Re: [OAUTH-WG] JARM

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 24 January 2020 03:06 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5370412001A for <oauth@ietfa.amsl.com>; Thu, 23 Jan 2020 19:06:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, SUBJ_ALL_CAPS=0.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tBraK4SSRnlw for <oauth@ietfa.amsl.com>; Thu, 23 Jan 2020 19:06:17 -0800 (PST)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12516120019 for <oauth@ietf.org>; Thu, 23 Jan 2020 19:06:16 -0800 (PST)
Received: by mail-pl1-x62a.google.com with SMTP id d9so169408plo.11 for <oauth@ietf.org>; Thu, 23 Jan 2020 19:06:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=rufX44uyo3mZxBInqFwQ74+ql4zj3g7UxHPL6ZsAnn8=; b=jsZbNgmj0kj+rbjrOw7Pc04GZxvTlUuZtaxoJ9M0KmLElbg7ZXYfJmf6b7/unIfbgY SRCphqRR/e62c4R/mPOegl4A9Ewv0l5wvinK7UMLcSUJiHp/bcPCcmMzx3Zyv+4Eezuj 0unhu0WO4hBGWQCbf1kaBzQAHz5DJBprQS255jvKbaRbaw0kuF16vKGjGxf/z9ESTYIp FiOJf+arsDsOZdU6HCdIolg/g8aE6/h+hARXPtfI7VrHuM4XI1eZkWetvuaBboAc9++x xvUmTYxNMB4Wt7wNYD5+A28Q2N0/SuFY/ycNyNKhki5rHqekYpOEEwXf3odU5NF6Y6RV gM/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=rufX44uyo3mZxBInqFwQ74+ql4zj3g7UxHPL6ZsAnn8=; b=BFwgJvQRfI9qB3WGDVbRGhA+/9A7I4a1ra+LZC7iSBb1B7zrVEZLPrv1xW8U+Ruavp azSWuJlDjCZKIUArN89/LvWB3AXxfaxheSZ3ZmmRzt40Qu3NCyegQNu/x6qPEbduBxaV vPT3GLU8su5DnbUeLC2xGVUgdNDDevVtZkeFXvfPA+W5B/hccDWVwa0GNxCl5izu7TBE eD9hcZfsoo34Fi9As0JPgMybyY/uOYdG8xM5BlXXvlEbxgE0Hnru+C0OWQTGeMA16Lgv Ko4vZDXIADUwPvOOi9GPR92j8z0Yc4KZolU5J7wRY679Noh1li5IgAYyjuIVHy60D5n6 pVyg==
X-Gm-Message-State: APjAAAWMfAmArNXYKTSd8zOxOpyTFFBffr6sjiBJHSxoLt/tF0A5LPbx UYucO/xWPtdUblXDj0f+e01IjQ==
X-Google-Smtp-Source: APXvYqxFFdhhLpasQvbHQk4mw7dwWtuA4yYFHBm2RlBkNNM0wTTP8zVppB0EvQMUQXYN3Crf1nnXVw==
X-Received: by 2002:a17:90a:d787:: with SMTP id z7mr947179pju.10.1579835175874; Thu, 23 Jan 2020 19:06:15 -0800 (PST)
Received: from [172.20.10.2] (153.176.138.210.rev.vmobile.jp. [210.138.176.153]) by smtp.gmail.com with ESMTPSA id b26sm4235285pgn.1.2020.01.23.19.06.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Jan 2020 19:06:15 -0800 (PST)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <E2C20237-747E-4BD1-ACA6-27195E8CC691@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_131372D8-9F84-4778-8D48-C9E0BCF53BB3"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Date: Fri, 24 Jan 2020 12:04:55 +0900
In-Reply-To: <1CBDEC38-D1C6-4E2E-AA68-C26A219F3AE4@forgerock.com>
Cc: Takahiko Kawasaki <taka@authlete.com>, Brian Campbell <bcampbell@pingidentity.com>, Annabelle Backman <richanna@amazon.com>, Nat Sakimura <nat@sakimura.org>, oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <CAHdPCmN4qNZiDHvKg0e75u03KB54N1Dhyfc+gVgRZ1KQEvE=1Q@mail.gmail.com> <1CBDEC38-D1C6-4E2E-AA68-C26A219F3AE4@forgerock.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GoXk0GiF9fcrC4HyPad43MEZVpA>
Subject: Re: [OAUTH-WG] JARM
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 03:06:18 -0000

Excellent question. Since the authorisation response contains that code only in this case, one basically gains sender authentication and non-repudiation.

> On 23. Jan 2020, at 16:03, Neil Madden <neil.madden@forgerock.com> wrote:
> 
> If you’re using auth code and PKCE, what does JARM add?
> 
> Neil
> 
>> On 23 Jan 2020, at 06:03, Takahiko Kawasaki <taka@authlete.com> wrote:
>> 
>> 
>> I think that JARM is good and even feel that JARM should exist there from a logical perspective because JARM is to Authorization Response what Request Object is to Authorization Request. It is good that we don't have to use "ID Token as Detached Signature" (Financial-grade API Part 2) when JARM is used.
>> 
>> FWIW, I (Authlete) finished implementing JARM at the beginning of October, 2018, about a year and 3 months ago.
>> 
>> Best Regards,
>> Takahiko Kawasaki
>> 
>> On Sat, Jan 18, 2020 at 5:22 AM Brian Campbell <bcampbell=40pingidentity..com@dmarc.ietf.org> wrote:
>> I'd be in favor of it. 
>> 
>> On Thu, Jan 16, 2020 at 9:28 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>> 
>> 
>>> Am 16.01.2020 um 16:48 schrieb Justin Richer <jricher@mit.edu>:
>>> 
>>> Maybe PAR and JAR (and JARM?) end up going out as a bundle of specs.
>> 
>> Since Justin brought it up, I would like to know whether the community has appetite to standardize JARM as well.
>> 
>> Here is the link to the spec: https://openid.net/specs/openid-financial-api-jarm-ID1.html
>> 
>> What do you think?
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited...  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth