[OAUTH-WG] DPoP introspection not including verification

Dick Hardt <dick.hardt@gmail.com> Sun, 10 March 2024 23:05 UTC

From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 10 Mar 2024 16:05:13 -0700
To: rfc9449@ietf.org, Daniel Fett <fett@danielfett.de>, Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] DPoP introspection not including verification
Message-ID: <CAD9ie-u5cuo_=Rrfez2k1SJ6mSSAJiN61SL44ktEaqj+_wKRMA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/C3w2fIeEr5tuyCogZdTqM4tQdBg>

Hey

I was reading over RFC 9449 and was surprised that introspection did not
take the DPoP header so that the introspection endpoint could do the check
on the DPoP proof rather than forcing the Resource Server to do it.

https://datatracker.ietf.org/doc/html/rfc9449#name-jwk-thumbprint-confirmation-

Curious what was the reasoning behind this?

/Dick
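Added example, not part of the message above or of the RFC 9449 text: a Go sketch of the split the question is about. The introspection response gives the resource server only the thumbprint of the bound key (cnf.jkt); everything else, the signature, typ/alg, htm/htu, ath and iat checks from Section 4.3, is done by the RS itself against the DPoP header it received. The request URI, the access token string, the introspection JSON and the 60-second iat window are constructed for the example; the client side (NewProof) is included only so the verifier has something real to check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE base64url without padding

func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } // client's DPoP key (P-256 / ES256)

// jwkOf renders a P-256 public key as the JWK that rides in the proof header.
func jwkOf(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 JWK thumbprint (the cnf.jkt value); json.Marshal sorts map keys, giving the canonical crv,kty,x,y order.
func Thumbprint(jwk map[string]string) string {
	canon, _ := json.Marshal(map[string]string{"crv": jwk["crv"], "kty": jwk["kty"], "x": jwk["x"], "y": jwk["y"]})
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}
func seg(v any) string           { j, _ := json.Marshal(v); return b64.EncodeToString(j) }
func athOf(tok string) string    { h := sha256.Sum256([]byte(tok)); return b64.EncodeToString(h[:]) }
func unseg(s string, v any) bool { raw, err := b64.DecodeString(s); return err == nil && json.Unmarshal(raw, v) == nil }

// NewProof is the client side: one DPoP proof JWT per request, tied to the access token via "ath".
func NewProof(priv *ecdsa.PrivateKey, htm, htu, tok string, iat time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil { return "", err }
	input := seg(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkOf(&priv.PublicKey)}) + "." +
		seg(map[string]any{"jti": b64.EncodeToString(jti), "htm": htm, "htu": htu, "iat": iat.Unix(), "ath": athOf(tok)})
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	// JWS ES256 signatures are raw r||s, 32 bytes each, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// JktFromIntrospection extracts cnf.jkt: that thumbprint is all the AS tells the RS about the binding, the proof itself is checked locally.
func JktFromIntrospection(body []byte) (string, error) {
	var r struct{ Active bool; Cnf struct{ Jkt string } }
	if err := json.Unmarshal(body, &r); err != nil || !r.Active || r.Cnf.Jkt == "" {
		return "", errors.New("token inactive or not DPoP-bound")
	}
	return r.Cnf.Jkt, nil
}

// VerifyProof is the resource server check from RFC 9449 section 4.3: key binding to cnf.jkt, signature under that key, then the request claims.
func VerifyProof(proof, htm, htu, tok, jkt string, now time.Time) error {
	parts := strings.Split(proof, ".")
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	if len(parts) != 3 || !unseg(parts[0], &hdr) || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" ||
		hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return errors.New("malformed proof, or unexpected typ, alg or key type")
	}
	if Thumbprint(hdr.JWK) != jkt { // the proof key must be the key the AS bound the token to
		return errors.New("proof key does not match cnf.jkt")
	}
	x, errX := b64.DecodeString(hdr.JWK["x"])
	y, errY := b64.DecodeString(hdr.JWK["y"])
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return errors.New("bad key or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	var c struct{ Jti, Htm, Htu, Ath string; Iat int64 }
	if !unseg(parts[1], &c) || c.Jti == "" { // jti should also be cached for the window to reject replays
		return errors.New("bad claims")
	}
	if skew := now.Unix() - c.Iat; c.Htm != htm || c.Htu != htu || c.Ath != athOf(tok) || skew > 60 || skew < -60 {
		return errors.New("proof is for a different request or token, or its iat is outside the window")
	}
	return nil
}

func main() {
	priv, _ := NewClientKey()
	const htm, htu, tok = "GET", "https://rs.example/resource", "constructed-access-token"
	proof, _ := NewProof(priv, htm, htu, tok, time.Now())
	// Constructed introspection response: the AS reports only the thumbprint of the bound key.
	jkt, _ := JktFromIntrospection([]byte(`{"active":true,"cnf":{"jkt":"` + Thumbprint(jwkOf(&priv.PublicKey)) + `"}}`))
	fmt.Println("RS verification error:", VerifyProof(proof, htm, htu, tok, jkt, time.Now()))
}
```

The order inside VerifyProof matters: the thumbprint comparison comes before the signature check, so the key used to verify the signature is known to be the one the AS bound the token to, not merely whatever key the proof header happens to carry. A production RS would additionally keep recently seen jti values for the iat window and, if the RS is not the TLS terminator, normalise htu before comparing.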