From nobody Mon Oct 11 04:13:38 2021 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A13E3A0E8A for ; Mon, 11 Oct 2021 04:13:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.899 X-Spam-Level: X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=NRzeck/q; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=NRzeck/q Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BVHicYlA05iU for ; Mon, 11 Oct 2021 04:13:27 -0700 (PDT) Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2089.outbound.protection.outlook.com [40.107.20.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE01C3A0DB5 for ; Mon, 11 Oct 2021 04:13:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P7DNMUJCAJCURY788z0KyzTdTEs+EdpSDnhICnjQ+Ig=; b=NRzeck/qItSKTR9qkDQfKacsBBgEBLgYePvhLE0xZQ2S7/+lk7FdUjT87SxvooRfYZLFs0jMJ15DeA+JYO6VuZ2wn5Ai7UVt3wOHsdGwomaZEqDvQFWAH112OvKwYChiq825npONn/kSWmxBIyxz8fsOBmockGK+iR5cYrPpfNk= Received: from AS8PR04CA0186.eurprd04.prod.outlook.com (2603:10a6:20b:2f3::11) by DB7PR08MB3115.eurprd08.prod.outlook.com (2603:10a6:5:1d::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4587.18; Mon, 11 Oct 2021 11:13:04 +0000 Received: from VE1EUR03FT047.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:2f3:cafe::b8) by AS8PR04CA0186.outlook.office365.com (2603:10a6:20b:2f3::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4587.25 via Frontend Transport; Mon, 11 Oct 2021 11:13:04 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=pass action=none header.from=arm.com; Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com; Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT047.mail.protection.outlook.com (10.152.19.218) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4587.18 via Frontend Transport; Mon, 11 Oct 2021 11:13:02 +0000 Received: ("Tessian outbound 2e7020cc8961:v103"); Mon, 11 Oct 2021 11:13:02 +0000 X-CR-MTA-TID: 64aa7808 Received: from e941b9e735fb.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id FA44C92D-9BAF-41F5-9EA9-C672C22EF24A.1; Mon, 11 Oct 2021 11:12:56 +0000 Received: from EUR02-VE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id e941b9e735fb.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 11 Oct 2021 11:12:56 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=S55vXASh+7xjZL6FU7wraj23UhldY3UGkgzBI4lJ1VzwX/WTR6RpuNQkV8okJgK6z42+0bziaQEYYcNywBcutk+TfHmAssilgaamhOzUQyz/rtGXXrkn7pWJxexP0fNyGDasvdnKs8AxzZbtJTknC4OivydPjcK5zHzCSVxrbcsEW5glZR7GgqQN/aLw5+co4cfyfbmICeqJ6ibpGuceSO9aQdLeca/N+LxE9p5y/sUtTfLpHnfaRBa8zs4pZ8sLnivj8ugkQ5RbndJDqa8/M25ivbKnbe8KmizqjF4uzeQRLfkGu2hh8HMMhK1Rpzfbmaw58azaHWcoImyD5LM3yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=P7DNMUJCAJCURY788z0KyzTdTEs+EdpSDnhICnjQ+Ig=; b=TrfAUGmF+6901ypDGhboAkwzo/wz1WbzUum+kh8HNOWmt+PjAUZYGJy9F3grR1q8RayBQ+zwWwSmUHuvElaQ2Y8CG1p2yocGsjGu0o51BqjdWsO5ct4BiSOTlu+LMQ531d0YdLytDldk/ai89Bq+jK4KtfoRKyIN+kO0rxbWTb0DfH+9iPrCMfo0hyh0FTcqf+zT8KnKi4iXug5xhjyLyh9DX5l86NYfFZxLks/8Ei7gfUyxEEXGCcRYxZlIT4/vJ+eUXU7A4ub6QywZ/EV0NavY6bqLYy5U2EXdOp2K+u+gWJffZnV/9bJB95GaHtzDRRiP3TfY4zvcOvbkseC2JQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P7DNMUJCAJCURY788z0KyzTdTEs+EdpSDnhICnjQ+Ig=; b=NRzeck/qItSKTR9qkDQfKacsBBgEBLgYePvhLE0xZQ2S7/+lk7FdUjT87SxvooRfYZLFs0jMJ15DeA+JYO6VuZ2wn5Ai7UVt3wOHsdGwomaZEqDvQFWAH112OvKwYChiq825npONn/kSWmxBIyxz8fsOBmockGK+iR5cYrPpfNk= Received: from DBBPR08MB5915.eurprd08.prod.outlook.com (2603:10a6:10:20d::17) by DB6PR08MB2789.eurprd08.prod.outlook.com (2603:10a6:6:20::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4587.25; Mon, 11 Oct 2021 11:12:54 +0000 Received: from DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::4514:95de:c5e0:ddbe]) by DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::4514:95de:c5e0:ddbe%9]) with mapi id 15.20.4587.025; Mon, 11 Oct 2021 11:12:54 +0000 From: Hannes Tschofenig To: oauth Thread-Topic: OAuth Proof of Possession Tokens with HTTP Message Signature Thread-Index: Ade+j8a0Khb2TbSnSkG67XJCSPrG3A== Date: Mon, 11 Oct 2021 11:12:53 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ts-tracking-id: 1CFFE429FA5F7A43AB830AA159576653.0 x-checkrecipientchecked: true Authentication-Results-Original: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=arm.com; x-ms-publictraffictype: Email X-MS-Office365-Filtering-Correlation-Id: d7b4d0c8-2655-4fd9-19dc-08d98ca81789 x-ms-traffictypediagnostic: DB6PR08MB2789:|DB7PR08MB3115: X-Microsoft-Antispam-PRVS: x-checkrecipientrouted: true nodisclaimer: true x-ms-oob-tlc-oobclassifiers: OLM:8882;OLM:10000; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam-Untrusted: BCL:0; X-Microsoft-Antispam-Message-Info-Original: qSKKYNRAeTug1H0ZEAuBrnS9rvOaFZEakqFCiiWunbKx2eb5roE/tGBW2qP/iXpUGCLpGpk7uVNLvmicEcxmEVYxrTrmSA50tEhKcud7o7L+cF/vpDAg7wUF1tUxTVJY6KJ6dXaZMIPHLOQG/XTLOl5Jqu3oUzE2tEhuhpoN29gATYWPi6/6LhF8HCP05DOTckt1+ns5wRwUdGPpaVaiR2BcHJb8A0A7GHIGZuxOQifCzreY1aZciaOV76D2HYSR9erqEcZNVNQIFi04ZorY/boVcvw1clydBPXcSy2jW3/ELVTNCcJD6ukET483xICsrMsno3MM9EIwrPceZPCATR7S730sLpam1j3LWZ9ooK60+zYYUDONFsa/Vf0sGx+S9uxX1WePX9DQkPeJjSa828ZObyphEU3xImBUrfpP9SKe8v6QQEeXJ436Z5cnZ296eO2e3wj+Pt+bT+Ylb0OVcc2M0UhQbF9EL3AmgbkJuORP+KOqUvfCrOrttWCbhPW2wdMY1JDaPYLYg9fFEZzdMjATEcdA0XLLIeyXy7p3Pb4ENK6dM2NqhGad3v1uWQp//Eg3ZBXea7Mib04CVs7bohodT0WW3BO1zxgdmavWZZ5zexi+PXQbHE+gIYAAMAmmDHlUDBSVZ7t7pxroz5Fcz6ur0zdQ5Iu/FE0HmTVJupDGLNjYnrz2uaP1ANPwBtCjVT28CCtrI14f+nqp3vTnmWuyuDrr4fVZ9MRutb2ZLrIrEQlTYPOwr9lmtTSr+0daWL4zu52cX2qCtPIihuVjluGdPFu8f8t5Oolas4YGhEA= X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB5915.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(33656002)(9686003)(7696005)(15650500001)(5660300002)(55016002)(6506007)(122000001)(26005)(83380400001)(8676002)(38100700002)(2906002)(8936002)(52536014)(166002)(38070700005)(186003)(316002)(71200400001)(6916009)(76116006)(66946007)(66556008)(66476007)(64756008)(66446008)(508600001)(86362001); DIR:OUT; SFP:1101; x-ms-exchange-transport-forked: True Content-Type: multipart/alternative; boundary="_000_DBBPR08MB5915A052C7D30F10E6AC865CFAB59DBBPR08MB5915eurp_" MIME-Version: 1.0 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR08MB2789 Original-Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=arm.com; X-EOPAttributedMessage: 0 X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT047.eop-EUR03.prod.protection.outlook.com X-MS-Office365-Filtering-Correlation-Id-Prvs: 16505c06-81fa-43b2-565c-08d98ca81273 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: WJjIrcqoGMh2mU+Gsob7bSOAV3pa0JMWLrpTjGZYh3jfNmgQ61GzhvVkVn/3l5RBoORuUHtaUJJf5RqTBHEhszdNyc2oMFPoGBAcX94KD6YkLITjZOgHNgFS10KuQT9B09FvHBp+HCrWoiIHVBa+HnEgQwjjGJ1m2y1t0+In/Te2ipqqMrHwjnDMUK73llqjX/yNAvYmz+ujL62v+sfR/bWKl5nvYEJ+AT5xMfiZgbCkl60TKEuzF55kGV2wbvdvmK+ja3xK33CNafkbTEngWM6vTeev51VdvpeTVh6YZNSsw09he7U2AOWmrxqymsDJQq0309M2M6IQoAmEnxkQRSKuJe43e+ae0brkorXrGTmeIIryPAdzDyY+kUloqEOXERv9KNopt2x35EblM4+6v1GZ3dvuAdiKJateFHM+dZ2b+adZ9h6X6CnDMjCw4cegH4nIt0q1hqQPNBfID2tE+bw3+tqBVlyzBbf30BV/gn/hKL4aJdzLgHNiVZ3OdFMfqwD4KNHbYOapNavWQToAD1VbnjqA3ptm6Zu93z5h90i0+SoaHQLRyWvl3jSAoRPKE12KkSI7ZM/O94KBQ2a3zb9C22JZnuN8BKdopw27ZgYLL1L2TE4+rcGNxcFbDk1shxOYnDnWOoLRH+3WsPCgG0EOcRocKHntDtsuzlj9KEM7+ThM3UOAYDVNdTXoTd7Oeni008sTf0rpJcoeRl8bpApSsVDE7h62Cw1NgURh1Bg2BxyKTULppXNUU3gN7D1s1g7+6pIhxHjl1k/BHQgO407Tbbiwb57UcPDgBF5jh80= X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(36840700001)(46966006)(33656002)(316002)(70586007)(82310400003)(26005)(70206006)(81166007)(8676002)(508600001)(5660300002)(166002)(356005)(52536014)(6916009)(8936002)(55016002)(7696005)(2906002)(47076005)(36860700001)(6506007)(86362001)(186003)(15650500001)(83380400001)(336012)(9686003); DIR:OUT; SFP:1101; X-OriginatorOrg: arm.