IETF Logo Mail Archive

Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)

Mark Nottingham <mnot@mnot.net> Thu, 09 March 2023 01:36 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B472C15270B for <oauth@ietfa.amsl.com>; Wed, 8 Mar 2023 17:36:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b="Q3HNFZrN"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="ap6CsRCR"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0tJjGGHEKVM for <oauth@ietfa.amsl.com>; Wed, 8 Mar 2023 17:36:27 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13466C151707 for <oauth@ietf.org>; Wed, 8 Mar 2023 17:36:16 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 3F8325C00A1; Wed, 8 Mar 2023 20:36:16 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Wed, 08 Mar 2023 20:36:16 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to; s=fm2; t= 1678325776; x=1678412176; bh=y72edz/BmmDB0YIX1bUullbbdynjSO8z/8q OifzR+7c=; b=Q3HNFZrNQx3ys9tSKjRunN3HfoWYrsjp1g2OrG9SdBBK4iTHtaG JJ5pM2bcyRMR8MfM8Lp8GyAIQJjvY9fBqc1FGEHtcmQvsbfyU13Roi8ylL+mS3gu NuPxxPRVJXn3dmPSucS0/SRCs0ywiiA0upmEx6LFmyAG46PxOJKG6JDMqtLbVZiA QNkJ1yC65wC0kX8GjV1he1nneVze/WoidBat6pCkTHxk8GvfuCIht6j/z165CWX8 4iyzkS7e9MHy+o+BXdQ4v2SSo06PUbxNj1HXIJ+8NeTXfJk3Z9eprq6/Ua9gpR0H cK8npFnkDt8G5fbwLLmtooSUouga8Qm1RYQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t= 1678325776; x=1678412176; bh=y72edz/BmmDB0YIX1bUullbbdynjSO8z/8q OifzR+7c=; b=ap6CsRCRbPjUTwcG7NxYY8kARU1XQA+MRei/hF4YyVR5E7CEROJ /UJx5QTKJeWaqz68t2FEk3keE4ryu3u5Kv/zsZ0BNqJ57FQ4bQzXv9h0Wt+m8x4s RjHM5glRCoroBty3RvEKYCODUONEo1x5kimp1hGOXfgLoi8LaGCNx/CAu03/wG3r PJnuEH6QE1EcHmeQH6Z1nbu86XEarZUco5R2VPM3ta3GgqazO9ZE3x2Sodslf7rB QiSLiaSAbV2DjJLz4wcnF1DitZ0za3egyq2Kb9mmsRpnYhrBxYpu34QorCdt9ofH 4CH2BUWZvh74aZ21RI59IdMm2MJs/cpCc8g==
X-ME-Sender: <xms:DzgJZN3Mh_EceNFQXlVzE3GrwtLVbwm4JggzS5Rum01XQdkdlXvyhQ> <xme:DzgJZEHkkqK91-CORAl9A1M6Jxzqglont7Ap48CVOdtfnjbEWG-bjl1ijeCTTPoPb 46pG9_ZAskuxv4TCQ>
X-ME-Received: <xmr:DzgJZN7t6fKV1FB83YkoqiUVkfmmXH6lHmiV0CHiJwFBIm9P0pPoqFt78F5UMSIDITu2O_2r-Fprn8d191zcqR4XbcStqsA1_XKx_s8W4IJIzA4FDHK-MZSO>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddugedgfeefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhhtdejnecuhfhrohhmpeforghr khcupfhothhtihhnghhhrghmuceomhhnohhtsehmnhhothdrnhgvtheqnecuggftrfgrth htvghrnhepgfeikeeuveehuefhueefhfffgfegtdevjeegvedtgeehuefhhfffudduheef heegnecuffhomhgrihhnpehivghtfhdrohhrghdpghhithhhuhgsrdgtohhmpdhhthhtph dqfhhivghlughshhhimhgrrhhklhhikhgvsghrihgrnhhirghpphhrvggtihgrthgvhiho uhhruggvthgrihhlvggurhgvvhhivgifrdhmhidphhhtthhprhgvqhhuvghsthhhvggrug gvrhhfihgvlhgurdhinhdphhhtthhpfihgrdhorhhgnecuvehluhhsthgvrhfuihiivgep tdenucfrrghrrghmpehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvth
X-ME-Proxy: <xmx:EDgJZK0n26rYw0c8yK43zcUQsrAKXqaSr3r1neqGOj-4JACuyG2mqQ> <xmx:EDgJZAEXtXpbfTw-BUH42SyN1O1LfJ8RtEYq3VZXPhB_wb1fHQLO_A> <xmx:EDgJZL9NmIXZsIYN9CBFp3YEmSETvS5l0ZFvxCI9FlSIjX-Y-KZ0Fw> <xmx:EDgJZFSjkfnZE2HP7z12mMXHeKEj4rOB7QJQ9rikJ0JrnZtncASaCg>
Feedback-ID: ie6694242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 8 Mar 2023 20:36:13 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <MW4PR00MB1028D9273CBCD4EE23E5A841F5B59@MW4PR00MB1028.namprd00.prod.outlook.com>
Date: Thu, 09 Mar 2023 12:35:51 +1100
Cc: Roy Fielding <fielding@gbiv.com>, Amanda Baber via RT <drafts-expert-review-comment@iana.org>, "oauth@ietf.org" <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CB4AAF4F-DF75-4B3B-A8A5-86940789D3FD@mnot.net>
References: <RT-Ticket-1264432@icann.org> <rt-5.0.3-41757-1674065064-1576.1264432-9-0@icann.org> <rt-5.0.3-46491-1674066633-577.1264432-9-0@icann.org> <CC85682F-99E6-4D1D-8877-A81426526429@mnot.net> <CA+k3eCT0HN+LFkQCnfP2BhhPV=NaXaReRuV-ktA1Y=LNOsZ_qw@mail.gmail.com> <2D7F6171-D53F-4F3A-B46C-CF587B2AEDCF@mnot.net> <MW4PR00MB1028EF0ECBF9572B800E01ADF5C99@MW4PR00MB1028.namprd00.prod.outlook.com> <MW4PR00MB10283AB246D53FB6DCA96DA0F5B49@MW4PR00MB1028.namprd00.prod.outlook.com> <51BBBE87-4B05-4E8A-A823-4F498E2D3EC5@mnot.net> <MW4PR00MB1028A0ECD6B18AC3F26D63E3F5B49@MW4PR00MB1028.namprd00.prod.outlook.com> <MW4PR00MB1028D9273CBCD4EE23E5A841F5B59@MW4PR00MB1028.namprd00.prod.outlook.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YdpDq_05IxmMGNaaCASV4o5fNoo>
Subject: Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2023 01:36:32 -0000

I thought we already had; if not, approved.

Cheers,


> On 9 Mar 2023, at 12:32 pm, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
> 
> Hi Mark,
>  We’ve published https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-14.html, which incorporates the PR.  Could you please approve IANA registration of the HTTP fields on that basis?
>  Thanks again for your help with the draft.
>                                                         -- Mike
>  From: OAuth <oauth-bounces@ietf.org> On Behalf Of Mike Jones
> Sent: Tuesday, March 7, 2023 8:58 PM
> To: Mark Nottingham <mnot=40mnot.net@dmarc.ietf.org>
> Cc: Roy Fielding <fielding@gbiv.com>; Amanda Baber via RT <drafts-expert-review-comment@iana.org>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
>  Thanks - will do. 
>  From: Mark Nottingham <mnot=40mnot.net@dmarc.ietf.org>
> Sent: Tuesday, March 7, 2023 7:55:29 PM
> To: Mike Jones <Michael.Jones@microsoft.com>
> Cc: Brian Campbell <bcampbell@pingidentity.com>; Amanda Baber via RT <drafts-expert-review-comment@iana.org>; oauth@ietf.org <oauth@ietf.org>; Roy Fielding <fielding@gbiv.com>
> Subject: Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
>  Hi Mike,
> 
> Thanks. I left a comment on the PR, suggesting two small tweaks.
