Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
Mark Nottingham <mnot@mnot.net> Thu, 09 February 2023 02:43 UTC
Return-Path: <mnot@mnot.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0443FC14CEE5 for <oauth@ietfa.amsl.com>; Wed, 8 Feb 2023 18:43:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b="XSN85zov"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Tv6aE5A+"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v_ecF31Q1XoU for <oauth@ietfa.amsl.com>; Wed, 8 Feb 2023 18:43:00 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38F6EC14F74B for <oauth@ietf.org>; Wed, 8 Feb 2023 18:43:00 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 7F0F65C00F0; Wed, 8 Feb 2023 21:42:59 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Wed, 08 Feb 2023 21:42:59 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm2; t=1675910579; x= 1675996979; bh=k/rK9UCQX+LXjSAdeNdXC/2B0CKfzpmN1eu5dLRmDYo=; b=X SN85zovI1HmXXOlHzxTZbOV3u4AG7closiNdOOTDgm7UfFiPMMUDwtThdnTovaQw 4MmqILO8hOP70MvQIND1r35wMdSnspajp+rYrQc2O44utGuGFq3zCjgqBBrWXwSz +WM6JNVsuLf6t87uyuZ3e8T6RCaQycu/TTW6qlDs8NHUyt84n47PwgN9Tn3fWuYH hmxq0zW0l7d0BU6KKZXqthuA2NRzyEkVvPUv+RefiwFiSWxmViTgJzi2OAAeFxIU wNBg4eSnQkzvgHHVt9Dp46xvzMGjO2HwmISlMsa30qoeJqZ0VEEEmlAjGa9vN6Na jxMcjPkHfkVlBgr9hvWpw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1675910579; x= 1675996979; bh=k/rK9UCQX+LXjSAdeNdXC/2B0CKfzpmN1eu5dLRmDYo=; b=T v6aE5A+NwqJT8JYDgem4rOheThQ+WNZjnp7InR+3KkJ/ichMv2Wcw7cMIPHGCGcd asHWusW+so8GUmYBvz80JXCeBKldFNE2kMoPFgWKffgg4V6UNyOSHZt3O2kLnzES z33rraT6lIp2/ZFX3RCd9eaqsWmqJd4cyxln4tQdOH/SI2l/Oq5Xmn+hcT7wIkj8 SgKSrNN7B+iIq7dEGk5H2BBnyugCMM++X0uhla33isqrg3tpofQmZQeUSunXeFIJ tSGy/IuwXstCmhY6HMPga+GaWjIeQt3HlBRHXF1QliByBFXyjYMDggAGB13lEy3x FB+qnr2niAC+23/G2wr7A==
X-ME-Sender: <xms:s13kY_CzHbCnRelDaRpzg7WBCDCvGkzYh-AWhPihGSWmNKy3Udsx_g> <xme:s13kY1hZhfUEKl4DI81yYrp3GOeQfeJHKGU6CJHqgwIILA1TmHU-ROhIlC9k62jUv 26EwyPy96BE-opFWA>
X-ME-Received: <xmr:s13kY6lyjPzxWAfcKfy97UxQeDtuLZz-O60X3pSzNnwiOUYA0sk9n0QMCJ72VJCLUqEmWgHstD2xIZZCdK50eO1iwPZAdxXzNpZWMpZOBnFAe0-Kxk10p0Wq>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrudehuddgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpegtggfuhfgjffevgffkfhfvofesthhqmhdthhdtvdenucfhrhhomhepofgr rhhkucfpohhtthhinhhghhgrmhcuoehmnhhothesmhhnohhtrdhnvghtqeenucggtffrrg htthgvrhhnpefhgfdvfeehhfegieeggeduvdejfeeuffdtheehhfdufffghfekudffffej ieejtdenucffohhmrghinhepihgvthhfrdhorhhgpdhhthhtphifghdrohhrghenucevlh hushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmnhhothesmhhn ohhtrdhnvght
X-ME-Proxy: <xmx:s13kYxwUgD3yxAxZkwRMXNjCIsyRvhnnxKegl9M_Vh4tJA71HWSWNQ> <xmx:s13kY0R8rU_hbivXcgu0H3ntMGE6bxIq8ZeH9TuVdElrEHcatQDnEQ> <xmx:s13kY0adGdIpWa7PspW97QUrM4laIilNufIvXeBQc_u2UMY8PrgisQ> <xmx:s13kY5Tp189PdkE38v-x39-yHB0C12OFILHDzRgAh2BNbLZ1pi-hSA>
Feedback-ID: ie6694242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 8 Feb 2023 21:42:56 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <rt-5.0.3-2984994-1675797139-106.1264432-9-0@icann.org>
Date: Thu, 09 Feb 2023 13:42:34 +1100
Cc: oauth@ietf.org, ryanridenour92@gmail.com, neil.e.madden@gmail.com, Mike Jones <Michael.Jones@microsoft.com>, Justin Richer <jricher@mit.edu>, Roy Fielding <fielding@gbiv.com>, david@alkaline-solutions.com, bcampbell@pingidentity.com
Content-Transfer-Encoding: quoted-printable
Message-Id: <D76B3FE8-79FB-43B3-AEE1-2B1385C271C1@mnot.net>
References: <RT-Ticket-1264432@icann.org> <rt-5.0.3-41757-1674065064-1576.1264432-9-0@icann.org> <rt-5.0.3-46491-1674066633-577.1264432-9-0@icann.org> <CC85682F-99E6-4D1D-8877-A81426526429@mnot.net> <CA+k3eCT0HN+LFkQCnfP2BhhPV=NaXaReRuV-ktA1Y=LNOsZ_qw@mail.gmail.com> <2D7F6171-D53F-4F3A-B46C-CF587B2AEDCF@mnot.net> <MW4PR00MB1028EF0ECBF9572B800E01ADF5C99@MW4PR00MB1028.namprd00.prod.outlook.com> <rt-5.0.3-608687-1674546169-1593.1264432-9-0@icann.org> <rt-5.0.3-2984994-1675797139-106.1264432-9-0@icann.org>
