Re: [OAUTH-WG] New podcast on identity specifications

[Denis <denis.ietf@free.fr>]

Hello  Brian,

The text was not mentioning explicitly draft-ietf-oauth-dpop-01. While 
re-reading the text, it only appears in a link.

I am NOT arguing that collaborationattacks are something that DPoP is 
expected to address.
I am arguing that DPoP should mention in its Security Considerations 
section that collaborationattacks are something that DPoP does not address.

At the moment, section 9 (Security Considerations) of 
draft-ietf-oauth-dpop-01 is not conformant to RFC 3552 (Guidelines for 
Writing RFC Text
on Security Considerations), since section 5 from RFC 3552 states:

    Authors MUST describe

       1.   which attacks are out of scope (and why!)
       2.   which attacks are in-scope
             2.1  and the protocol is susceptible to
             2.2  and the protocol protects against

Denis


> Hello Denis,
>
> The most recent version of the DPoP draft is not 
> draft-fett-oauth-dpop-04 but rather draft-ietf-oauth-dpop-01, which 
> doesn't expire until November. I realize that the naming and 
> versioning conventions of IETF documents are a bit esoteric and can 
> lend themselves to such mistakes. But someone who insists on making 
> unhelpful criticism of said documents should probably be more mindful 
> of such details.
>
> This WG (and it's not the only WG where this has happened) has 
> repeatedly confirmed the rough consensus that these so-called 
> collaborationattacks are not something that DPoP, or any of the other 
> documents you've said the same about, is expected to address. Nor that 
> there is even reason enough to think that readers need to be told so. 
> Your personal enthusiasm for the topic does not change that and 
> doesn't change the fundamental nature of how OAuth works.
>
> I am sorry to hear that you felt the podcast was too long. I can 
> certainly empathize with feeling like one's time has been wasted.
>
>
>
>
> On Wed, Sep 23, 2020 at 3:38 AM Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     Hello Brian and Vittorio,
>
>     I have two observations:
>
>       * draft-fett-oauth-dpop-04 which is the last version expired on
>         5 September 2020,
>       * the podcast as well as draft-fett-oauth-dpop-04 omit to
>         mention the client/user collaborative attack against which
>         draft-fett-oauth-dpop-04 is ineffective.
>
>
>     Denis
>
>     PS. The podcast is a nice effort but is far too long (29:37).
>>
>>     The mTLS vs DPoP was good in articulating how the two specs are
>>     alike, how they differ and which particular type of app they are
>>     meant to serve.
>>
>>     I'm saying this as a person who is generally allergic to
>>     technical podcasts :)
>>
>>     Maybe every RFC that comes out of this WG should have a podcast
>>     link at the top, where the authors discuss it in simple, honest
>>     and non-speccy terms, because that's often how people are best
>>     able to perceive the spirit and subtleties of some technical or
>>     spec work.
>>
>>     Vladimir
>>
>>     On 21/09/2020 09:40, Vittorio Bertocci wrote:
>>>
>>>     Dear all,
>>>
>>>     This is an informal mail to inform you that there’s a new
>>>     podcast <http://identityunlocked.com/>, identityunlocked.com
>>>     <http://identityunlocked.com/>, dedicated to inform and explain
>>>     new identity specs developments for developers.
>>>
>>>     You can find a more detailed explanation of the podcast’s goals
>>>     in
>>>     https://auth0.com/blog/identity-unlocked-a-podcast-for-developers/,
>>>     but the TL;DR is that the spec themselves aren’t all that easy
>>>     to read for the non-initiated, and a lot of useful info emerges
>>>     during the discussions leading to the spec but rarely surface in
>>>     a usable form to the people who don’t participate in discussions.
>>>
>>>     The first episode
>>>     <https://auth0.com/blog/identity-unlocked-explained-episode-1/>,
>>>     featuring Brian Campbell discussing MTLS & DPoP, should give you
>>>     an idea of what season 1 of the show will look like.
>>>
>>>     The full list of the first run is available here
>>>     <https://auth0.com/blog/auth0-launches-identity-unlocked-the-identity-podcast-for-developers/>.
>>>     Of 6 episodes, 3 of them are about specifications coming out of
>>>     this WG- and all guests are actively involved in the IETF.
>>>
>>>     My main goals sharing this info here are
>>>
>>>       * *Letting you know that the podcast exists*, so that you can
>>>         make use of it if you so choose (e.g. referring people to it
>>>         if they need to better understand something covered in an
>>>         episode)
>>>       * *Soliciting proposals for new episodes*: topics you believe
>>>         are currently underserved, topics you are often asked about,
>>>         topics you would like to be interviewed about on the show
>>>       * *Growing the show’s subscriber base*. I was able to get
>>>         backing from my company to produce a podcast that has
>>>         exactly ZERO product pitches and is purely about identity
>>>         specs promotion, on the gamble that the topic does have an
>>>         audience finding it useful. So far the reception has been
>>>         great, and we need to keep it up if we want to have a season 2.
>>>
>>>     I hope you’ll find the initiative useful!
>>>
>>>     Cheers,
>>>
>>>     V.
>>>
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and 
> privileged material for the sole use of the intended recipient(s). Any 
> review, use, distribution or disclosure by others is strictly 
> prohibited.  If you have received this communication in error, please 
> notify the sender immediately by e-mail and delete the message and any 
> file attachments from your computer. Thank you./