> 
> Cheers,
> 
> 
> > On 8 Mar 2023, at 2:33 pm, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
> > 
> > Hi Mark,
> > 
> > I've created the pull request https://github.com/danielfett/draft-dpop/pull/180 to incorporate your suggestions.  Please also see some additional replies below, which are prefixed by "Mike>".
> > 
> > Please let us know if you'd like to see any changes to the PR before we merge it and publish an updated draft incorporating your suggestions.
> > 
> > Thanks,
> > -- Mike
> > 
> > -----Original Message-----
> > From: Mike Jones 
> > Sent: Monday, January 23, 2023 11:42 PM
> > To: 'Mark Nottingham' <mnot=40mnot.net@dmarc.ietf.org>; Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
> > Cc: Amanda Baber via RT <drafts-expert-review-comment@iana.org>; oauth@ietf.org; Roy Fielding <fielding@gbiv.com>
> > Subject: RE: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
> > 
> > Hi Mark,
> > 
> > Like Brian, I appreciate your detailed review.  My thoughts on the review points are interleaved with the discussion text below.
> > 
> >> Keep in mind that HTTP header fields are basically sets of constrained octets with weird combination rules; if you don't use SF, you should be specifying (for example) what happens when two header values (and/or fields) are present (as per below). SF does a lot of the legwork here, even if from a type system standpoint it's not a perfect fit.
> > 
> > I agree that we should specify these things - probably using language parallel to that in the SF draft, where appropriate.  I also share your assessment that, unfortunately, the SF type system is not an ideal fit for the DPoP headers.
> > 
> > Mike> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-13.html#name-checking-dpop-proofs does include the validation check "there is not more than one DPoP HTTP request header field".  In the PR, I also explicitly added that the there is a single field value.
> > 
> >> That said, personally I'd deconstruct the JWT and convey it as separate binary values, so that if binary structured headers ever does catch on, it can get the perf/compactness advantages of that.
> > 
> > Deconstructing the JWT would entail defining a new JWT serialization (representation).  Currently there is exactly one JWT serialization and this specification uses it.  I suspect developers would like us to keep it that way.
> > 
> > Only one of the fields of a signed JWT is actually binary (the signature); the header and payload are JSON.  All are encoded using the base64 URL-safe character set (letters, numbers, -, and _ with no trailing =s) for safe transmission with encoded fields separated by the also URL-safe character period.  Furthermore, the signature is computed over the base64url-encoded values of the first two fields with a period between them.  The base64url encoding and concatenation is integral to the computation of the signature.  Any different serialization would still have to perform these computations.
> > 
> > (Note also that some JWTs have three base64url-encoded fields separated by period characters and some have five, depending upon whether they are signed (three) or encrypted (five); deconstructing a value with a variable number of non-independent fields seems like significant unnecessary complexity.)
> > 
> >>> ABNF syntax for the nonce value is provided at https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-12.html#section-8-9 along with the description of its use in the DPoP exchange.
> > 
> >> I see. It'd be better if it were explicitly called out as the syntax for the field (ideally with a section title that makes this clear), rather than making the reader do that work.
> > 
> > Mike> The nonce syntax ABNF now has its own section title in the PR.
> > 
> > I'm fine with us making the editorial improvement that you suggest.
> > 
> >>> I believe that the SF String type would accommodate the content we intended to allow servers to use for the nonce (it's basically a server chosen value that the client treats as opaque and sends back in subsequent DPoP proof JWTs). However, that would be a breaking change, which shouldn't be undertaken lightly.
> > 
> >> Right. It really depends on how advanced deployment of this is; if there's only modest production use, it may still be reasonable to make such a change (especially keeping in mind that people who adopt drafts need to bear the consequences of doing so).
> > 
> > I'm with Brian here.  I don't believe that the cost/benefit tradeoff of the breaking change versus using the SF String type is a good one.
> > 
> >> To be concrete -- what should an implementation do when it receives two DPoP header fields, both with valid values? When it receives one with two comma-separated values?
> > 
> > These are great questions.  I'll commit to us answering them in the next draft.
> > 
> > Mike> Per my earlier comment about the validation rules, these issues are both addressed in the rules.
