Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwsreq-19: (with DISCUSS and COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Sun, 28 July 2019 12:26 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A6761200F7 for <oauth@ietfa.amsl.com>; Sun, 28 Jul 2019 05:26:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YobTnVOQWrBX for <oauth@ietfa.amsl.com>; Sun, 28 Jul 2019 05:26:15 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4C7C12013B for <oauth@ietf.org>; Sun, 28 Jul 2019 05:26:09 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id j5so110081915ioj.8 for <oauth@ietf.org>; Sun, 28 Jul 2019 05:26:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GBjES4xfyrsv0pliY4zi0RFZWYpvqkqk2IuH6q04xl8=; b=Kawkh3Sappl59FOjtJSp1sQPGAoiBnCPjmibrTdgSbF97kbkFYBRIMAuTasA7HjzXe wMstIxg146dr21Wv1einpMFV6u4KuRSEeV3t4KyXA1qktQ1tQwhjiVQYzC4HRKx4ZJh7 6wBXqGhdURykaibyRC1vxygeeeeBzwjjLJPqM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GBjES4xfyrsv0pliY4zi0RFZWYpvqkqk2IuH6q04xl8=; b=XjggzBfcg9PR1GX+ZyiidIrZS5ALRd3aim4pjmf1idOM5EnG/MO9mFgnw0gAXtb3So cq0noRCS9OJO5vTXf6QS6j9amPsvPPc0geMOjbuQsrXR3H3BiuKPzF6pNB6G85/sT3r0 i3WGcAddgVJitz0tbrwMkZ5G/rxQr1k7O9vFw7wPqW13TdHjeWK+XvRVGs35uULeylR/ 6s+WSUBLIhN6rjPdImefAcisSeidO59rIeEO430KY0bjm82dxiHUfBg4WQMmKGAgUqii jnL3DTxm1UYRS2/7fdPt3STO+J3ZBZwOhjCgHRuUKzCqc6o2YeB0aw4ZPOrDxfEWO/bE rgew==
X-Gm-Message-State: APjAAAWdlWE81adIcyB5u+Dm5DX9aHgmyrpfhXVHum9wP0/YFkbtmc71 WaE3MZdqJ9qd4RVCWjnyn76XocTX6BLY4mfnER7duhEVrON/nVLYyGg/SfxkHoA5Qboi+cH0B/R cf4MY+4C6COp/ug==
X-Google-Smtp-Source: APXvYqw4GjdqZsE7J4OQu0vA2bYyRRFx1axJfC5AZ2UWUdVcZ5GA78+ZdAj4xGQkNK3bGB8RLyRO1I573OKP4tdQTAg=
X-Received: by 2002:a05:6638:201:: with SMTP id e1mr26929440jaq.45.1564316768603; Sun, 28 Jul 2019 05:26:08 -0700 (PDT)
MIME-Version: 1.0
References: <156218034597.14836.482712385966674562.idtracker@ietfa.amsl.com> <CABzCy2AvNBGAUrfHNY+LoEZACt5F9q1zx1P81zqj8hNo3FjgTQ@mail.gmail.com> <CA+k3eCS0JBh=fRDTnBKNHw2yncLKZCd+MN8sojhkJw23yFvbwg@mail.gmail.com> <CABzCy2Aaga-YVyx3a4pz=Zm-k4iwkj4JUavH8HJ37Sf2NX3dSg@mail.gmail.com>
In-Reply-To: <CABzCy2Aaga-YVyx3a4pz=Zm-k4iwkj4JUavH8HJ37Sf2NX3dSg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 28 Jul 2019 06:25:42 -0600
Message-ID: <CA+k3eCRuiOQ50ZfbM4xt_FJa7XX_f61+=Br45qhx7b0-bHc-mw@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, draft-ietf-oauth-jwsreq@ietf.org, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004f36fb058ebce1f6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iAldS85aQyFWizhhEHy5WhTg-Qk>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwsreq-19: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jul 2019 12:26:21 -0000

I'm honestly not sure I follow all that or how it would really work to
prevent name collisions. As a lipnus test, would the one real world
instance of the issue (name collision with 'aud') have been averted by this?

