[OAUTH-WG] Fwd: New Version Notification for draft-fett-oauth-dpop-03.txt

Brian Campbell <bcampbell@pingidentity.com> Thu, 31 October 2019 19:21 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 805371208D9 for <oauth@ietfa.amsl.com>; Thu, 31 Oct 2019 12:21:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QuX24M5yQoWD for <oauth@ietfa.amsl.com>; Thu, 31 Oct 2019 12:21:22 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBE901209D0 for <oauth@ietf.org>; Thu, 31 Oct 2019 12:21:00 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id f5so5581544lfp.1 for <oauth@ietf.org>; Thu, 31 Oct 2019 12:21:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=08INO1NIUPggKWaEWJ9kXne8YAazlD9kNcbfxk0vi5s=; b=kjXzp0C4RNLgQRtRmXsJgzeYUxd44KVhA3N8Z52pu5XmvNiN9XtjnZNm3d1D3dMsyY sKcvEo6nA0hoY+fiSs/76IHGjxhF4MSmoh7SqF12PK8mX0Ac07A/M+/8G5VjICN4wZJD P1pRK97/JBLyTM+bXLAOyEwpj0YwSQefvAmFI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=08INO1NIUPggKWaEWJ9kXne8YAazlD9kNcbfxk0vi5s=; b=iFPkW4ZBk7YXj6Bp60yZVy/ON2bZEYR/Plei47Lwh+qKbPVVCYQOrgAEjQ7IphdwXo srXGK+SizT2PvCThm9prXrdsprUrPFDw+3ZJfoOJhrTYqPskSAnMRBlPH0Bn1d56X/Zd TjhtZa4vgTKsVUUcINOIgt4j440BAXb3rCNVcH0cMq2ei3KhUqwz4tpS42blbhNBHA25 Yt1jMwN84ZFJ/ibIUXFU79ODJ1jANLIpUR/apaZy+ZbkePpg/PLEundSN0WMgdFF42jj ++z5UfoCoFqhKQ9uSSOshJ/Tig2+CzeSIOwmjpo0aacaDYJHmDR7TPl80fuHTFBmTKRH xGiQ==
X-Gm-Message-State: APjAAAXI0DDMOwAQKGjztJx7Povxjur4ovgdo3ODCBo/pvNzJk76ZtJ2 stZdrafilZfT1UvWvsQiRTDbQgpyVYJa2yDWw0qCY/+11blmmEJMhy9aEhE8SQmHKv53O6mExP2 rrr7jRQqG7/rJOfwtFrk=
X-Google-Smtp-Source: APXvYqyRLGj+5yz7NMQ9G0wey7JZhUYI4Om0BYAd9BLn4wBmPg7O6rM2JEoZyod6a4kKG23eEzvhF1EBVYXaOEMkUPQ=
X-Received: by 2002:a19:7d06:: with SMTP id y6mr4821712lfc.120.1572549658694; Thu, 31 Oct 2019 12:20:58 -0700 (PDT)
MIME-Version: 1.0
References: <157254438077.30463.2012864551682668420.idtracker@ietfa.amsl.com>
In-Reply-To: <157254438077.30463.2012864551682668420.idtracker@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 31 Oct 2019 13:20:32 -0600
Message-ID: <CA+k3eCQrdDqMTHD6bgV-jOTC5DRn3tj2RME1=jdzR6H3W45+BA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cc715a059639bf44"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BWGfQcu6vEdJcQWSm9wAcCgnYO0>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-fett-oauth-dpop-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 19:21:25 -0000

Hello WG,

Just a quick note to let folks know that -03 of the DPoP draft was
published earlier today. The usual various document links are in the
forwarded message below and the relevant snippet from the doc history with
a summary of the changes is included here for convenience.

Hopefully folks will have time to read the (relativity) short document
before the meeting(s) in Singapore where (spoiler alert) I plan to ask that
the WG consider adoption of the draft.

Thanks,

 -03
   o  rework the text around uniqueness requirements on the jti claim in
      the DPoP proof JWT
   o  make tokens a bit smaller by using "htm", "htu", and "jkt" rather
      than "http_method", "http_uri", and "jkt#S256" respectively
   o  more explicit recommendation to use mTLS if that is available
   o  added David Waite as co-author
   o  editorial updates

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>;
Date: Thu, Oct 31, 2019 at 11:53 AM
Subject: New Version Notification for draft-fett-oauth-dpop-03.txt
To: Torsten Lodderstedt <torsten@lodderstedt.net>;, Michael Jones <
mbj@microsoft.com>;, John Bradley <ve7jtb@ve7jtb.com>;, Brian Campbell <
bcampbell@pingidentity.com>;, David Waite <david@alkaline-solutions.com>;,
Daniel Fett <mail@danielfett.de>;



A new version of I-D, draft-fett-oauth-dpop-03.txt
has been successfully submitted by Brian Campbell and posted to the
IETF repository.

Name:           draft-fett-oauth-dpop
Revision:       03
Title:          OAuth 2.0 Demonstration of Proof-of-Possession at the
Application Layer (DPoP)
Document date:  2019-10-30
Group:          Individual Submission
Pages:          15
URL:
https://www.ietf.org/internet-drafts/draft-fett-oauth-dpop-03.txt
Status:         https://datatracker.ietf.org/doc/draft-fett-oauth-dpop/
Htmlized:       https://tools.ietf.org/html/draft-fett-oauth-dpop-03
Htmlized:       https://datatracker.ietf.org/doc/html/draft-fett-oauth-dpop
Diff:           https://www.ietf.org/rfcdiff?url2=draft-fett-oauth-dpop-03

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._