Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt

Brian Campbell <bcampbell@pingidentity.com> Wed, 22 July 2020 22:14 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 029983A0828 for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 15:14:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X6NBnx3J0MIz for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 15:14:05 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D0E93A081B for <oauth@ietf.org>; Wed, 22 Jul 2020 15:14:04 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id q7so4231399ljm.1 for <oauth@ietf.org>; Wed, 22 Jul 2020 15:14:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FzSjJ92IlO+hO2wiS3AwgUlMtq3P3Obwo5+1C3jZ0Rs=; b=B+zaQvZKOxS97q8EcwAQo139ILgiAylVCk1yR8cFrQA7tIMF6rwohumBw8djiTO0Gc o5fdeAxY2hRzwyEhFHNY5jxvHnSxcX+BtwpRlFYnF66Ftg9i61Iry+DHsS94kqzBx40r Yp1hYwQgnld14Wgfpqi4I3FOsfWyDrRbWjMeCAfr0TWVW96EtVD7iXZ3b3OrxEfb8dpV plqxJisPVVeTxbmqsE4POoHh46R/xVf+m0Dh2eX4IstaHV0nrQbv00jyvZFsk/LhQr3b hRnhsdB20DNGRfB0nKCEgn6+AVjqHcxl82XyCodlIol/IlzWNZ8uI4MPcdTlAWBykVh0 59sQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FzSjJ92IlO+hO2wiS3AwgUlMtq3P3Obwo5+1C3jZ0Rs=; b=Ye1tzvbclPY1doCnZlRSRC+jQmX5ruNBK2YbJZDKA2V/QF5e/IUxCunh3Qj3G0GRIw 2HPdwwIUUAbiyCbR7a3LxzQd4s4bNNSitFkgvgYzKtotSTsORUTP0MPUiJKZE9hKef2n /Fcs7GCa5aF/sRUenn42dl5yzRhkjzw3Dja3rNtgOcoxyfKVp4c5WoQgoxIDaOApcZg4 fT8X1qzjqJMaOd/pF3ltkam6jbiYvgyTUTZBCO+zrEgh/9E+mVy4Hh4dmY/aLEBhS2Y0 QN4VNZFDrHia+6fXpKyIYUH2i1AYwwOWTu1hjCkJYEaeY5+VP4FAFwuDp68Fn/llReMC xkyw==
X-Gm-Message-State: AOAM530QqOvHFRWmZvodyNmsmiQ40Qhgk5pHapPht8nOgJzSAlW8UO2C KFSB+lF5GAMDODs6Zr7EPh8LvVafkE0SiKv+oTt7vt6LfD8VSCSqYfYwzZkkn01Q+8Jk9EGgQSY NpyVaqlISLOc73g5GO2A=
X-Google-Smtp-Source: ABdhPJzhR40cdVg010pGf2R3BccsiXH31HVy8hyDP1c+T94FSj0Yq32ch4y6c0xI2dta79InHgxwKbzCo7qtZVQrmE4=
X-Received: by 2002:a2e:9943:: with SMTP id r3mr522897ljj.280.1595456042327; Wed, 22 Jul 2020 15:14:02 -0700 (PDT)
MIME-Version: 1.0
References: <159440889543.18992.875170114115905147@ietfa.amsl.com> <CA+k3eCQzkFo_NPsRp+vb05YyDsuPzQNH-0Ldm26uvwtCRfgvSA@mail.gmail.com> <67e8c6aa-4077-cdae-f6a2-0fc3f3aa82ac@connect2id.com>
In-Reply-To: <67e8c6aa-4077-cdae-f6a2-0fc3f3aa82ac@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 22 Jul 2020 16:13:35 -0600
Message-ID: <CA+k3eCRWSFGHPb9Yo1POR_YqZLELyhEuYuUsObcXMebxtnySBg@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a87bce05ab0f0e3b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Qu4eCm0vsHeP0TBBSustJVINBIM>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2020 22:14:07 -0000

Thanks Vladimir, both comments should be easy to address in -03 (HTTPS/TLS
required and SHOULD on short lifetime *and* single use).

On Sun, Jul 19, 2020 at 12:55 PM Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> Thanks for the update. With the "require PAR" AS and client metadata the
> spec is now "policy complete". I can't think of what else there is to add.
>
>
> I have two comments about -02:
>
>
> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2
>
> I didn't see a mention of https / TLS being required for the PAR endpoint.
> The reader could assume http is fine.
>
>
> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2.2
>
>    Since the request URI can be replayed, its lifetime SHOULD be short
>    and preferably limited to one-time use.
>
> The SHOULD is ambiguous here - does it apply to the lifetime only, or to
> the lifetime and the single use.
>
>
> Vladimir
>
>
> On 10/07/2020 21:36, Brian Campbell wrote:
>
> WG,
>
> A new -02 draft of "OAuth 2.0 Pushed Authorization Requests" has been
> published. A summary of the changes, taken from the document history, is
> included below for ease of reference.
>
>    -02
>
>    *  Update Resource Indicators reference to the somewhat recently
>       published RFC 8707 <https://datatracker.ietf.org/doc/html/rfc8707>
>
>    *  Added metadata in support of pushed authorization requests only
>       feature
>
>    *  Update to comply with draft-ietf-oauth-jwsreq-21 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-21>, which requires
>       "client_id" in the authorization request in addition to the
>       "request_uri"
>
>    *  Clarified timing of request validation
>
>    *  Add some guidance/options on the request URI structure
>
>    *  Add the key used in the request object example so that a reader
>       could validate or recreate the request object signature
>
>    *  Update to draft-ietf-oauth-jwsreq-25 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-25> and added note regarding
>       "require_signed_request_object"
>
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Fri, Jul 10, 2020 at 1:21 PM
> Subject: New Version Notification for draft-ietf-oauth-par-02.txt
> To: Filip Skokan <panva.ip@gmail.com>om>, Torsten Lodderstedt <
> torsten@lodderstedt.net>gt;, Brian Campbell <bcampbell@pingidentity.com>om>,
> Dave Tonge <dave@tonge.org>rg>, Nat Sakimura <nat@sakimura.org>
>
>
>
> A new version of I-D, draft-ietf-oauth-par-02.txt
> has been successfully submitted by Brian Campbell and posted to the
> IETF repository.
>
> Name:           draft-ietf-oauth-par
> Revision:       02
> Title:          OAuth 2.0 Pushed Authorization Requests
> Document date:  2020-07-10
> Group:          oauth
> Pages:          18
> URL:
> https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
> Htmlized:       https://tools..ietf.org/html/draft-ietf-oauth-par-02
> <https://tools.ietf.org/html/draft-ietf-oauth-par-02>
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-02
>
> Abstract:
>    This document defines the pushed authorization request endpoint,
>    which allows clients to push the payload of an OAuth 2.0
>    authorization request to the authorization server via a direct
>    request and provides them with a request URI that is used as
>    reference to the data in a subsequent authorization request.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
> --
> Vladimir Dzhuvinov
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._