[OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-iss-auth-resp-03: (with COMMENT)

Robert Wilton via Datatracker <noreply@ietf.org> Tue, 30 November 2021 10:30 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CEC153A11ED; Tue, 30 Nov 2021 02:30:34 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Robert Wilton via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-oauth-iss-auth-resp@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rifaat.s.ietf@gmail.com, rifaat.s.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.40.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Robert Wilton <rwilton@cisco.com>
Message-ID: <163826823482.22222.14507198184402043742@ietfa.amsl.com>
Date: Tue, 30 Nov 2021 02:30:34 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YoM3C_y_MSxv2dQMF6MzfSSIZJs>
Subject: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-iss-auth-resp-03: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 10:30:35 -0000

Robert Wilton has entered the following ballot position for
draft-ietf-oauth-iss-auth-resp-03: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Hi,

Thanks for this document, just one comment on a couple of sentences in the
security section that I found unclear in this paragraph:

   There are also alternative countermeasures to mix-up attacks.  When
   an authorization response already includes an authorization server's
   issuer identifier by other means, and this identifier is checked as
   laid out in Section 2.4, the use and verification of the iss
   parameter is not necessary and MAY be omitted.  This is the case when
   OpenID Connect response types that return an ID token from the
   authorization endpoint (e.g., response_type=code id_token) or JARM
   response mode are used, for example.  However, if a client receives
   an authorization response that contains multiple issuer identifiers,
   the client MUST reject the response if these issuer identifiers do
   not match.  The details of alternative countermeasures are outside of
   the scope of this specification.

I'm probably missing something but this seems to suggest both:
 - the use and verification of the iss parameter is not necessary and MAY be
 omitted. - if a client receives an authorization response that contains
 multiple issuer identifiers,
   the client MUST reject the response if these issuer identifiers do not match.

These seems to conflict to me, but perhaps I'm misunderstanding their intent?

Regards,
Rob