[OAUTH-WG] client_secret_expires_at redux again (was Re: Dynamic Client Registration Sent to the IESG)

Brian Campbell <bcampbell@pingidentity.com> Thu, 11 September 2014 22:20 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 177821A017A for <oauth@ietfa.amsl.com>; Thu, 11 Sep 2014 15:20:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RwlUCwSL8QjX for <oauth@ietfa.amsl.com>; Thu, 11 Sep 2014 15:20:17 -0700 (PDT)
Received: from na6sys009bog009.obsmtp.com (na6sys009bog009.obsmtp.com [74.125.150.58]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 660A51A0172 for <oauth@ietf.org>; Thu, 11 Sep 2014 15:20:17 -0700 (PDT)
Received: from mail-ie0-f171.google.com ([209.85.223.171]) (using TLSv1) by na6sys009bob009.postini.com ([74.125.148.12]) with SMTP ID DSNKVBIgIBGy7FjdjhRcS5UKcfiY6fAl90H7@postini.com; Thu, 11 Sep 2014 15:20:17 PDT
Received: by mail-ie0-f171.google.com with SMTP id y20so4087850ier.30 for <oauth@ietf.org>; Thu, 11 Sep 2014 15:20:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=nUtGSdfPDmLgyEiRJJSa3oJWOZI1Q5GL0LBcY314tiU=; b=OFfDBa0EfL5NDCS61+u/Xp+atZf7CML0Ng8h98T9U7/bF8YoUiY+KnjJDg5RkjtzLA pdMIQ2d4Ews8tVc4shitImlFsYCU3996Hm2rDF5O4Dvb70beJ3oCI/0hGHq4Hav063rA 5L/am2vdJ/68bO+fXP6WGseWwqVnZ8DnEIbS4g3mxCAEWlIAEEVKkilD5pUjQeb0QZf/ zzbiVdVaWEs22lB5brUqAWRbq+hQ4Y1rq8e3ySK04QejSk6klREwfsCJuJmjRvYDZu9y puSt4opqGshG7mni9ihszmD3XZ+9sAb9PQ1XeFRePctT+5JsyB6loIiSEtD729hFoRFe pLow==
X-Gm-Message-State: ALoCoQksIKbJGYvtEtS+diz2UFxXtq9Ze7zqB1CiRUQ1FZm5RlV9ia1uXVHCRLB/h6acCX//XVtmhYWg6xyRULQJHVQtitz82Kk4oiL6c1slfd6070ljJPbh2hu2/lvpt7lh2bU378dN
X-Received: by 10.51.17.66 with SMTP id gc2mr6635984igd.40.1410474016137; Thu, 11 Sep 2014 15:20:16 -0700 (PDT)
X-Received: by 10.51.17.66 with SMTP id gc2mr6635968igd.40.1410474015984; Thu, 11 Sep 2014 15:20:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.12.137 with HTTP; Thu, 11 Sep 2014 15:19:45 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 11 Sep 2014 16:19:45 -0600
Message-ID: <CA+k3eCT4u1h9zDa_6z9jx9RpQQvVCyRAO4+NmJPN6FpKWRYWAw@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="001a1135f3a4b0c2e30502d19285"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Pl6yvVMcjzm4f_C7t8vlKY2ewRo
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] client_secret_expires_at redux again (was Re: Dynamic Client Registration Sent to the IESG)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Sep 2014 22:20:21 -0000

Why does expiration only apply to the client secret[1]? If there's a need
for the AS to set an expiration, isn't it broader than that, applying to
the whole client or the client id? If there's a need to signal an
expiration time on the client secret, doesn't it follow that the client's
JSON Web Key Set (the jwks parameter) might also need to be expired? And
what about strictly implicit clients or other public clients? Is there no
case in which an AS would want to expire them?

I realize I've asked this before (more than once), but I've never gotten an
answer. To me, what's in this draft that's on its way to the IESG is awkward
and/or incomplete.

I believe that either the client_secret_expires_at should be removed from
draft-ietf-oauth-dyn-reg or it should be changed to something that isn't
specific to the client secret - something like client_expires_at or
client_id_expires_at.

[1] client_secret_expires_at in
https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-20#section-4.1

On Wed, Sep 10, 2014 at 5:50 PM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Hi all,
>
> I have just sent the Dynamic Client Registration document to the IESG.
> The final shepherd write-up for the document can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/shepherdwriteup/
>
> Ciao
> Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>