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Oct 2021 11:13:02.5483 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: d7b4d0c8-2655-4fd9-19dc-08d98ca81789 X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com] X-MS-Exchange-CrossTenant-AuthSource: VE1EUR03FT047.eop-EUR03.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR08MB3115 Archived-At: Subject: [OAUTH-WG] OAuth Proof of Possession Tokens with HTTP Message Signature X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Oct 2021 11:13:37 -0000 --_000_DBBPR08MB5915A052C7D30F10E6AC865CFAB59DBBPR08MB5915eurp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi all Following the virtual interim meeting discussion last week about "OAuth Pro= of of Possession Tokens with HTTP Message Signature" my main concern is abo= ut the unclear boundary between draft-ietf-oauth-dpop and the OAuth Proof of Possession Token= s with HTTP Message Signature solution and the resulting confusion by devel= opers. Several active working group participants have in the past expressed concer= ns about the confusion our specification create in the developer community.= Having two (or more) solutions that offer the same or similar functionalit= y will for sure lead to confusion. If the group could come up with a description of when to use what solution = that would be valuable. At the conference call there was a disagreement bet= ween Brian and Justin about where that boundary is. Ciao Hannes IMPORTANT NOTICE: The contents of this email and any attachments are confid= ential and may also be privileged. If you are not the intended recipient, p= lease notify the sender immediately and do not disclose the contents to any= other person, use it for any purpose, or store or copy the information in = any medium. Thank you. --_000_DBBPR08MB5915A052C7D30F10E6AC865CFAB59DBBPR08MB5915eurp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi all

 

Following the virtual interim meeting discussion las= t week about “OAuth Proof of Possession Tokens with HTTP Message Sign= ature” my main concern is about the unclear boundary between draft-i= etf-oauth-dpop and the OAuth Proof of Possession Tokens with HTTP Messa= ge Signature solution and the resulting confusion by developers.

 

Several active working group participants have in th= e past expressed concerns about the confusion our specification create in t= he developer community. Having two (or more) solutions that offer the same = or similar functionality will for sure lead to confusion.

 

If the group could come up with a description of whe= n to use what solution that would be valuable. At the conference call there= was a disagreement between Brian and Justin about where that boundary is.

 

Ciao

Hannes

 

IMPORTANT NOTICE: The contents of this email and any attachments are confid= ential and may also be privileged. If you are not the intended recipient, p= lease notify the sender immediately and do not disclose the contents to any= other person, use it for any purpose, or store or copy the information in any medium. Thank you. --_000_DBBPR08MB5915A052C7D30F10E6AC865CFAB59DBBPR08MB5915eurp_--