While my understanding is obliviously a requirement here, I do have more
familiarity with this stuff than the average person, so my lack of
understanding might serve as a good indicator about the likely simplicity
and efficacy of what's been suggested.


On Sat, Jul 27, 2019 at 12:02 AM Nat Sakimura <sakimura@gmail.com>; wrote:

> Brian,
>
> Perhaps I should have spelled out what I have stated as "grandfather the
> currently registered OAuth Authorization Request parameters into JWT Claims
> Registry and keep any incoming OAuth Authz param in sync with the JWT
> Claims Registry by creating a modified instruction for IANA processings.
>
> I felt that to find out what is being added to the JWT Claims registry as
> potentially OAuth Authz Request extension parameters that are coming in the
> future a bit arbitrary and not-so-simple while an instruction to add
> incoming OAuth Authz Request parameters to JWT Claims Registry is
> deterministic and therefore simple.
>
> On Fri, Jul 26, 2019 at 4:47 PM Brian Campbell <bcampbell@pingidentity.com>;
> wrote:
>
>> Nat, you suggest that the "simplest solution probably is to register the
>> authorization request parameters to the JWT Claims registry." However, as
>> I've attempted to articulate several times this week (
>> https://mailarchive.ietf.org/arch/msg/oauth/0EenxmThjII52SAr9atpBStRtcs
>> and muliple comments on https://bitbucket.org/openid/connect/issues/1019)
>> and even back in 2017 (
>> https://mailarchive.ietf.org/arch/msg/oauth/_E14Trqu962cReu3t6FquPEyigY),
>> I believe the pragmatic solution to this is to register some of the main
>> JWT claims into the OAuth parameters registry (not the other way around, as
>> you're suggesting which wouldn't even have caught the one name collision
>> we've actually had where a draft, more than one actually, wanted to call an
>> authorization request parameter "aud", which would conflicted with the JWT
>> claim of the same name and cause big problems when used together with JAR).
>> I suppose the iron clad way to "fix" this would be to merge the two
>> registries and keep them in sync forever. But that seems awfully heavy
>> handed and unnecessary. JAR is a specific application of JWT being used to
>> convey an OAuth authz request. JAR explicitly uses a few core JWT claims
>> (aud, iss) and one could reasonably imagine other core ones being used as
>> well (exp, iat, nbf, jti, etc). An authorization request parameter being
>> introduced that uses one of those names is far and away the most likely
>> point of collision (and has already happened, as noted previously). A new
>> JWT claim being introduced that collides with an existing authorization
>> request parameter name AND would be used in the context of JAR is far far
>> less likely to happen. So unlikely, in fact, that I don't think it's
>> necessary or even useful to pollute the JWT claims registry with the names
>> of all the authorization request parameters. I happen to be one of the DEs
>> on the JWT claims registry so, in theory, I have some idea what I'm talking
>> about here. In theory. And I do have to be upfront at this point and say
>> that I will push back on a request for registration of a bunch of
>> authorization request parameters into the JWT claims registry without
>> without more compelling reason.
>>
>> On Fri, Jul 26, 2019 at 12:23 PM Nat Sakimura <sakimura@gmail.com>; wrote:
>>
>>>
>>> Thanks very much for the comments.
>>> Here are my responses to your comments.
>>>
>>> On Wed, Jul 3, 2019 at 2:59 PM Benjamin Kaduk via Datatracker <
>>> noreply@ietf.org>; wrote:
>>> >
>>> > Benjamin Kaduk has entered the following ballot position for
>>> > draft-ietf-oauth-jwsreq-19: Discuss
>>> >
>>> > When responding, please keep the subject line intact and reply to all
>>> > email addresses included in the To and CC lines. (Feel free to cut this
>>> > introductory paragraph, however.)
>>> >
>>> >
>>> > Please refer to
>>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>>> > for more information about IESG DISCUSS and COMMENT positions.
