Re: [OAUTH-WG] draft-fett-oauth-dpop-00

Brian Campbell <bcampbell@pingidentity.com> Tue, 02 April 2019 15:35 UTC

References: <0a9af6f6-1b5d-244d-06af-9d14461b1d69@yes.com> <22f70452-ae33-17a8-317e-1efbfc44d508@ri.se> <BL0PR00MB0292CA3C921F1E21A3E96ED7F5590@BL0PR00MB0292.namprd00.prod.outlook.com>
In-Reply-To: <BL0PR00MB0292CA3C921F1E21A3E96ED7F5590@BL0PR00MB0292.namprd00.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 02 Apr 2019 10:35:06 -0500
Message-ID: <CA+k3eCRsJ9UJS3uZy6nSBrJ2QX21RSW-z_SBBdK5g=6AEu1HkQ@mail.gmail.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: Ludwig Seitz <ludwig.seitz@ri.se>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BHPP5tnuR4KyEE2ZuKwd5v4Wrr4>
Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00

Except that the jwk header is more appropriate in the given context
https://tools.ietf.org/html/rfc7515#section-4.1.3 - it is the public key
that corresponds to the key used to digitally sign the JWS.  Which is what
it is.



On Thu, Mar 28, 2019, 6:32 AM Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:

> Good observation, Ludwig.  We should do that.
>
>                                 -- Mike
>
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Ludwig Seitz
> Sent: Thursday, March 28, 2019 12:05 PM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00
>
> On 28/03/2019 11:17, Daniel Fett wrote:
> > Hi all,
> >
> > I published the first version of the DPoP draft at
> > https://tools.ietf.org/html/draft-fett-oauth-dpop-00
> >
> > Abstract
> >
> >     This document defines a sender-constraint mechanism for OAuth 2.0
> >     access tokens and refresh tokens utilizing an application-level
> >     proof-of-possession mechanism based on public/private key pairs.
> >
> >
> > Thanks for the feedback I received so far from John, Mike, Torsten,
> > and others during today's session or before!
> >
> > If you find any errors I would welcome if you open an issue in the
> > GitHub repository at https://github.com/webhamster/draft-dpop
> >
> > - Daniel
> >
> >
>
> A quick nit:
>
> in figure 3 you seem to be using the "jwk" claim to include the pop-key in
> the token. Any reason for not using the "cnf" claim from RFC 7800?
>
> /Ludwig
>
>
> --
> Ludwig Seitz, PhD
> Security Lab, RISE
> Phone +46(0)70-349 92 51
>

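The distinction the thread turns on is where the proof-of-possession key lives: the `jwk` header (RFC 7515 §4.1.3) belongs in the protected header of the JWS that the key signed, while `cnf` (RFC 7800) is a claim inside the token that names the key the token is bound to. The following added example, not code from the draft or from any participant in this thread, shows how the two fit together in the shape later DPoP revisions converged on (RFC 9449): the proof JWS carries the public key in its `jwk` header, the access token carries an RFC 7638 thumbprint of that key in `cnf.jkt`, and a resource server binds the two by recomputing the thumbprint. The EC key values are constructed sample strings, not a real key pair; signing and signature verification of the proof are left to a JOSE library and are not shown here.

```python
import base64
import hashlib
import hmac
import json

# Members that enter the RFC 7638 thumbprint, per key type (lexicographic order).
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}
# Members that would mean private or secret key material is present.
PRIVATE_MEMBERS = ("d", "p", "q", "dp", "dq", "qi", "oth", "k")

# Constructed sample public JWK (assumption: coordinate strings are placeholders,
# not a key pair anyone holds).
CONSTRUCTED_PUBLIC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    kty = jwk.get("kty")
    if kty not in THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in THUMBPRINT_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"jwk missing required members: {missing}")
    canonical = json.dumps(
        {m: jwk[m] for m in THUMBPRINT_MEMBERS[kty]},
        sort_keys=True,
        separators=(",", ":"),
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def is_public_only(jwk: dict) -> bool:
    """A jwk header must carry the public key only (RFC 7515 s4.1.3)."""
    return not any(m in jwk for m in PRIVATE_MEMBERS)


def proof_protected_header(public_jwk: dict, alg: str = "ES256") -> dict:
    """Protected header of the proof JWS: the key that signs it rides in 'jwk'."""
    if not is_public_only(public_jwk):
        raise ValueError("refusing to embed private key material in a jwk header")
    return {"typ": "dpop+jwt", "alg": alg, "jwk": public_jwk}


def bind_token_claims(claims: dict, public_jwk: dict) -> dict:
    """Access token side: RFC 7800 'cnf' claim naming the key by thumbprint."""
    bound = dict(claims)
    bound["cnf"] = {"jkt": jwk_thumbprint(public_jwk)}
    return bound


def proof_matches_token(protected_header: dict, token_claims: dict) -> bool:
    """Resource-server check: the proof's header key must be the token's bound key.

    Assumes the proof signature has already been verified with the header key.
    """
    jwk = protected_header.get("jwk")
    if not isinstance(jwk, dict) or not is_public_only(jwk):
        return False
    jkt = token_claims.get("cnf", {}).get("jkt")
    if not isinstance(jkt, str):
        return False
    try:
        return hmac.compare_digest(jwk_thumbprint(jwk), jkt)
    except ValueError:
        return False


if __name__ == "__main__":
    header = proof_protected_header(CONSTRUCTED_PUBLIC_JWK)
    token = bind_token_claims({"iss": "https://as.example", "sub": "alice"}, CONSTRUCTED_PUBLIC_JWK)
    print(json.dumps(header, indent=2))
    print(json.dumps(token, indent=2))
    print("bound:", proof_matches_token(header, token))
```

Note that the thumbprint deliberately ignores `kid`, `use`, `alg` and any other optional member, so a client cannot change the binding by re-labelling the same key; conversely, a proof whose `jwk` header carries a different key, or any private member, fails the check outright.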