> > 
> >>>> - The long line-wrapped example in Section 4.1 would benefit from RFC8792 encoding. In HTTP, a line-wrapped field like the one shown has whitespace inserted between each line, which is problematic here.
> >> 
> >>> This is a bit of a stylistic preference thing. That example and others in the draft are intentionally similar (with a note about line breaks and extra space being for display purposes) to closely related and referenced documents like RFC7515, RFC7519, and RFC6749. The examples from these RFCs seem to have worked well for readers/implementers in practice, and so we'd prefer to keep the formatting conventions in this draft the same as in those.
> >> 
> >> Consistency between documents that specify HTTP protocol elements is important, so I'd ask you to reconsider; while the community that has been developing and implementing the specification may already be familiar with it, aligning with other documents makes it easier for a broader audience. See, for example, the Signatures specification: https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html#name-request-response-signature-
> > 
> > I'm fine with us making this editorial change to the examples, since you feel that this would help some readers of the specification.
> > 
> > Mike> I applied RFC 8792 '\' line wrapping.
> > 
> > In closing, I'll say that I appreciate that the SF spec has done heavy lifting that we would do well to take advantage of.  I appreciate you bringing it to our attention.  That said, since SF's type system does not cleanly map to some of the DPoP fields, and since the use of SF is optional, I personally believe that the best route for us to take advantage of SF is to study it and ensure that the questions that SF answers for the field types that it defines are also answered for the fields defined by the DPoP draft.
> > 
> > Best wishes,
> > -- Mike
> > 
> > -----Original Message-----
> > From: OAuth <oauth-bounces@ietf.org> On Behalf Of Mark Nottingham
> > Sent: Sunday, January 22, 2023 7:13 PM
> > To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
> > Cc: Amanda Baber via RT <drafts-expert-review-comment@iana.org>; oauth@ietf.org; Roy Fielding <fielding@gbiv.com>
> > Subject: Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
> > 
> > Hi Brian,
> > 
> >> On 21 Jan 2023, at 5:46 am, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> >> 
> >> 
> >> Hi Mark,
> >> 
> >> Thanks for the review and feedback. I am aware of HTTP Structured Fields and certainly see value in it - even using it in some other work in which I'm involved. However, I'm unsure of its fit or utility for this draft. With that said, I've tried to reply more specifically to your comments inline below. 
> >> 
> >> 
> >> On Wed, Jan 18, 2023 at 3:32 PM Mark Nottingham <mnot=40mnot.net@dmarc.ietf.org> wrote:
> >> A few things caught my eye in this document:
> >> 
> >> - Section 4.1 defines the DPoP header field as a JWT, which (as I understand it) is a base64-encoded string. If that's the case, I'd recommend making it a Structured Field Item (see RFC8941 s 3.3) with a fixed type of Byte Sequence (s 3.3.5). That will require changing the syntax to add a prefix and suffix of ":".
> >> 
> >> As Justin pointed out, a JWT is three Base64url encoded segments delimited by the `.` period character, which means it can't be a SF Byte Sequence.  As DW pointed out, a JWT just happens to always start with a letter because the first segment is always encoded JSON, so will always start with 'ey'. So the DPoP header field value does just happen to fit the SF Token syntax, But the SF Token syntax does very little regarding the validity of the JWT. 
> > 
> > Keep in mind that HTTP header fields are basically sets of constrained octets with weird combination rules; if you don't use SF, you should be specifying (for example) what happens when two header values (and/or fields) are present (as per below). SF does a lot of the legwork here, even if from a type system standpoint it's not a perfect fit.
> > 
> > That said, personally I'd deconstruct the JWT and convey it as separate binary values, so that if binary structured headers ever does catch on, it can get the perf/compactness advantages of that.
> > 
> > 
> >> - The DPoP-Nonce header field's syntax isn't obviously specified. It should be. I'd suggest a Structured Field Item with a fixed type of String (RFC 8941 s 3.3.3), which would surrounding the value with quotes.
> >> 
> >> ABNF syntax for the nonce value is provided at https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-12.html#section-8-9 along with the description of its use in the DPoP exchange.
> > 
> > I see. It'd be better if it were explicitly called out as the syntax for the field (ideally with a section title that makes this clear), rather than making the reader do that work.