>>> >
>>> >
>>> > The document, along with other ballot positions, can be found here:
>>> > https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>>> >
>>> >
>>> >
>>> > ----------------------------------------------------------------------
>>> > DISCUSS:
>>> > ----------------------------------------------------------------------
>>> >
>>> > My apologies; my previous position was incomplete.  Updated to note
>>> > namespacing issues, and one minor terminology nit about "DNS-ID".
>>> >
>>> > There seem to be some pretty serious namespacing issues that are not
>>> > discussed at all in this document.  Specifically, using JWT as a
>>> > container for OAuth 2.0 authorization request parameters (including
>>> > extension parameters) introduces the usage of many new names (of JSON
>>> > name/value pairs) into the JWT claims namespace.  Furthermore, the
>>> > addition is not bounded, as any new OAuth extension parameters are
>>> > implicitly permitted to be used as well!  The IANA Considerations make
>>> > no mention of the collapsed namespace for JWT claims and OAuth 2.0
>>> > (authorization request) parameters, leaving substantial potential for
>>> > collisions in the future.
>>>
>>> The simplest solution probably is to register the authorization request
>>> parameters to the JWT Claims registry.
>>> According to my checking, the relevant but not yet registered parameters
>>> are:
>>>
>>> Claim Name: "code_challenge"
>>> Claim Description: OAuth PKCE Code Challenge
>>> Change Controller: IESG
>>> Specification Document(s): Section 3 of RFC 7636
>>>
>>> Claim Name: "code_challenge_method"
>>> Claim Description: OAuth PKCE Code Challenge
>>> Change Controller: IESG
>>> Specification Document(s): Section 3 of RFC 7636
>>>
>>> Claim Name: "redirect_uri"
>>> Claim Description: OAuth Redirection URI
>>> Change Controller: IETF
>>> Specification Document(s): Section 4.1.1 of RFC 6749
>>>
>>> Claim Name: "response_type"
>>> Claim Description: OAuth Authorization Response type
>>> Change Controller: IETF
>>> Specification Document(s): Section 3.1.1 of RFC 6749
>>>
>>> Claim Name: "state"
>>> Claim Description: OAuth state parameter
>>> Change Controller: IETF
>>> Specification Document(s): Section 4.1.1 of RFC 6749
>>>
>>> Claim Name: "vtr"
>>> Claim Description: Vector of Trust request
>>> Change Controller: IESG
>>> Specification Document(s): Section 4.1 of RFC 8485
>>>
>>> > Relatedly, using "application/jwt" as the Content-type of the
>>> > HTTP response from dereferencing the request_uri with no explicit
>>> > indication of the type/profile of JWT used (whether in the content type
>>> > or in the JWT claims themselves) gives some risk of misinterpretation
>>> of
>>> > the content..  Consider, for example, when that request_uri is
>>> > dereferenced not by the authorization server in the process of
>>> > fulfilling an authorization request, but instead by some other service
>>> > that expects a different type of JWT.
>>>
>>> I am making the change to "application/oauth-authz-req+jwt" and add IANA
>>> request.
>>>
>>> >
>>> > This second point is a "discuss discuss" -- it's an important question
>>> > and I'd like to talk about it, but it's not clear that any change to
>>> the
>>> > document will be needed.
>>> >
>>> > The introduction notes as an advantage of JWT that:
>>> >
>>> >    (d)  (collection minimization) The request can be signed by a third
>>> >         party attesting that the authorization request is compliant
>>> with
>>> >         a certain policy.  For example, a request can be pre-examined
>>> by
>>> >         a third party that all the personal data requested is strictly
>>> >         necessary to perform the process that the end-user asked for,
>>> >         and statically signed by that third party.  The authorization
>>> >         server then examines the signature and shows the conformance
>>> >         status to the end-user, who would have some assurance as to the
>>> >         legitimacy of the request when authorizing it.  In some cases,
>>> >         it may even be desirable to skip the authorization dialogue
>>> >         under such circumstances.
>>> >
>>> > I'm pretty uncomfortable about suggesting that the authorization
>>> > dialogue can/should be skipped; do we need to keep this example?
