Re: [OAUTH-WG] draft-fett-oauth-dpop-00

Mike Jones <Michael.Jones@microsoft.com> Thu, 28 March 2019 11:30 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Ludwig Seitz <ludwig.seitz@ri.se>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 28 Mar 2019 11:28:51 +0000
Message-ID: <BL0PR00MB0292CA3C921F1E21A3E96ED7F5590@BL0PR00MB0292.namprd00.prod.outlook.com>
References: <0a9af6f6-1b5d-244d-06af-9d14461b1d69@yes.com> <22f70452-ae33-17a8-317e-1efbfc44d508@ri.se>
In-Reply-To: <22f70452-ae33-17a8-317e-1efbfc44d508@ri.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nYsa9wAtX1630M05lQI2FQjM1FE>
Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00

Good observation, Ludwig.  We should do that.

				-- Mike

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Ludwig Seitz
Sent: Thursday, March 28, 2019 12:05 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00

On 28/03/2019 11:17, Daniel Fett wrote:
> Hi all,
> 
> I published the first version of the DPoP draft at
> https://tools.ietf.org/html/draft-fett-oauth-dpop-00
> 
> Abstract
> 
>     This document defines a sender-constraint mechanism for OAuth 2.0
>     access tokens and refresh tokens utilizing an application-level
>     proof-of-possession mechanism based on public/private key pairs.
> 
> 
> Thanks for the feedback I received so far from John, Mike, Torsten, 
> and others during today's session or before!
> 
> If you find any errors I would welcome if you open an issue in the 
> GitHub repository at https://github.com/webhamster/draft-dpop
> 
> - Daniel
> 
>

A quick nit:

In figure 3 you seem to be using the "jwk" claim to include the PoP key in the token. Any reason for not using the "cnf" claim from RFC 7800?

/Ludwig


--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
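For readers following the nit: "cnf" is the confirmation claim defined in RFC 7800, and its "jwk" member carries the public key an access token is bound to; the place a bare "jwk" legitimately appears in a proof-of-possession scheme like DPoP is the JOSE header of the proof JWT (the "jwk" header parameter of RFC 7515), not the access token's claims set. The example below is added here and is not code from the draft or from anyone in the thread. It builds a "cnf"-bound access-token claims set the way RFC 7800 describes and performs the resource-server side of the check: the key in the proof's "jwk" header must be the same key as "cnf"."jwk", compared by RFC 7638 thumbprint so that member ordering and optional members such as "kid" do not matter. The issuer URL, audience, timestamps and the key coordinates are constructed placeholders, not real keys or real endpoints.

```python
"""RFC 7800 'cnf' key binding for an access token, plus the resource-server match.

Added example, not from the DPoP draft. Keys and URLs are constructed placeholders.
"""
import base64
import hashlib
import json

# RFC 7638, section 3.2: the members that form the thumbprint input, per key type.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 keys
}
# Private-key members that must never appear in a 'cnf' key (RFC 7800 requires a public key).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace, SHA-256."""
    try:
        canonical = {m: jwk[m] for m in THUMBPRINT_MEMBERS[jwk["kty"]]}
    except KeyError as exc:
        raise ValueError(f"cannot compute thumbprint, missing member {exc}") from None
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return b64url(hashlib.sha256(encoded.encode("utf-8")).digest())


def public_jwk(jwk: dict) -> dict:
    """Strip private members so the key embedded in 'cnf' is public-only."""
    return {k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS}


def issue_claims(sub: str, aud: str, client_jwk: dict, iat: int, ttl: int = 600) -> dict:
    """Access-token claims set with the PoP key in 'cnf' (RFC 7800), not a top-level 'jwk'."""
    return {
        "iss": "https://as.example",  # placeholder issuer
        "sub": sub,
        "aud": aud,
        "iat": iat,
        "exp": iat + ttl,
        "cnf": {"jwk": public_jwk(client_jwk)},
    }


def bound_key_matches(token_claims: dict, proof_header: dict) -> bool:
    """Resource-server check: the proof's 'jwk' header key must equal the token's 'cnf' key.

    Returns False for a token without a usable 'cnf', a proof without a key, a proof that
    ships a private key, or an incomplete key; only a thumbprint match returns True.
    """
    cnf = token_claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("jwk"), dict):
        return False  # not a sender-constrained token; do not treat it as one
    proof_jwk = proof_header.get("jwk")
    if not isinstance(proof_jwk, dict) or PRIVATE_MEMBERS.intersection(proof_jwk):
        return False  # no key, or a private key where only a public one belongs
    try:
        return jwk_thumbprint(cnf["jwk"]) == jwk_thumbprint(proof_jwk)
    except ValueError:
        return False


def _placeholder(label: str) -> str:
    # Constructed, deterministic 32-byte stand-in for a coordinate; not a real curve point.
    return b64url(hashlib.sha256(label.encode("utf-8")).digest())


# Constructed client key pair (EC P-256 shape) and an unrelated second key.
CLIENT_KEY = {"kty": "EC", "crv": "P-256", "kid": "client-1",
              "x": _placeholder("x"), "y": _placeholder("y"), "d": _placeholder("d")}
OTHER_KEY = {"kty": "EC", "crv": "P-256", "x": _placeholder("x2"), "y": _placeholder("y2")}


if __name__ == "__main__":
    claims = issue_claims("alice", "https://rs.example", CLIENT_KEY, iat=1553772000)
    print(json.dumps(claims, indent=2))
    good_header = {"alg": "ES256", "jwk": public_jwk(CLIENT_KEY)}
    bad_header = {"alg": "ES256", "jwk": OTHER_KEY}
    print("matching proof key:", bound_key_matches(claims, good_header))  # True
    print("other key:", bound_key_matches(claims, bad_header))  # False
```

Two design points worth noting. Comparing by thumbprint rather than by raw JSON equality means the authorization server may add "kid" or "alg" to the embedded key, or order members differently from the client's proof header, without breaking the match, while any change to the key material itself changes the digest. And because RFC 7800 requires the "cnf" key to be public, the issuer strips private members before embedding, and the resource server refuses a proof whose header carries one, since a client that leaks its private key in every request has no possession to prove.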