[OAUTH-WG] draft-ietf-oauth-spop-10: Your feedback needed.

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 02 March 2015 15:31 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEE091A1AA9 for <oauth@ietfa.amsl.com>; Mon, 2 Mar 2015 07:31:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ajiwex4YgFIg for <oauth@ietfa.amsl.com>; Mon, 2 Mar 2015 07:31:25 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9EAF1A01FC for <oauth@ietf.org>; Mon, 2 Mar 2015 07:31:24 -0800 (PST)
Received: from [192.168.131.138] ([80.92.121.102]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MDW9x-1YGhHj1ISr-00GprF for <oauth@ietf.org>; Mon, 02 Mar 2015 16:31:22 +0100
Message-ID: <54F48248.2030706@gmx.net>
Date: Mon, 02 Mar 2015 16:31:20 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="tVce5Q0bGHkJIWOFRds4uMu2WX74d0mKG"
X-Provags-ID: V03:K0:/S3hngQ8irPew9lhgejX3UOtBvwCjfM4V45ZWOFvMT9MDSIg7kn j+I1lcL/ylHUZfyS+W8pshrPZud5KpMA8FHSmrP0QNAzqqnbc7N9aEX6cZRnGlEwkYk8PeM 2wRXDdZKTySmy38ZwuEM5f0lJ/yqH55Qvcd/OH66W+RwR/1yUtQcINQ/Ykt2h9A23pA07MX XSFKDWDTcHOeIP/WVr6sQ==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ER-12xDdz-WwXbGA1uQ0xYJ2ggU>
Subject: [OAUTH-WG] draft-ietf-oauth-spop-10: Your feedback needed.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2015 15:31:26 -0000

Hi all,

I am trying to finalize my work on the shepherd write-up of
draft-ietf-oauth-spop.

Unfortunately, there are still some outstanding issues:

1. S256 as a mandatory-to-implement code challenge method
(by the Authorization Server)

Currently, S256 is MTI but implementations do not use S256 (yet).
Hence, we have very few (maybe not even a single) implementation
that is in conformance with the specification at the moment.

Does the group see a problem with this choice of MTI
(or lack of conformance)?

2. Naveen Agarwal has not provided his confirmation that any and
all appropriate IPR disclosures required for full conformance
with the provisions of BCP 78 and BCP 79 have already been filed.

Without his confirmation I cannot finalize my shepherd write-up.

3. Normative language regarding code verifier randomness

We had a discussion about the language used to describe what
implementations need to provide in terms of randomness of the
code verifier. Here is the discussion thread:
http://www.ietf.org/mail-archive/web/oauth/current/msg14217.html

Ultimately, the issue boiled down to the following sentence and
the use of 'MUST' vs. 'SHOULD':

"the code verifier SHOULD have enough entropy to make it
impractical to guess the value"

It would be good to know whether the group objects using MUST
instead of SHOULD to enhance security.

Ciao
Hannes