>>> >
>>>
>>> I have actually deliberately put this text as there seem to be some
>>> disconnect between the engineering community and the privacy regulators
>>> community. Asking for "consent" is something that should be considered as
>>> an exception and should use other lawful basis if possible as UK ICO (The
>>> data protection regulator in the UK) advises. As the editor of "ISO/IEC
>>> 29184 Privacy notice and consent", which is being developed with close
>>> coordination with regulators such as European Data Protection Board, I
>>> would have to agree to that position and I took OAuth JAR as one of the
>>> opportunity to call it out. I will add some text explaining it such as:
>>>
>>> In some cases, it is deemed harmful to ask for consent when it is not
>>> necessary: i.e., the processing is performed under other lawful basis than
>>> consent, as it would make the consent, that should be an exception, stand
>>> out less. Under such circumstances, this mechanism can be used to skip the
>>> authorization dialogue.
>>>
>>> >
>>> > ----------------------------------------------------------------------
>>> > COMMENT:
>>> > ----------------------------------------------------------------------
>>> >
>>> > Section 1
>>> >
>>> >    While it is easy to implement, the encoding in the URI does not
>>> allow
>>> >    application layer security with confidentiality and integrity
>>> >    protection to be used.  While TLS is used to offer communication
>>> >
>>> > nit: this wording is a little hard to read; it might be easier to
>>> > reorder to "does not allow application layer security to be used to
>>> > provide confidentiality and integrity protection".
>>>
>>> Thanks. I will make the change.
>>>
>>> >
>>> >    The use of application layer security allows requests to be prepared
>>> >    by a third party so that a client application cannot request more
>>> >    permissions than previously agreed.  This offers an additional
>>> degree
>>> >    of privacy protection.
>>> >
>>> > (side note) what would an example of such a third party be.  (We
>>> already
>>> > have the resource owner, the client, and the authorization server ...
>>> > maybe it's a fourth party?)
>>>
>>> It is a fourth party, e.g., a trust framework provider or an information
>>> fiduciary.
>>> The text need to be modified though as I found an error.
>>> Since now all the OAuth Request parameters must be in the request object,
>>> only the pattern that can be supported for something like this is to push
>>> the request object to the TFP and have the TFP check if it meets the
>>> policy
>>> and return request_uri only it is evelauted as OK.
>>>
>>> >
>>> >    Furthermore, the request by reference allows the reduction of over-
>>> >    the-wire overhead.
>>> >
>>> > We only barely mentioned by-reference at this point (one line in the
>>> > Abstract), so I'd suggest "passing the request by reference".
>>>
>>> Thanks. I will make the change.
>>>
>>> >
>>> >    (4)  its development status that it is an RFC and so is its
>>> >         associated signing and encryption methods as [RFC7515] and
>>> >         [RFC7516]
>>> >
>>> > nit: I'd suggest "its development status as a Proposed Standard, along
>>> > with the associated signing and encryption methods [RFC7515]
>>> [RFC7516]."
>>>
>>> Thanks. I will make the change.
>>>
>>> >
>>> >    (c)  (confidentiality protection) The request can be encrypted so
>>> >         that end-to-end confidentiality can be provided even if the TLS
>>> >         connection is terminated at one point or another.
>>> >
>>> > nit: TLS is always terminated at or before the user-agent, though.  So
>>> > maybe the user agent needs to get called out here as well (there could
>>> > of course be TLS termination earlier than the user-agent in some cases,
>>> > too).
>>>
>>> Thanks. I will make the change.
>>>
>>> >
>>> >    2.  When the client does not want to do the crypto.  The
>>> >        Authorization Server may provide an endpoint to accept the
>>> >        Authorization Request through direct communication with the
>>> >        Client so that the Client is authenticated and the channel is
>>> TLS
>>> >        protected.
>>> >
>>> > How can you "not want to do [the] crypto" but still be doing TLS (with
>>> > crypto)?  Perhaps we're looking for "not want to pay the additional
>>> > overhead of JWS/JWE cryptography on top of TLS"?
>>>
>>> Thanks. I will make the change.
