk11SjFtZ2Mr?= =?utf-8?B?SFNnMlRCREpQV0pESHFEWTFPTWtnNkZuWGVMVERnM2dnZXYyNnpPUHA0Z3hV?= =?utf-8?B?ZTVqOU43cGtFK0hIVnk5d2xqNnZBRTB3R0xQVDFEMk0xclZrT2F5TlhnK2Jp?= =?utf-8?B?bHZBMldLVEFmdDNjNnEvUkQ2QlN3U05PV09mZTNybTdtRXV3MkdDYWVsZWRO?= =?utf-8?B?Qnp6eW9KMTFld3Npc0VYZUVESDZLZ00rR0l3dFRpK0xVVzZoUDVYQWZEZXpC?= =?utf-8?B?ejVDNWM1Wi9WUTJtRHd4R2krakxmMjRJZmtFQmxCaWk0TUJnalYxNFhORTNt?= =?utf-8?B?eDBFanpjdy9YWFJVUkNjZEJhZnpRVXlSVnNVbWJjb3d2RlpoS1p1Zk1pK25J?= =?utf-8?B?eTlmdmw1Ykw0dTJ1QmVCbVNIN0pBNUkzSDRNT1ppR2huaXcrODJUK1dObTlz?= =?utf-8?B?eGUwZDlaM2hPWVBJZGtzYjlGQ2RQNjJSR21tZHVjQlJkRDgwNGxockc1Rm5Y?= =?utf-8?B?LzNvcHdMR1psaGZpM2hDQjFjbStQTkFjSnl4MVVOT2NNRVkzQ0Z2TmVwM0t4?= =?utf-8?B?Z0llTEE5N0JaalZQbVNqNmdkTS9rWWhTOVNRZjhneWN1TVJoYk5qSjA2WUZX?= =?utf-8?B?b1hNaE5LWHhlaVF1UngrOHdVUWtKWmowMlJCSkhLVUg4ckpkVWZMMWxYcEtS?= =?utf-8?B?ODRTUmlaM2RIZDA4RWhmWXhyd2pPeSt1ZTkrMFQyaU8zSnptL3RUWU93NWRF?= =?utf-8?B?SGx5WXVnWEYxQlB3VDVCRU5TMkQxdWpaODZiSWlKYXpUOVpLQitzanhqTk1a?= =?utf-8?B?TVNSMVYwZXg4OE1xY0R6TDBzNnhHdmxpempvYUE4cFVnd0Zha1BIbTJWQkNJ?= =?utf-8?B?c00zZUVHSjdzR2tjZG54bEYwMHExN2VsSit0K1hOcWxXMS9Sd3NORFczekdV?= =?utf-8?B?OW9GbGhkOU9ybGpiRXdDNFlGYytDbHIydW5aR3pYb2FkQ0RpaWpBcm5RV3VK?= =?utf-8?B?UjRLVWpJbXVET05BWU85RFRoWVc5RHE2ZE9ZcEhwRXpYUzRGZEVIc1VGYkRW?= =?utf-8?B?ZjVEY2R3WFNJMXY3RGxaNUFXU2tPbXZTbVhwaDZIMzhXSXVqNU82dGl5NXo3?= =?utf-8?B?VU5uOUVxTmQ1Q1RHZEdGd0J5Rks0VVhtcDN6OXB6QzU3K1JQVkIxd0NFOFlv?= =?utf-8?B?WjE5dW9QVmFac3ArWHVaRVRrbnRPVHF6c0dHaTFHbHdYQUgvL1dwdG1SZEtr?= =?utf-8?Q?v0N53bz7S9kSUV013Pbg5pUk6bEWGPGnZKPQy5B?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM5PR00MB0421.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e0367f5a-cccb-4fa5-7a09-08d8fa490729
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Apr 2021 04:44:43.2180 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 9iGB0wleU9jRizcNXFmgEnR96fYXHLdLx2rXFH6cE9Tw+BatctSX0a2AJRB/tOv1lVYF4MX0kpraHTQZFFHYTQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0751
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BGBBipVWMMe-kHLszYhDw50dvj0>
Subject: Re: [OAUTH-WG] Martin Duke's No Objection on draft-ietf-oauth-jwsreq-32: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Apr 2021 04:44:58 -0000

Thanks for your review, Martin.  We've published https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-33 to address your and other IESG comments.

Responses are inline below, prefixed by "Mike>".

-----Original Message-----
From: Martin Duke via Datatracker <noreply@ietf.org> 
Sent: Tuesday, April 6, 2021 12:13 PM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-oauth-jwsreq@ietf.org; oauth-chairs@ietf.org; oauth@ietf.org; Hannes.Tschofenig@gmx.net
Subject: Martin Duke's No Objection on draft-ietf-oauth-jwsreq-32: (with COMMENT)

Martin Duke has entered the following ballot position for
draft-ietf-oauth-jwsreq-32: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

After reading Sec 10.5, I was a little unclear how the client and auth server necessarily achieve interoperability, but I think it's just an editorial fix.

If the server advertises that a signed object is required, then it cannot communicate with a client that does not support the extension. But if the object_required metadata is missing, then what is the metadata that tells the client to use a signed object if it can?

IIUC the answer is that the server metadata includes the request_object_signing_alg_values_supported and/or request_object_encryption_alg_values_supported parameter in the metadata. It might be helpful to spell that out here.

Is this correct?

Mike> Yes, correct.  I've added the clarifying point that you suggested by adding this paragraph to the end of Section 10.5:
	    Note that even if "require_signed_request_object"
	    metadata values are not present, the client MAY use signed request objects,
	    provided that there are signing algorithms mutually supported by the client and the server.
	    Use of signing algorithm metadata is described in Section 4.

				Thanks again,
				-- Mike