To: Amanda Baber via RT <drafts-expert-review-comment@iana.org>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QXvY1utTCpLKBEFNZJ0PlIRBNxs>
Subject: Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2023 02:43:05 -0000
Hi David, As far as I can tell, very little of our feedback was addressed in the latest draft. Much of it was general review, not about the header registration; from that perspective, I note that the DPoP-Nonce header field syntax still isn't explicitly defined. Cheers, > On 8 Feb 2023, at 6:12 am, David Dong via RT <drafts-expert-review-comment@iana.org> wrote: > > Dear Mark / Roy, > > We see that this document has been updated; could you please let us know if this is OK or if you have further comments? > > Thank you. > > https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ > > Best regards, > > David Dong > IANA Services Specialist > > On Tue Jan 24 07:42:49 2023, Michael.Jones@microsoft.com wrote: >> Hi Mark, >> >> Like Brian, I appreciate your detailed review. My thoughts on the >> review points are interleaved with the discussion text below. >> >>> Keep in mind that HTTP header fields are basically sets of >>> constrained octets with weird combination rules; if you don't use SF, >>> you should be specifying (for example) what happens when two header >>> values (and/or fields) are present (as per below). SF does a lot of >>> the legwork here, even if from a type system standpoint it's not a >>> perfect fit. >> >> I agree that we should specify these things - probably using language >> parallel to that in the SF draft, where appropriate. I also share >> your assessment that, unfortunately, the SF type system is not an >> ideal fit for the DPoP headers. >> >>> That said, personally I'd deconstruct the JWT and convey it as >>> separate binary values, so that if binary structured headers ever >>> does catch on, it can get the perf/compactness advantages of that. >> >> Deconstructing the JWT would entail defining a new JWT serialization >> (representation). Currently there is exactly one JWT serialization >> and this specification uses it. I suspect developers would like us to >> keep it that way. >> >> Only one of the fields of a signed JWT is actually binary (the >> signature); the header and payload are JSON. All are encoded using >> the base64 URL-safe character set (letters, numbers, -, and _ with no >> trailing =s) for safe transmission with encoded fields separated by >> the also URL-safe character period. Furthermore, the signature is >> computed over the base64url-encoded values of the first two fields >> with a period between them. The base64url encoding and concatenation >> is integral to the computation of the signature. Any different >> serialization would still have to perform these computations. >> >> (Note also that some JWTs have three base64url-encoded fields >> separated by period characters and some have five, depending upon >> whether they are signed (three) or encrypted (five); deconstructing a >> value with a variable number of non-independent fields seems like >> significant unnecessary complexity.) >> >>>> ABNF syntax for the nonce value is provided at >>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop- >>>> 12.html#section-8-9 along with the description of its use in the >>>> DPoP exchange. >> >>> I see. It'd be better if it were explicitly called out as the syntax >>> for the field (ideally with a section title that makes this clear), >>> rather than making the reader do that work. >> >> I'm fine with us making the editorial improvement that you suggest. >> >>>> I believe that the SF String type would accommodate the content we >>>> intended to allow servers to use for the nonce (it's basically a >>>> server chosen value that the client treats as opaque and sends back >>>> in subsequent DPoP proof JWTs). However, that would be a breaking >>>> change, which shouldn't be undertaken lightly. >> >>> Right. It really depends on how advanced deployment of this is; if >>> there's only modest production use, it may still be reasonable to >>> make such a change (especially keeping in mind that people who adopt >>> drafts need to bear the consequences of doing so). >> >> I'm with Brian here. I don't believe that the cost/benefit tradeoff >> of the breaking change versus using the SF String type is a good one. >> >>> To be concrete -- what should an implementation do when it receives >>> two DPoP header fields, both with valid values? When it receives one >>> with two comma-separated values? >> >> These are great questions. I'll commit to us answering them in the >> next draft. >> >>>>> - The long line-wrapped example in Section 4.1 would benefit from >>>>> RFC8792 encoding. In HTTP, a line-wrapped field like the one shown >>>>> has whitespace inserted between each line, which is problematic >>>>> here. >>> >>>> This is a bit of a stylistic preference thing. That example and >>>> others in the draft are intentionally similar (with a note about >>>> line breaks and extra space being for display purposes) to closely >>>> related and referenced documents like RFC7515, RFC7519, and RFC6749. >>>> The examples from these RFCs seem to have worked well for >>>> readers/implementers in practice, and so we'd prefer to keep the >>>> formatting conventions in this draft the same as in those. >>> >>> Consistency between documents that specify HTTP protocol elements is >>> important, so I'd ask you to reconsider; while the community that has >>> been developing and implementing the specification may already be >>> familiar with it, aligning with other documents makes it easier for a >>> broader audience. See, for example, the Signatures specification: >>> https://httpwg.org/http-extensions/draft-ietf-httpbis-message- >>> signatures.html#name-request-response-signature- >> >> I'm fine with us making this editorial change to the examples, since >> you feel that this would help some readers of the specification. >> >> In closing, I'll say that I appreciate that the SF spec has done heavy >> lifting that we would do well to take advantage of. I appreciate you >> bringing it to our attention. That said, since SF's type system does >> not cleanly map to some of the DPoP fields, and since the use of SF is >> optional, I personally believe that the best route for us to take >> advantage of SF is to study it and ensure that the questions that SF >> answers for the field types that it defines are also answered for the >> fields defined by the DPoP draft. >> >> Best wishes, >> -- Mike >> >> -----Original Message----- >> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Mark Nottingham >> Sent: Sunday, January 22, 2023 7:13 PM >> To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> >> Cc: Amanda Baber via RT <drafts-expert-review-comment@iana.org>; >> oauth@ietf.org; Roy Fielding <fielding@gbiv.com> >> Subject: Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf- >> oauth-dpop (http-fields) >> >> Hi Brian, >> >>> On 21 Jan 2023, at 5:46 am, Brian Campbell >>> <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote: >>> >>> >>> Hi Mark, >>> >>> Thanks for the review and feedback. I am aware of HTTP Structured >>> Fields and certainly see value in it - even using it in some other >>> work in which I'm involved. However, I'm unsure of its fit or utility >>> for this draft. With that said, I've tried to reply more specifically >>> to your comments inline below. >>> >>> >>> On Wed, Jan 18, 2023 at 3:32 PM Mark Nottingham >>> <mnot=40mnot.net@dmarc.ietf.org> wrote: >>> A few things caught my eye in this document: >>> >>> - Section 4.1 defines the DPoP header field as a JWT, which (as I >>> understand it) is a base64-encoded string. If that's the case, I'd >>> recommend making it a Structured Field Item (see RFC8941 s 3.3) with >>> a fixed type of Byte Sequence (s 3.3.5). That will require changing >>> the syntax to add a prefix and suffix of ":". >>> >>> As Justin pointed out, a JWT is three Base64url encoded segments >>> delimited by the `.