[OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-01.txt

Brian Campbell <bcampbell@pingidentity.com> Fri, 01 May 2020 19:03 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DwBCG0HU-cp71FBh7rGh2GdXcv8>

I've pushed out a -01 revision of DPoP hopefully allowing folks enough time
to read it before the interim meeting on Monday (apologies that it wasn't
sooner but the edits took longer than expected or hoped). For ease of
reference the changes in this revision are summarized below. There are, of
course, still outstanding issues and discussion points that I hope to make
some progress on during the interim meeting on Monday.

   -01

   *  Editorial updates
   *  Attempt to more formally define the DPoP Authorization header
      scheme
   *  Define the 401/WWW-Authenticate challenge
   *  Added "invalid_dpop_proof" error code for DPoP errors in token
      request
   *  Fixed up and added to the IANA section
   *  Added "dpop_signing_alg_values_supported" authorization server
      metadata
   *  Moved the Acknowledgements into an Appendix and added a bunch of
      names (best effort)

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Fri, May 1, 2020 at 12:24 PM
Subject: New Version Notification for draft-ietf-oauth-dpop-01.txt
To: Torsten Lodderstedt <torsten@lodderstedt.net>, David Waite <
david@alkaline-solutions.com>, John Bradley <ve7jtb@ve7jtb.com>, Brian
Campbell <bcampbell@pingidentity.com>, Daniel Fett <mail@danielfett.de>,
Michael Jones <mbj@microsoft.com>



A new version of I-D, draft-ietf-oauth-dpop-01.txt
has been successfully submitted by Brian Campbell and posted to the
IETF repository.

Name:           draft-ietf-oauth-dpop
Revision:       01
Title:          OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)
Document date:  2020-05-01
Group:          oauth
Pages:          22
URL:            https://www.ietf.org/internet-drafts/draft-ietf-oauth-dpop-01.txt
Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-dpop-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop
Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-01

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