> > 
> > 
> >> I believe that the SF String type would accommodate the content we intended to allow servers to use for the nonce (it's basically a server chosen value that the client treats as opaque and sends back in subsequent DPoP proof JWTs). However, that would be a breaking change, which shouldn't be undertaken lightly.
> > 
> > Right. It really depends on how advanced deployment of this is; if there's only modest production use, it may still be reasonable to make such a change (especially keeping in mind that people who adopt drafts need to bear the consequences of doing so).
> > 
> > 
> >> - Neither header has interoperable parsing or serialisation specified; divergent error handling may cause interoperability problems. Adopting Structured Fields would address this.
> >> 
> >> Both are composed of a narrow set of printable ASCII with parsing, validation, usage, and error handling specified at the application layer. I'm not going to claim that it's perfect by any means. But those interoperability problems seem conjectural and it's not obvious that adopting Structured Fields would add value in the context of this draft. 
> > 
> > To be concrete -- what should an implementation do when it receives two DPoP header fields, both with valid values? When it receives one with two comma-separated values?
> > 
> > 
> >> - See RFC9110 s 16.3.2 for things that should be considered when defining new HTTP fields. I suspect that the document needs to be more explicit about at least some of these items. Adopting Structured Fields would address some (but not all) of these questions.
> >> 
> >> The authors (on-behalf-of and with the help of the WG) have endeavored to touch on all the considerations needed to ensure interoperability of the protocol overall as well as HTTP related (e.g. caching, applicability to request/response, prohibiting multiple occurrences, scope of applicability). However, the group clearly does not have your depth of HTTP expertise so may well have missed something. If that's the case, it would be very helpful for specifics to be raised. 
> >> 
> >> - See also <https://httpwg.org/admin/editors/style-guide#header-and-trailer-fields> for the preferred editorial style when defining new HTTP fields.
> >> 
> >> - The long line-wrapped example in Section 4.1 would benefit from RFC8792 encoding. In HTTP, a line-wrapped field like the one shown has whitespace inserted between each line, which is problematic here.
> >> 
> >> This is a bit of a stylistic preference thing. That example and others in the draft are intentionally similar (with a note about line breaks and extra space being for display purposes) to closely related and referenced documents like RFC7515, RFC7519, and RFC6749. The examples from these RFCs seem to have worked well for readers/implementers in practice, and so we'd prefer to keep the formatting conventions in this draft the same as in those.
> > 
> > Consistency between documents that specify HTTP protocol elements is important, so I'd ask you to reconsider; while the community that has been developing and implementing the specification may already be familiar with it, aligning with other documents makes it easier for a broader audience. See, for example, the Signatures specification:
> > https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html#name-request-response-signature-
> > 
> > Cheers,
> > 
> > 
> >> 
> >> Cheers,
> >> 
> >> 
> >> 
> >> 
> >>> On 19 Jan 2023, at 5:30 am, David Dong via RT <drafts-expert-review-comment@iana.org> wrote:
> >>> 
> >>> Dear Mark Nottingham and Roy Fielding (cc: oauth WG),
> >>> 
> >>> As the designated experts for the http-fields registry, can you review the proposed registration in draft-ietf-oauth-dpop for us? Please see:
> >>> 
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
> >>> 
> >>> The due date is February 1st, 2023.
> >>> 
> >>> If this is OK, when the IESG approves the document for publication, we'll make the registration at
> >>> 
> >>> https://www.iana.org/assignments/http-fields/http-fields.xhtml
> >>> 
> >>> We'll wait for both reviewers to respond unless you tell us otherwise.
> >>> 
> >>> With thanks,
> >>> 
> >>> David Dong
> >>> IANA Services Specialist
> >> 
> >> --
> >> Mark Nottingham   https://www.mnot.net/
> >> 
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >> 
> >> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
> > 
> > 
> > --
> > Mark Nottingham   https://www.mnot.net/
> > 
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> 
> --
> Mark Nottingham   https://www.mnot.net/


--
Mark Nottingham   https://www.mnot.net/

v2.23.0 | Report a Bug | By Email