Re: [OAUTH-WG] JARM
Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 24 January 2020 03:06 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GoXk0GiF9fcrC4HyPad43MEZVpA>

Excellent question. Since the authorisation response contains that code only in this case, one basically gains sender authentication and non-repudiation.

> On 23. Jan 2020, at 16:03, Neil Madden <neil.madden@forgerock.com> wrote:
>
> If you’re using auth code and PKCE, what does JARM add?
>
> Neil
>
>> On 23 Jan 2020, at 06:03, Takahiko Kawasaki <taka@authlete.com> wrote:
>>
>> I think that JARM is good and even feel that JARM should exist there from a logical perspective because JARM is to Authorization Response what Request Object is to Authorization Request. It is good that we don't have to use "ID Token as Detached Signature" (Financial-grade API Part 2) when JARM is used.
>>
>> FWIW, I (Authlete) finished implementing JARM at the beginning of October, 2018, about a year and 3 months ago.
>>
>> Best Regards,
>> Takahiko Kawasaki
>>
>> On Sat, Jan 18, 2020 at 5:22 AM Brian Campbell <bcampbell=40pingidentity..com@dmarc.ietf.org> wrote:
>> I'd be in favor of it.
>>
>> On Thu, Jan 16, 2020 at 9:28 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>
>>> On 16.01.2020 at 16:48, Justin Richer <jricher@mit.edu> wrote:
>>>
>>> Maybe PAR and JAR (and JARM?) end up going out as a bundle of specs.
>>
>> Since Justin brought it up, I would like to know whether the community has appetite to standardize JARM as well.
>>
>> Here is the link to the spec: https://openid.net/specs/openid-financial-api-jarm-ID1.html
>>
>> What do you think?
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
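
Added example, not part of the original message or of the JARM draft text: a sketch of the sender authentication discussed above, in which the authorization server returns the code inside a signed JWT and the client accepts it only if the signature and the `iss`, `aud`, `exp` and `state` values check out. The RSA key, issuer URL, client ID, code value and the function names `as_sign_response` and `client_validate` are all constructed for this illustration.

```python
import base64, hashlib, json, time

# Constructed demo RSA key from two Mersenne primes: insecure, for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8              # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input):
    """PKCS#1 v1.5 encoding of SHA-256(signing_input), as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def as_sign_response(params):
    """Authorization server: wrap the response parameters in an RS256 JWT."""
    head = b64u(json.dumps({"alg": "RS256"}).encode())
    body = b64u(json.dumps(params).encode())
    sig = pow(encoded_message(f"{head}.{body}".encode()), D, N)
    return f"{head}.{body}.{b64u(sig.to_bytes(K, 'big'))}"

def client_validate(jwt, expected_iss, client_id, expected_state, now=None):
    """Client: return the parameters only if signature and claims check out."""
    head, body, sig = jwt.split(".")
    if json.loads(unb64u(head)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    if pow(int.from_bytes(unb64u(sig), "big"), E, N) != encoded_message(f"{head}.{body}".encode()):
        raise ValueError("bad signature")
    claims = json.loads(unb64u(body))
    if claims.get("iss") != expected_iss:
        raise ValueError("response not from the expected authorization server")
    if claims.get("aud") != client_id:
        raise ValueError("response issued to a different client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if claims.get("state") != expected_state:
        raise ValueError("state mismatch")
    return claims

# Constructed sample response (issuer, client and code values are made up).
SAMPLE = as_sign_response({"iss": "https://as.example", "aud": "client-123",
                           "exp": 2000000000, "code": "demo-code", "state": "xyz"})
```

A real client would take the verification key from the authorization server's published keys and use a vetted JOSE library rather than hand-rolled RSA.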