IETF Logo Mail Archive

Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-step-up-authn-challenge-14: (with COMMENT)

Daniel Fett <fett@danielfett.de> Thu, 13 April 2023 07:06 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AC6CC151B3E; Thu, 13 Apr 2023 00:06:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.796
X-Spam-Level:
X-Spam-Status: No, score=-2.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xOk4_60RQYjB; Thu, 13 Apr 2023 00:06:37 -0700 (PDT)
Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [80.241.56.172]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10565C151B21; Thu, 13 Apr 2023 00:06:34 -0700 (PDT)
Received: from smtp1.mailbox.org (unknown [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4PxrGY3rn7z9spd; Thu, 13 Apr 2023 09:06:29 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=MBO0001; t=1681369589; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=oFSbHT4jh9gfMxgeJ0mi55QDEM9tv/wdSMplwijd65g=; b=0reclQoE8t9m8/9jKmKzrfaeFmr6ehu5o9AKSX0cIF8WjAWCDFhQKs18hJrjqh/b8R5441 XkGNUFAMgg+E2yjqeGIJ3a+JuOM0bbIicmFkOey6uqECGqDF6Sw+/9ufl7RsiQchGxHxsc wxEsp3HKmDvYmclMvkD1KK4DFwRd345ilaDJdc2ewqRKjkXKkXkLp1pqTqpy/zFiEZEMqv KLyNdzABM9EovXJrf4igekwAlJpjQlBdhqBjMBc026/DMt5ilNAEWR+zOerYJXFXx9Zj2T twsSZ4YgJPq1XmAnqb1oi1LQ+/zH0xUbOOBICYPMK3sOCgexeDXSUpV0L+yh2Q==
Content-Type: multipart/alternative; boundary="------------8BS5JA4dPn14EIf0tBhQO6mU"
Message-ID: <db786098-6ae7-8a45-18b3-a78b2ede306b@danielfett.de>
Date: Thu, 13 Apr 2023 09:06:27 +0200
MIME-Version: 1.0
Content-Language: de-DE
To: Vittorio Bertocci <vittorio=40auth0.com@dmarc.ietf.org>, Murray Kucherawy <superuser@gmail.com>
Cc: draft-ietf-oauth-step-up-authn-challenge@ietf.org, oauth@ietf.org, The IESG <iesg@ietf.org>, oauth-chairs@ietf.org
References: <168136196076.46946.14361049726064538738@ietfa.amsl.com> <CAEFJvap5yO_52FABDw750w5CAqbcYQBCDnLdkCwsOYuLP6h36Q@mail.gmail.com>
From: Daniel Fett <fett@danielfett.de>
In-Reply-To: <CAEFJvap5yO_52FABDw750w5CAqbcYQBCDnLdkCwsOYuLP6h36Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/G1c8kp4kwu8tY_TZItMdXK6x_EE>
Subject: Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-step-up-authn-challenge-14: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2023 07:06:42 -0000


Am 13.04.23 um 08:11 schrieb Vittorio Bertocci:
> On the SHOULD on top of S4. There are pretty common situations in 
> which failing to get a response from an API is an acceptable outcome, 
> and presenting an interactive prompt isn't. A classic example is a 
> background update that the client can use to proactively fetch fresh 
> data, that isn't critical for the application function and wasn't 
> initiated by the user. As such, an interactive prompt could disrupt 
> the user experience by requiring an action without clear context and 
> not in pursuit of a goal the user expressed. A MUST would force a 
> complying client to act on the challenge, making those scenarios hard 
> to handle.
>
> On the SHOULD on top of S5. There we are just describing what the OIDC 
> specification mandates for ID tokens, hence not providing any new 
> normative guidance.We echo what OIDC mandates for ID tokens there 
> because we want to apply the same logic for access tokens, as we later 
> describe in the same section. In that description we don't introduce a 
> more restrictive MUST because that would make it hard for the (many) 
> existing authorization server+OIDC implementations to comply, limiting 
> adoption and for a relatively small return.
>
> On the quotes: Brian has more experience in RFC authoring than I do, 
> but it's night on his part of the world hence I cannot consult him :) 
> However in the only other spec I authored (rfc9068) I did use quotes 
> for every claim occurrence in the text, hence I am confident we can do 
> the same here. Thanks for the catch!

Since the same comment was raised also for DPoP, my two cents on this:

We discussed this very topic when finalizing RFC9207. Back then, we 
noticed that when using the correct markup in the XML (<tt>), the HTML 
renders fine (gray background, monospaced font) but depending on how the 
textual format is created, there may or may not be quotes around the 
parameter. Adding quotes manually in the XML source does not make too 
much sense as they'll needlessly show up in the HTML as well. IIRC there 
was some version of xml2rfc that added quotes around <tt> parts but that 
was removed again.

So the consensus was that prioritizing proper HTML output makes sense 
and we did not add any quotes (with the blessing of the RFC editor).

-Daniel



>
> On Wed, Apr 12, 2023 at 9:59 PM Murray Kucherawy via Datatracker 
> <noreply@ietf.org> wrote:
>
>
>       This message originated outside your organization.
>
>
>     Murray Kucherawy has entered the following ballot position for
>     draft-ietf-oauth-step-up-authn-challenge-14: No Objection
>
>     When responding, please keep the subject line intact and reply to all
>     email addresses included in the To and CC lines. (Feel free to cut
>     this
>     introductory paragraph, however.)
>
>
>     Please refer to
>     https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
>
>     for more information about how to handle DISCUSS and COMMENT
>     positions.
>
>
>     The document, along with other ballot positions, can be found here:
>     https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/
>
>
>
>     ----------------------------------------------------------------------
>     COMMENT:
>     ----------------------------------------------------------------------
>
>     Thanks to Robert Sparks for the ARTART reviews and Mark Nottingham
>     for the
>     HTTPDIR review.  Please make sure the former was fully addressed
>     before
>     proceeding.
>
>     The SHOULD at the top of Section 4 is bare.  What happens if I
>     don't do that?
>     Or should this really be a MUST?
>
>     Same question for the first SHOULD in Section 5.  Is there ever a
>     legitimate
>     reason not to do what it says?
>
>     I feel that claim names such as "acr" should be quoted.  They look
>     like
>     misspelled words otherwise.
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email