Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

Brian Campbell <> Mon, 30 November 2020 16:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 27C663A0E99 for <>; Mon, 30 Nov 2020 08:49:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id whNFbexLS1Mp for <>; Mon, 30 Nov 2020 08:49:53 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CA1123A0EBF for <>; Mon, 30 Nov 2020 08:49:52 -0800 (PST)
Received: by with SMTP id v14so22919845lfo.3 for <>; Mon, 30 Nov 2020 08:49:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NY2m/7r+rTNMp5dI1Lvy/NglcupZGJDrbveZGcRXsoo=; b=b/61fmNUBmUhW4MVBUrvpxelLSnYs7rFcSBY+49E2ysSZ052PPJ3f/whBExZ9PRv0N Cp0L97H+jw5axqZlkBR3FBrvStw2kiCZP4EH6ZCFZMl12siEPyBohFOh6pGc267e2ok9 zh202a9h1aEZHuO4Tr/j/Gq78igiwXg1NN3ZxdlasIEZnIr2FR8pS8q0mdLYfTDmfNnK z83mbJiN2TAp+Tpxa2gLQ//VPvJeBb0gzDgdCdpstOfW1Heq1t/EsuwfYGG+5hqVSthD AK6nlXPqXl7i8D4GIK2o+7kIjg+vlZm2SrgVRK09zjhnXgacwSqVbFxNorCf63WqViOI aqug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NY2m/7r+rTNMp5dI1Lvy/NglcupZGJDrbveZGcRXsoo=; b=Zlzg2Rgho3xvtNTnxLXpHhrvRnXtk1pVGnqGvGaOM7snu2Ymug43ubXnEcU1Spt0b/ K2qVsCNmZLZgbPDLUCTiQQ01sB+e/FbAgc6eVI8F3LzkD5CXQddNsF7C3F4Qucd3kYr5 /bKye5R2/xCKXCLMIaXQ+GKg5a2ChcpAMKNsH1vSqru6FvGgd8VU1BWZymya/IkuC1Z2 vCtk96NKeYYEuQZx9uuPc96dSvaDuWTx+rDcAa2m9BcHMlRTNlUdsyYPUATSyAG1/Fpi 0a459e4VYl11KGC1ydLPm71MptCOTzjqqKgQo4lprr5HlfbzzmAYyR+ditIKdrsa5Y5A iJRA==
X-Gm-Message-State: AOAM533uyiCZFdoL4YfFwPZ6mxVXjZempWlw0QwP2Hiogvi9OBbofyZJ j4l0/6w80n7vBD00cIRoOebatbq4ZE1H3eauztdhUIfl6Sq7RzOVLiSDTLFSU9TGvYxt1+UEEEB vLrZAPbPhZbHGag==
X-Google-Smtp-Source: ABdhPJxlXtuB9+RNuU6kxqJl6Z2aJ7gpbTH6ADsTkW3hlVQVu2PTTQexg3EW8HuYw8vntzhDih7/WdO/4rkj1wyhbJs=
X-Received: by 2002:a19:5215:: with SMTP id m21mr7291908lfb.407.1606754990983; Mon, 30 Nov 2020 08:49:50 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Mon, 30 Nov 2020 09:49:24 -0700
Message-ID: <>
To: Denis <>
Cc: oauth <>
Content-Type: multipart/alternative; boundary="0000000000007ab25f05b555ccf4"
Archived-At: <>
Subject: Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 30 Nov 2020 16:49:55 -0000

Hi Denis,

The choice to use "iat" vs. "exp" was made in the summer of last year. You
can see some of the discussion from then in I believe it pretty
well has consensus at this point and thus unlikely to be changed.

While I do believe there are reasonable arguments that can be made on both
sides of using either of "iat" or "exp", it's difficult (and honestly time
consuming and very frustrating) to try and have such discussions or even
respond in a coherent way when fundamental aspects of the draft are
misrepresented or misunderstood. For example, the DPoP proof JWT is created
by the client not the AS so the advantages you put forward are nonsensical
in the context of the actual workings of the draft.

On Mon, Nov 30, 2020 at 8:45 AM Denis <> wrote:

> One comment on slide 5 about the *time window*.
> At the bottom, on the left, it is written: "Only valid for a limited *time
> window* relative to creation time".
> While the creation time is defined by "iat", the *time window* is
> currently left at the discretion of each RS.
> It would be preferable to mandate the inclusion in the JWT of the exp
> (Expiration Time) Claim.
> In this way, the *time window *would be defined by the AS using both the
> "iat" and the "exp" claims.
> This would have the following advantages:
>    - The client will know whether a token is still usable and is unlikely
>    to get a rejection of the token
>    because of an unknown time window defined by a RS.
>    - The RS is able to manage better the "jti" claim values, because it
>    will be able to discard "jti" claim values
>    as soon as they are outside the time window defined by the AS in a JWT.
> Denis
> All,
> This is a reminder that we have an Interim meeting this Monday, Nov 30th @
> 12:00pm ET, to discuss the latest with the *DPoP *document:
> You can find the details of the meeting and the slides here:
> Regards,
>  Rifaat & Hannes
> _______________________________________________
> OAuth mailing listOAuth@ietf.org
> _______________________________________________
> OAuth mailing list

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._