>>>
>>> >
>>> > Section 1.1
>>> >
>>> > RFC 8174 has updated BCP 14 boilerplate text to use.
>>>
>>> Thanks. I will make the change.
>>>
>>> >
>>> > Section 3
>>> >
>>> > nit: should this section be 2.3 to get wrapped into "terminology"?
>>>
>>> It could, but I suppose it could be as is.
>>>
>>> >
>>> > It might also be worth putting references in for the terms, though they
>>> > are largely common knowledge at this point.
>>>
>>> Hopefully, they are public knowledge ...
>>>
>>> >
>>> > Section 4
>>> >
>>> >    A Request Object (Section 2.1) is used to provide authorization
>>> >    request parameters for an OAuth 2.0 authorization request.  It MUST
>>> >    contains all the OAuth 2.0 [RFC6749] authorization request
>>> parameters
>>> >    including extension parameters.  The parameters are represented as
>>> >
>>> > nit: "all the parameters" kind of sounds like "all that are defined"..
>>> > But I think the intent here is "any parameter used to process the
>>> > request must come from the request object and URL query parameters are
>>> > ignored", so maybe "MUST contain all the parameters (including
>>> extension
>>> > parameters) used to process the OAuth 2.0 [RFC6749] authorization
>>> > request; parameters from other sources MUST NOT be used", akin to what
>>> > we say down in Sections 5 and 6.3..
>>> > But we need to be careful about the wording to not exclude the usage of
>>> > the "request" and "request_uri" query parameters to  find the Request
>>> > Object!
>>>
>>> Thanks. I will make the description more exact.
>>>
>>> >
>>> >    the JWT claims.  Parameter names and string values MUST be included
>>> >
>>> > nit: maybe "the JWT claims of the object"?
>>>
>>> Thanks. I will probably make it "the JWT claims of the request object."
>>>
>>> >
>>> >    any extension parameters.  This JSON [RFC7159] constitutes the JWT
>>> >    Claims Set defined in JWT [RFC7519].  The JWT Claims Set is then
>>> >    signed or signed and encrypted.
>>> >
>>> > nit: I  think we want "This JSON [RFC7159] object".
>>>
>>> Thanks. I will fix it as suggested.
>>>
>>> >
>>> > (Long quote incoming)
>>> >
>>> >    The following is an example of the Claims in a Request Object before
>>> >    base64url encoding and signing.  Note that it includes extension
>>> >    variables such as "nonce" and "max_age".
>>> >
>>> >      {
>>> >       "iss": "s6BhdRkqt3",
>>> >       "aud": "https://server..example.com <https://server.example.com>
>>> ",
>>> >       "response_type": "code id_token",
>>> >       "client_id": "s6BhdRkqt3",
>>> >       "redirect_uri": "https://client..example.org/cb
>>> <https://client.example.org/cb>";,
>>> >       "scope": "openid",
>>> >       "state": "af0ifjsldkj",
>>> >       "nonce": "n-0S6_WzA2Mj",
>>> >       "max_age": 86400
>>> >      }
>>> >
>>> >    Signing it with the "RS256" algorithm results in this Request Object
>>> >    value (with line wraps within values for display purposes only):
>>> >
>>> >      eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ew0KICJpc3MiOiAiczZCaGRSa3
>>> >      F0MyIsDQogImF1ZCI6ICJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsDQogInJl
>>> >      c3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsDQogImNsaWVudF9pZCI6ICJzNk
