Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-03.txt

Brian Campbell <bcampbell@pingidentity.com> Fri, 09 April 2021 15:04 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 9 Apr 2021 09:03:46 -0600
Message-ID: <CA+k3eCQAFu62dCg4x3HV8zNrZnaexcraXL_ZcAQ-c+0dcLKKtw@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/giZxDG6sz5Jdb8vTU0_iSUvCkLk>

For a hash of the access token in the proof JWT, discussion about whether
to use the existing 'at_hash' claim or define a new 'ath' claim using only
SHA-256 has been floating around since last year
(https://mailarchive.ietf.org/arch/msg/oauth/QKMHo6gGRAaANadsAWWlSuRDzXA/
attempts to describe the tradeoffs) without a clear consensus emerging for
one over the other. I've been on the fence myself, seeing the merits and
drawbacks in both. In the absence of a clear preference or an obvious 'best'
option, the PR from Justin
https://mailarchive.ietf.org/arch/msg/oauth/C2G9cUetGSj6WnNcRdZE8wLR19I/
with the SHA-256 only 'ath' claim was sufficient to make the decision.

I'm not married to the 'ath' but don't want to change it back and forth. I
would like to see something like consensus for making a change. And strong
consensus has been elusive here.






On Fri, Apr 9, 2021 at 1:45 AM Filip Skokan <panva.ip@gmail.com> wrote:

> I would support that too but only if the way it's calculated would get
> aligned as well. If it remains being a fixed sha256 of the whole token
> rather than what at_hash does, using a new claim makes sense.
>
> Sent from iPhone
>
> 9. 4. 2021 at 5:38, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>:
>
> I had expected that we would use the existing member name “at_hash” for
> the access token hash value, rather than the new name “ath”, since there’s
> already precedent for using it.  Could we change to the standard name for
> this when we publish the next version?
>
>
> Thanks,
>
> -- Mike
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of * Brian Campbell
> *Sent:* Wednesday, April 7, 2021 1:30 PM
> *To:* oauth <oauth@ietf.org>
> *Subject:* [OAUTH-WG] Fwd: New Version Notification for
> draft-ietf-oauth-dpop-03.txt
>
>
>
> A new revision of DPoP has been published. The doc history snippet is
> copied below. The main change here is the addition of an access token hash
> claim.
>
>
>    -03
>
>    *  Add an access token hash ("ath") claim to the DPoP proof when used
>       in conjunction with the presentation of an access token for
>       protected resource access
>
>    *  add Untrusted Code in the Client Context section to security
>       considerations
>
>    *  Editorial updates and fixes
>
>
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Wed, Apr 7, 2021 at 2:16 PM
> Subject: New Version Notification for draft-ietf-oauth-dpop-03.txt
>
>
>
> A new version of I-D, draft-ietf-oauth-dpop-03.txt
> has been successfully submitted by Brian Campbell and posted to the
> IETF repository.
>
> Name:           draft-ietf-oauth-dpop
> Revision:       03
> Title:          OAuth 2.0 Demonstrating Proof-of-Possession at the
> Application Layer (DPoP)
> Document date:  2021-04-07
> Group:          oauth
> Pages:          32
> URL:
> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
> Html:
> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.html
> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-dpop-03
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-03
>
> Abstract:
>    This document describes a mechanism for sender-constraining OAuth 2.0
>    tokens via a proof-of-possession mechanism on the application level.
>    This mechanism allows for the detection of replay attacks with access
>    and refresh tokens.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
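As an added illustration, not code from the thread or from the draft, of the two computations Filip's reply contrasts: the draft-03 'ath' is a full SHA-256 over the token's ASCII bytes regardless of the proof's signing algorithm, whereas OpenID Connect 'at_hash' uses the hash tied to the JWS alg and keeps only the left-most half of the digest. The access token value and the resource-server check are assumptions for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample access token value (not a real credential). Any opaque
# string works, since both hashes are over the token's ASCII octets.
SAMPLE_ACCESS_TOKEN = "Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 Section 2 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dpop_ath(access_token: str) -> str:
    """DPoP 'ath' (draft-03): base64url(SHA-256(ASCII(access_token))).

    Always SHA-256 and always the full 32-byte digest, independent of the
    'alg' the DPoP proof JWT is signed with."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


# OIDC 'at_hash' (OpenID Connect Core 3.3.2.11): hash with the algorithm tied
# to the JWS 'alg' (SHA-256 for *256, SHA-384 for *384, SHA-512 for *512),
# then keep only the left-most half of the digest.
_ALG_HASH = {"RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
             "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
             "RS512": "sha512", "ES512": "sha512", "PS512": "sha512"}


def oidc_at_hash(access_token: str, alg: str) -> str:
    digest = hashlib.new(_ALG_HASH[alg], access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def resource_server_check(ath_claim: str, presented_token: str) -> bool:
    """Assumed resource-server step: given the 'ath' claim from an otherwise
    valid DPoP proof, recompute over the token actually presented and compare
    in constant time. A mismatch means the proof is not bound to this token."""
    return hmac.compare_digest(ath_claim, dpop_ath(presented_token))
```

Because at_hash with a *256 algorithm is a truncation of the same SHA-256 digest, the two encodings share their first 21 characters but are not interchangeable values.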