` period character, which means it can't be a SF >>> Byte Sequence. As DW pointed out, a JWT just happens to always start >>> with a letter because the first segment is always encoded JSON, so >>> will always start with 'ey'. So the DPoP header field value does just >>> happen to fit the SF Token syntax, But the SF Token syntax does very >>> little regarding the validity of the JWT. >> >> Keep in mind that HTTP header fields are basically sets of constrained >> octets with weird combination rules; if you don't use SF, you should >> be specifying (for example) what happens when two header values >> (and/or fields) are present (as per below). SF does a lot of the >> legwork here, even if from a type system standpoint it's not a perfect >> fit. >> >> That said, personally I'd deconstruct the JWT and convey it as >> separate binary values, so that if binary structured headers ever does >> catch on, it can get the perf/compactness advantages of that. >> >> >>> - The DPoP-Nonce header field's syntax isn't obviously specified. It >>> should be. I'd suggest a Structured Field Item with a fixed type of >>> String (RFC 8941 s 3.3.3), which would surrounding the value with >>> quotes. >>> >>> ABNF syntax for the nonce value is provided at >>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop- >>> 12.html#section-8-9 along with the description of its use in the DPoP >>> exchange. >> >> I see. It'd be better if it were explicitly called out as the syntax >> for the field (ideally with a section title that makes this clear), >> rather than making the reader do that work. >> >> >>> I believe that the SF String type would accommodate the content we >>> intended to allow servers to use for the nonce (it's basically a >>> server chosen value that the client treats as opaque and sends back >>> in subsequent DPoP proof JWTs). However, that would be a breaking >>> change, which shouldn't be undertaken lightly. >> >> Right. It really depends on how advanced deployment of this is; if >> there's only modest production use, it may still be reasonable to make >> such a change (especially keeping in mind that people who adopt drafts >> need to bear the consequences of doing so). >> >> >>> - Neither header has interoperable parsing or serialisation >>> specified; divergent error handling may cause interoperability >>> problems. Adopting Structured Fields would address this. >>> >>> Both are composed of a narrow set of printable ASCII with parsing, >>> validation, usage, and error handling specified at the application >>> layer. I'm not going to claim that it's perfect by any means. But >>> those interoperability problems seem conjectural and it's not obvious >>> that adopting Structured Fields would add value in the context of >>> this draft. >> >> To be concrete -- what should an implementation do when it receives >> two DPoP header fields, both with valid values? When it receives one >> with two comma-separated values? >> >> >>> - See RFC9110 s 16.3.2 for things that should be considered when >>> defining new HTTP fields. I suspect that the document needs to be >>> more explicit about at least some of these items. Adopting Structured >>> Fields would address some (but not all) of these questions. >>> >>> The authors (on-behalf-of and with the help of the WG) have >>> endeavored to touch on all the considerations needed to ensure >>> interoperability of the protocol overall as well as HTTP related >>> (e.g. caching, applicability to request/response, prohibiting >>> multiple occurrences, scope of applicability). However, the group >>> clearly does not have your depth of HTTP expertise so may well have >>> missed something. If that's the case, it would be very helpful for >>> specifics to be raised. >>> >>> - See also <https://httpwg.org/admin/editors/style-guide#header-and- >>> trailer-fields> for the