Re: [OAUTH-WG] DPoP JWT claims

Dick Hardt <dick.hardt@gmail.com> Thu, 16 June 2022 19:50 UTC

To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fKkAtHRT7cEC5YSe9iXUNBL3Azo>

Registering the names provides clarity on use and avoids confusion on the
meaning of a claim — i.e. two specs won’t have conflicting definitions of
“htm”.

On Thu, Jun 16, 2022 at 10:20 AM Warren Parad <wparad=
40rhosys.ch@dmarc.ietf.org> wrote:

> I think the registration really helps with discovery, especially as an
> implementer. When you see or observe these claims in a JWT, you can google
> them, potentially returning no results. If you know about the IANA registry
> you can find them, even if you don't know that the tokens have anything to
> do with DPoP.
>
> On Thu, Jun 16, 2022 at 6:21 PM Neil Madden <neil.madden@forgerock.com>
> wrote:
>
>> The DPoP spec registers the “htm”, “htu”, and “ath” claims [1]. But do
>> these claims actually make sense outside of a DPoP proof? Presumably the
>> risk of naming collision within a DPoP proof is pretty small, so is there
>> any benefit to registering them rather than just using them as private
>> claims?
>>
>> (I guess I could ask the same question about lots of other entries in the
>> current registry at IANA, many of which look completely app-specific to me).
>>
>> [1]:
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-12.7
>>
>> — Neil
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
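For readers following the thread, the meaning of the three claims under discussion is easiest to see in the checks a resource server performs with them. What follows is an added example written for this archive page; it is not code from the thread, the DPoP draft or any of the participants. It is a stdlib-only Python sketch of the claim-level verification of a DPoP proof: "htm" is bound to the request method, "htu" to the request URI without query and fragment, and "ath" to the presented access token via base64url(SHA-256(token)), with "iat" and "jti" used for freshness and replay detection. Signature verification of the proof against the key in its "jwk" header is assumed to have been done already by a JOSE library and is not shown; the sample proof, its "jwk" and its signature are constructed placeholders, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit, urlunsplit


class DPoPClaimError(ValueError):
    """A proof's header or claims do not match the request it accompanies."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def access_token_hash(access_token: str) -> str:
    # "ath" as DPoP defines it: base64url(SHA-256(ASCII(access_token))).
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest())


def normalize_htu(url: str) -> str:
    # "htu" is the target URI without query and fragment.  Scheme and host are
    # case-insensitive (RFC 3986), so lowercase them before comparing.
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def split_proof_unverified(compact_jws: str):
    # Returns (header, payload) WITHOUT checking the signature; a real verifier
    # validates the JWS with the key carried in the "jwk" header first.
    header_b64, payload_b64, _signature = compact_jws.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def check_proof_header(header: dict) -> bool:
    if header.get("typ") != "dpop+jwt":
        raise DPoPClaimError("typ must be dpop+jwt")
    if header.get("alg", "none").lower() == "none" or "jwk" not in header:
        raise DPoPClaimError("proof must be asymmetrically signed with an embedded jwk")
    return True


def check_dpop_claims(payload: dict, method: str, url: str, access_token: str,
                      seen_jti: set, now=None, max_skew: int = 60) -> bool:
    # Claim-level binding of one proof to one HTTP request and one token.
    now = time.time() if now is None else now
    for name in ("htm", "htu", "iat", "jti", "ath"):
        if name not in payload:
            raise DPoPClaimError("missing claim " + name)
    if payload["htm"] != method:  # HTTP method names are case-sensitive
        raise DPoPClaimError("htm does not match the request method")
    if normalize_htu(payload["htu"]) != normalize_htu(url):
        raise DPoPClaimError("htu does not match the request URI")
    if not isinstance(payload["iat"], (int, float)) or abs(now - payload["iat"]) > max_skew:
        raise DPoPClaimError("iat outside the acceptable window")
    if payload["jti"] in seen_jti:
        raise DPoPClaimError("jti already seen: replayed proof")
    expected = access_token_hash(access_token).encode("ascii")
    if not hmac.compare_digest(str(payload["ath"]).encode("utf-8"), expected):
        raise DPoPClaimError("ath does not match the presented access token")
    seen_jti.add(payload["jti"])  # remember the id for the lifetime of the window
    return True


def build_demo_proof(access_token: str, now: int) -> str:
    # Constructed sample proof.  The jwk and signature are placeholders, not
    # real key material; only the claim layout is meaningful here.
    header = {"typ": "dpop+jwt", "alg": "ES256",
              "jwk": {"kty": "EC", "crv": "P-256", "x": "<placeholder>", "y": "<placeholder>"}}
    payload = {"jti": "e1j3V_bKic8-LAEB", "htm": "GET",
               "htu": "https://resource.example/protected", "iat": now,
               "ath": access_token_hash(access_token)}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     "<signature-placeholder>"])


if __name__ == "__main__":
    token = "constructed-access-token"
    proof = build_demo_proof(token, int(time.time()))
    header, claims = split_proof_unverified(proof)
    check_proof_header(header)
    seen = set()
    print(check_dpop_claims(claims, "GET", "https://resource.example/protected?page=2", token, seen))
    try:  # presenting the same proof twice is rejected by the jti check
        check_dpop_claims(claims, "GET", "https://resource.example/protected", token, seen)
    except DPoPClaimError as err:
        print("rejected:", err)
```

The point relevant to the thread is visible in the checks: each of "htm", "htu" and "ath" only has meaning relative to the HTTP request and access token the proof travels with, which is why the same names would be confusing if another specification defined them differently in a JWT that is not a DPoP proof.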