Re: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-iss-auth-resp-03: (with COMMENT)

"Rob Wilton (rwilton)" <rwilton@cisco.com> Wed, 05 January 2022 15:40 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "draft-ietf-oauth-iss-auth-resp@ietf.org" <draft-ietf-oauth-iss-auth-resp@ietf.org>
Date: Wed, 05 Jan 2022 15:40:18 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ct4Sje8z6aJqnxLF9uUZRyF1U3M>

Hi Roman,

Thanks for getting back to me - I'm somewhat out of my depth here, but really I think that I find this sentence to be somewhat ambiguous:  "the use and verification of the iss parameter is not necessary and MAY be omitted."

I read this as allowing both:
 (i) a sender can choose to not include the iss parameter (under the given scenarios).
 (ii) a receiver can choose to not verify the iss parameter (under the given scenarios).

From your comments below, I think that the text is only intended to mean (i). If so, perhaps the sentence would be clearer as just "the iss parameter is not necessary and MAY be omitted"?

But if you feel that the text is sufficiently clear, that is also okay with me.

Thanks,
Rob


> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Roman Danyliw
> Sent: 05 January 2022 15:13
> To: Rob Wilton (rwilton) <rwilton@cisco.com>; The IESG <iesg@ietf.org>
> Cc: oauth-chairs@ietf.org; oauth@ietf.org; draft-ietf-oauth-iss-auth-resp@ietf.org
> Subject: RE: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-iss-auth-resp-03: (with COMMENT)
> 
> Hi Rob!
> 
> Thanks for your review. I wanted to close the loop on your COMMENT.  See
> below.
> 
> > -----Original Message-----
> > From: OAuth <oauth-bounces@ietf.org> On Behalf Of Robert Wilton via Datatracker
> > Sent: Tuesday, November 30, 2021 5:31 AM
> > To: The IESG <iesg@ietf.org>
> > Cc: oauth@ietf.org; draft-ietf-oauth-iss-auth-resp@ietf.org; oauth-chairs@ietf.org
> > Subject: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-iss-auth-resp-03: (with COMMENT)
> >
> > Robert Wilton has entered the following ballot position for
> > draft-ietf-oauth-iss-auth-resp-03: No Objection
> >
> > When responding, please keep the subject line intact and reply to all email
> > addresses included in the To and CC lines. (Feel free to cut this introductory
> > paragraph, however.)
> >
> >
> > Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
> > for more information about how to handle DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
> >
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Hi,
> >
> > Thanks for this document, just one comment on a couple of sentences in
> > the security section that I found unclear in this paragraph:
> >
> >    There are also alternative countermeasures to mix-up attacks.  When
> >    an authorization response already includes an authorization server's
> >    issuer identifier by other means, and this identifier is checked as
> >    laid out in Section 2.4, the use and verification of the iss
> >    parameter is not necessary and MAY be omitted.  This is the case when
> >    OpenID Connect response types that return an ID token from the
> >    authorization endpoint (e.g., response_type=code id_token) or JARM
> >    response mode are used, for example.  However, if a client receives
> >    an authorization response that contains multiple issuer identifiers,
> >    the client MUST reject the response if these issuer identifiers do
> >    not match.  The details of alternative countermeasures are outside of
> >    the scope of this specification.
> >
> > I'm probably missing something but this seems to suggest both:
> >  - the use and verification of the iss parameter is not necessary and MAY be omitted.
> >  - if a client receives an authorization response that contains multiple issuer identifiers,
> >    the client MUST reject the response if these issuer identifiers do not match.
> 
> Indeed, both are suggested courses of action, but across three scenarios:
> 
> (a) one iss which gets compared against the server's metadata document
> (paragraph 2 of Section 2.4)
> (b) no iss is present because there is an OpenID Connect ID token or JARM JWT
> (both mechanisms provide a nearly equivalent mitigation to "iss", see last
> three paragraphs of Section 2.4)
> (c) multiple iss where the above behavior applies for rejection if they don't
> match; and also checks per (a) (this text)
> 
> Regards,
> Roman
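The three scenarios Roman lists map directly onto a client-side check of the authorization response. The following is an added example in Python, not code from the draft, from either author, or from any OAuth library; it assumes the client keyed its pending requests by `state` with the issuer taken from the AS metadata document it used, and that any ID token or JARM JWT has already been signature-validated so only its claims are passed in. All names and sample values are invented.

```python
from urllib.parse import parse_qs, urlparse


class MixUpError(Exception):
    """Response could not be bound to the authorization server the client used."""


# Constructed sample: state -> issuer from the metadata document the client
# fetched when it built the authorization request (hypothetical values).
PENDING_REQUESTS = {"s1": "https://as.example.com"}


def validate_authorization_response(redirect_url, pending_requests, id_token_claims=None):
    """Return the code bound to the expected issuer, or raise MixUpError.

    id_token_claims: claims of an already signature-validated ID token or
    JARM JWT carried by the response (None when there is none).
    """
    params = parse_qs(urlparse(redirect_url).query)
    state = params.get("state", [None])[0]
    expected_iss = pending_requests.get(state)
    if expected_iss is None:
        raise MixUpError("unknown or missing state")

    # Gather every issuer identifier the response carries, by source.
    issuers = {}
    if "iss" in params:
        if len(params["iss"]) != 1:
            raise MixUpError("iss parameter must not be repeated")
        issuers["iss"] = params["iss"][0]
    if id_token_claims and "iss" in id_token_claims:
        issuers["jwt"] = id_token_claims["iss"]

    if not issuers:
        # Scenario (b) only applies when some other issuer identifier exists.
        raise MixUpError("response carries no issuer identifier")
    if len(set(issuers.values())) > 1:
        # Scenario (c): several identifiers that disagree -> reject.
        raise MixUpError(f"conflicting issuer identifiers: {issuers}")

    # Scenarios (a)/(b): exact string comparison against the expected issuer.
    (iss,) = set(issuers.values())
    if iss != expected_iss:
        raise MixUpError(f"issuer {iss!r} != expected {expected_iss!r}")
    return {"state": state, "iss": iss, "code": params.get("code", [None])[0]}
```

The exact-match comparison is the whole mitigation: a response whose issuer differs from the one recorded for that `state`, or whose iss parameter and ID token disagree, is rejected before the code is ever exchanged.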