[OAUTH-WG] Re: [Technical Errata Reported] RFC9470 (7951)
Justin Richer <jricher@mit.edu> Wed, 22 May 2024 23:06 UTC
From: Justin Richer <jricher@mit.edu>
To: RFC Errata System <rfc-editor@rfc-editor.org>, "vittorio@auth0.com" <vittorio@auth0.com>, "bcampbell@pingidentity.com" <bcampbell@pingidentity.com>, "debcooley1@gmail.com" <debcooley1@gmail.com>, "paul.wouters@aiven.io" <paul.wouters@aiven.io>, "hannes.tschofenig@arm.com" <hannes.tschofenig@arm.com>, "rifaat.s.ietf@gmail.com" <rifaat.s.ietf@gmail.com>
Date: Wed, 22 May 2024 23:06:28 +0000
Message-ID: <LV8PR01MB8677AC4BEDE87DA9FC70CE3DBDEB2@LV8PR01MB8677.prod.exchangelabs.com>
References: <20240522183054.DCCFEC000063@rfcpa.rfc-editor.org>
In-Reply-To: <20240522183054.DCCFEC000063@rfcpa.rfc-editor.org>
CC: "tomasz.kuczynski@man.poznan.pl" <tomasz.kuczynski@man.poznan.pl>, "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] Re: [Technical Errata Reported] RFC9470 (7951)
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
This seems to be logical - the authentication event would always be before the token was issued in the usual case. However, assuming that the AS "upgrades" an existing token in-place during a step up, isn't it possible for the latest relevant authentication event to come after the token was initially issued?

 - Justin

________________________________
From: RFC Errata System <rfc-editor@rfc-editor.org>
Sent: Wednesday, May 22, 2024 2:30 PM
To: vittorio@auth0.com <vittorio@auth0.com>; bcampbell@pingidentity.com <bcampbell@pingidentity.com>; debcooley1@gmail.com <debcooley1@gmail.com>; paul.wouters@aiven.io <paul.wouters@aiven.io>; hannes.tschofenig@arm.com <hannes.tschofenig@arm.com>; rifaat.s.ietf@gmail.com <rifaat.s.ietf@gmail.com>
Cc: tomasz.kuczynski@man.poznan.pl <tomasz.kuczynski@man.poznan.pl>; oauth@ietf.org <oauth@ietf.org>; rfc-editor@rfc-editor.org <rfc-editor@rfc-editor.org>
Subject: [OAUTH-WG] [Technical Errata Reported] RFC9470 (7951)

The following errata report has been submitted for RFC9470,
"OAuth 2.0 Step Up Authentication Challenge Protocol".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7951

--------------------------------------
Type: Technical
Reported by: Tomasz Kuczyński <tomasz.kuczynski@man.poznan.pl>

Section: 6.2

Original Text
-------------
   "exp": 1639528912,
   "iat": 1618354090,
   "auth_time": 1646340198,

Corrected Text
--------------
   "exp": 1639528912,
   "iat": 1618354090,
   "auth_time": 1618354090,

Notes
-----
I noticed a small inconsistency in the example "Figure 7: Introspection Response". It seems that the time for the user-authentication event should be less than or equal to the time of token issuance to ensure logical coherence.

Instructions:
-------------
This erratum is currently posted as "Reported". (If it is spam, it will be
removed shortly by the RFC Production Center.) Please use "Reply All" to
discuss whether it should be verified or rejected. When a decision is
reached, the verifying party will log in to change the status and edit the
report, if necessary.

--------------------------------------
RFC9470 (draft-ietf-oauth-step-up-authn-challenge-17)
--------------------------------------
Title               : OAuth 2.0 Step Up Authentication Challenge Protocol
Publication Date    : September 2023
Author(s)           : V. Bertocci, B. Campbell
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org
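The errata report and Justin's reply turn on how a resource server should read the `iat` and `auth_time` claims of an introspection response when it enforces the step-up policy of RFC 9470. The following is an added example, not code from RFC 9470, the errata report or anyone in this thread. It evaluates an introspection response against a resource server's required ACR values and `max_age`, builds the `WWW-Authenticate` challenge with `error="insufficient_user_authentication"` that the RFC defines when the policy is not met, and applies a timestamp coherence check. The sample responses are constructed around the three timestamps quoted in the errata (all other claim values are placeholders); the policy shape, the `invalid_token` handling for incoherent claims and the `allow_in_place_upgrade` switch, which models the in-place step-up scenario Justin describes, are this example's own assumptions.

```python
"""Evaluate an OAuth 2.0 token introspection response against a step-up
policy on the resource-server side, in the manner RFC 9470 describes.

Added example, not code from RFC 9470, the errata or the thread. Assumed:
the policy shape (required ACR values and max_age), the constructed sample
responses, the choice to answer incoherent timestamps with invalid_token,
and the allow_in_place_upgrade switch modelling an AS that refreshes
auth_time on an already-issued token.
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Constructed samples. Only exp/iat/auth_time come from the errata report;
# every other claim value is a placeholder.
AS_PUBLISHED = {          # auth_time later than iat (and later than exp)
    "active": True,
    "client_id": "s6BhdRkqt3",
    "scope": "purchase",
    "exp": 1639528912,
    "iat": 1618354090,
    "auth_time": 1646340198,
    "acr": "myACR",
}
AS_CORRECTED = {**AS_PUBLISHED, "auth_time": 1618354090}       # errata's fix
UPGRADED_IN_PLACE = {**AS_PUBLISHED, "auth_time": 1618354690}  # step-up 600 s after iat


@dataclass
class Decision:
    allowed: bool
    reason: str
    www_authenticate: Optional[str] = None   # value to send with a 401
    warnings: list = field(default_factory=list)


def build_challenge(required_acrs: Iterable[str], max_age: Optional[int]) -> str:
    """WWW-Authenticate value for the RFC 9470 step-up challenge.

    acr_values (space-separated) and max_age (seconds) are each optional;
    the error code is the one the RFC registers.
    """
    params = ['error="insufficient_user_authentication"']
    acrs = " ".join(required_acrs)
    if acrs:
        params.append(f'acr_values="{acrs}"')
    if max_age is not None:
        params.append(f'max_age="{max_age}"')
    return "Bearer " + ", ".join(params)


def evaluate(resp: dict, now: int, required_acrs: Iterable[str] = (),
             max_age: Optional[int] = None,
             allow_in_place_upgrade: bool = False) -> Decision:
    """Decide whether the token behind `resp` satisfies the step-up policy."""
    required_acrs = tuple(required_acrs)
    if not resp.get("active"):
        return Decision(False, "token not active", 'Bearer error="invalid_token"')
    if now >= resp["exp"]:
        return Decision(False, "token expired", 'Bearer error="invalid_token"')

    auth_time = resp.get("auth_time")
    iat = resp.get("iat")
    warnings = []
    if auth_time is not None:
        # An authentication event in the future can never be coherent.
        if auth_time > now:
            return Decision(False, "auth_time is in the future",
                            'Bearer error="invalid_token"')
        # auth_time after iat is the inconsistency the errata reports; it is
        # only legitimate if the AS is known to upgrade tokens in place.
        if iat is not None and auth_time > iat:
            if not allow_in_place_upgrade:
                return Decision(False, "auth_time later than iat",
                                'Bearer error="invalid_token"')
            warnings.append("auth_time later than iat: treating as in-place step-up")

    unmet = []
    if required_acrs and resp.get("acr") not in required_acrs:
        unmet.append(f"acr {resp.get('acr')!r} not in {required_acrs}")
    if max_age is not None:
        if auth_time is None or now - auth_time > max_age:
            unmet.append("authentication older than max_age")
    if unmet:
        # State the whole policy in the challenge so the client can satisfy
        # it in one round trip to the AS.
        return Decision(False, "; ".join(unmet),
                        build_challenge(required_acrs, max_age), warnings)
    return Decision(True, "policy satisfied", warnings=warnings)
```

With the errata's corrected response and `now` ten seconds after `iat`, a policy of `("myACR",)` and `max_age=60` passes, while `max_age=5` yields `Bearer error="insufficient_user_authentication", acr_values="myACR", max_age="5"`. The response as published is rejected because its `auth_time` lies in the future relative to any `now` before `exp`; the in-place-upgrade sample is rejected as incoherent by default and accepted only when the switch is on.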
- [OAUTH-WG] [Technical Errata Reported] RFC9470 (7… RFC Errata System
- [OAUTH-WG] Re: [Technical Errata Reported] RFC947… Justin Richer
- [OAUTH-WG] Re: [Technical Errata Reported] RFC947… Tomasz Kuczyński
- [OAUTH-WG] Re: [Technical Errata Reported] RFC947… Brian Campbell
- [OAUTH-WG] Re: [Technical Errata Reported] RFC947… Tomasz Kuczyński
- [OAUTH-WG] Re: [Technical Errata Reported] RFC947… Brian Campbell