preferred editorial style when defining new >>> HTTP fields. >>> >>> - The long line-wrapped example in Section 4.1 would benefit from >>> RFC8792 encoding. In HTTP, a line-wrapped field like the one shown >>> has whitespace inserted between each line, which is problematic here. >>> >>> This is a bit of a stylistic preference thing. That example and >>> others in the draft are intentionally similar (with a note about line >>> breaks and extra space being for display purposes) to closely related >>> and referenced documents like RFC7515, RFC7519, and RFC6749. The >>> examples from these RFCs seem to have worked well for >>> readers/implementers in practice, and so we'd prefer to keep the >>> formatting conventions in this draft the same as in those. >> >> Consistency between documents that specify HTTP protocol elements is >> important, so I'd ask you to reconsider; while the community that has >> been developing and implementing the specification may already be >> familiar with it, aligning with other documents makes it easier for a >> broader audience. See, for example, the Signatures specification: >> https://httpwg.org/http-extensions/draft-ietf-httpbis-message- >> signatures.html#name-request-response-signature- >> >> Cheers, >> >> >>> >>> Cheers, >>> >>> >>> >>> >>>> On 19 Jan 2023, at 5:30 am, David Dong via RT <drafts-expert-review- >>>> comment@iana.org> wrote: >>>> >>>> Dear Mark Nottingham and Roy Fielding (cc: oauth WG), >>>> >>>> As the designated experts for the http-fields registry, can you >>>> review the proposed registration in draft-ietf-oauth-dpop for us? >>>> Please see: >>>> >>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ >>>> >>>> The due date is February 1st, 2023. >>>> >>>> If this is OK, when the IESG approves the document for publication, >>>> we'll make the registration at >>>> >>>> https://www.iana.org/assignments/http-fields/http-fields.xhtml >>>> >>>> We'll wait for both reviewers to respond unless you tell us >>>> otherwise. >>>> >>>> With thanks, >>>> >>>> David Dong >>>> IANA Services Specialist >>> >>> -- >>> Mark Nottingham https://www.mnot.net/ >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> CONFIDENTIALITY NOTICE: This email may contain confidential and >>> privileged material for the sole use of the intended recipient(s). >>> Any review, use, distribution or disclosure by others is strictly >>> prohibited. If you have received this communication in error, please >>> notify the sender immediately by e-mail and delete the message and >>> any file attachments from your computer. Thank you. >> >> >> -- >> Mark Nottingham https://www.mnot.net/ >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > -- Mark Nottingham https://www.mnot.net/
- [OAUTH-WG] [IANA #1264432] expert review for draf… David Dong via RT
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mark Nottingham
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Justin Richer
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mark Nottingham
- Re: [OAUTH-WG] [IANA #1264432] expert review for … David Waite
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Brian Campbell
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Neil Madden
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Ryan Ridenour
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mark Nottingham
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mike Jones
- [OAUTH-WG] [IANA #1264432] expert review for draf… David Dong via RT
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mark Nottingham
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mike Jones
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mike Jones
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mark Nottingham
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mike Jones
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mike Jones
- Re: [OAUTH-WG] [IANA #1264432] expert review for … Mark Nottingham