Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP
Brian Campbell <bcampbell@pingidentity.com> Mon, 30 November 2020 16:49 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 30 Nov 2020 09:49:24 -0700
Message-ID: <CA+k3eCQ+QKWfW8RsutYk94LmeHR+NWwHmxWJRnXLkHkRHEER-w@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Srp-zHqYvKbyGoV23etB9aAmUvg>
Hi Denis,

The choice to use "iat" vs. "exp" was made in the summer of last year. You can see some of the discussion from then in https://github.com/danielfett/draft-dpop/issues/38. I believe it pretty well has consensus at this point and is thus unlikely to be changed.

While I do believe there are reasonable arguments that can be made on both sides of using either of "iat" or "exp", it's difficult (and honestly time consuming and very frustrating) to try and have such discussions or even respond in a coherent way when fundamental aspects of the draft are misrepresented or misunderstood. For example, the DPoP proof JWT is created by the client, not the AS, so the advantages you put forward are nonsensical in the context of the actual workings of the draft.

On Mon, Nov 30, 2020 at 8:45 AM Denis <denis.ietf@free.fr> wrote:

> One comment on slide 5 about the *time window*.
>
> At the bottom, on the left, it is written: "Only valid for a limited *time window* relative to creation time".
>
> While the creation time is defined by "iat", the *time window* is currently left at the discretion of each RS.
>
> It would be preferable to mandate the inclusion in the JWT of the exp (Expiration Time) Claim.
> In this way, the *time window* would be defined by the AS using both the "iat" and the "exp" claims.
>
> This would have the following advantages:
>
> - The client will know whether a token is still usable and is unlikely to get a rejection of the token because of an unknown time window defined by a RS.
>
> - The RS is able to manage the "jti" claim values better, because it will be able to discard "jti" claim values as soon as they are outside the time window defined by the AS in a JWT.
>
> Denis
>
> > All,
> >
> > This is a reminder that we have an Interim meeting this Monday, Nov 30th @ 12:00pm ET, to discuss the latest with the *DPoP* document:
> > https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
> >
> > You can find the details of the meeting and the slides here:
> > https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth
> >
> > Regards,
> > Rifaat & Hannes
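The RS-side checks the thread argues about, as an added illustration that is not part of this email or of the DPoP draft: the proof's "iat" is accepted only within a window the RS chooses (the draft's approach), an "exp" claim is honoured if a client happens to include one (Denis's proposal, treated here as optional rather than mandated), and the "jti" replay cache is pruned once an entry falls outside the window, which is the bookkeeping benefit Denis describes. It assumes the proof's signature and its binding to the request method and URI were already verified upstream; the claims dict, window and skew values are constructed.

```python
"""DPoP proof claim checks at a resource server: iat window, optional exp,
and a jti replay cache bounded by that window (added illustration)."""
import time
from collections import OrderedDict


class DPoPReplayGuard:
    """Assumes the proof JWT's signature was already verified against the JWK
    in its header and htm/htu were matched; only the claims are examined."""

    def __init__(self, window_seconds=300, allowed_skew=30):
        self.window = window_seconds      # RS-chosen acceptance window (constructed)
        self.skew = allowed_skew          # tolerated clock skew (constructed)
        self._seen = OrderedDict()        # jti -> iat, in order of arrival

    def _prune(self, now):
        # Drop jti values whose proof could no longer pass the iat check anyway,
        # so the cache size is bounded by the window rather than by traffic.
        cutoff = now - self.window - self.skew
        for jti in [j for j, iat in self._seen.items() if iat < cutoff]:
            del self._seen[jti]

    def cached_count(self):
        return len(self._seen)

    def check(self, claims, now=None):
        """Return (accepted, reason) for one decoded proof's claims."""
        now = time.time() if now is None else now
        for name in ("jti", "iat"):
            if name not in claims:
                return False, f"missing {name}"
        iat = claims["iat"]
        if not isinstance(iat, (int, float)) or isinstance(iat, bool):
            return False, "iat not numeric"
        if iat > now + self.skew:
            return False, "iat in the future"
        if iat < now - self.window:
            return False, "proof outside acceptance window"
        # Optional: if the client chose to include exp, enforce it too.
        exp = claims.get("exp")
        if exp is not None and now > exp + self.skew:
            return False, "proof expired (exp)"
        self._prune(now)
        if claims["jti"] in self._seen:
            return False, "replayed jti"
        self._seen[claims["jti"]] = iat
        return True, "ok"
```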