[OAUTH-WG] OAuth Proof of Possession Tokens with HTTP Message Signature

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 11 October 2021 11:13 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/grIB9lcqx35Txg_CR5BdO--o3Bk>

Hi all

Following the virtual interim meeting discussion last week about "OAuth Proof of Possession Tokens with HTTP Message Signature", my main concern is about the unclear boundary between draft-ietf-oauth-dpop <https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/> and the OAuth Proof of Possession Tokens with HTTP Message Signature solution, and the resulting confusion among developers.

Several active working group participants have in the past expressed concerns about the confusion our specifications create in the developer community. Having two (or more) solutions that offer the same or similar functionality will for sure lead to confusion.

If the group could come up with a description of when to use which solution, that would be valuable. At the conference call there was a disagreement between Brian and Justin about where that boundary is.

Ciao
Hannes