>>> >      JoZFJrcXQzIiwNCiAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vY2xpZW50LmV4YW1w
>>> >      bGUub3JnL2NiIiwNCiAic2NvcGUiOiAib3BlbmlkIiwNCiAic3RhdGUiOiAiYWYwaW
>>> >      Zqc2xka2oiLA0KICJub25jZSI6ICJuLTBTNl9XekEyTWoiLA0KICJtYXhfYWdlIjog
>>> >      ODY0MDAsDQogImNsYWltcyI6IA0KICB7DQogICAidXNlcmluZm8iOiANCiAgICB7DQ
>>> >      ogICAgICJnaXZlbl9uYW1lIjogeyJlc3NlbnRpYWwiOiB0cnVlfSwNCiAgICAgIm5p
>>> >      Y2tuYW1lIjogbnVsbCwNCiAgICAgImVtYWlsIjogeyJlc3NlbnRpYWwiOiB0cnVlfS
>>> >      wNCiAgICAgImVtYWlsX3ZlcmlmaWVkIjogeyJlc3NlbnRpYWwiOiB0cnVlfSwNCiAg
>>> >      ICAgInBpY3R1cmUiOiBudWxsDQogICAgfSwNCiAgICJpZF90b2tlbiI6IA0KICAgIH
>>> >      sNCiAgICAgImdlbmRlciI6IG51bGwsDQogICAgICJiaXJ0aGRhdGUiOiB7ImVzc2Vu
>>> >      dGlhbCI6IHRydWV9LA0KICAgICAiYWNyIjogeyJ2YWx1ZXMiOiBbInVybjptYWNlOm
>>> >      luY29tbW9uOmlhcDpzaWx2ZXIiXX0NCiAgICB9DQogIH0NCn0.nwwnNsk1-Zkbmnvs
>>> >      F6zTHm8CHERFMGQPhos-EJcaH4Hh-sMgk8ePrGhw_trPYs8KQxsn6R9Emo_wHwajyF
>>> >      KzuMXZFSZ3p6Mb8dkxtVyjoy2GIzvuJT_u7PkY2t8QU9hjBcHs68PkgjDVTrG1uRTx
>>> >      0GxFbuPbj96tVuj11pTnmFCUR6IEOXKYr7iGOCRB3btfJhM0_AKQUfqKnRlrRscc8K
>>> >      ol-cSLWoYE9l5QqholImzjT_cMnNIznW9E7CDyWXTsO70xnB4SkG6pXfLSjLLlxmPG
>>> >      iyon_-Te111V8uE83IlzCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzw
>>> >
>>> > Decoding the base64 of the body, we see:
>>> > {
>>> >  "iss": "s6BhdRkqt3",
>>> >  "aud": "https://server.example.com",
>>> >  "response_type": "code id_token",
>>> >  "client_id": "s6BhdRkqt3",
>>> >  "redirect_uri": "https://client.example.org/cb
>>> <https://client..example.org/cb>";,
>>> >  "scope": "openid",
>>> >  "state": "af0ifjsldkj",
>>> >  "nonce": "n-0S6_WzA2Mj",
>>> >  "max_age": 86400,
>>> >  "claims":
>>> >   {
>>> >    "userinfo":
>>> >     {
>>> >      "given_name": {"essential": true},
>>> >      "nickname": null,
>>> >      "email": {"essential": true},
>>> >      "email_verified": {"essential": true},
>>> >      "picture": null
>>> >     },
>>> >    "id_token":
>>> >     {
>>> >      "gender": null,
>>> >      "birthdate": {"essential": true},
>>> >      "acr": {"values": ["urn:mace:incommon:iap:silver"]}
>>> >     }
>>> >   }
>>> > }
>>> >
>>> > I'm not sure where the "claims" claim is coming from -- 6749 doesn't
>>> > seem to talk about it.  (Note that this example is used later on as
>>> > well.)
>>>
>>> It is an extension parameter that is registered in the OAuth
>>> authorization request registry.
>>> It is defined in OpenID Connect Core and OIDF is in the process of
>>> registering it to the JWT Claims registry as well. I have put them to show
>>> that extension parameters can also be used in the request object. Having
>>> said that, they may be confusing. I should just remove them.
>>>
>>> >
>>> > Section 5.2.1
>>> >
>>> >    It is possible for the Request Object to include values that are to
>>> >    be revealed only to the Authorization Server.  As such, the
>>> >    "request_uri" MUST have appropriate entropy for its lifetime.  For
>>> >    the guidance, refer to 5.1.4.2.2 of [RFC6819].  It is RECOMMENDED
>>> >    that it be removed after a reasonable timeout unless access control
>>> >    measures are taken.
>>> >
>>> > It sounds like a link to https://www.w3.org/TR/capability-urls/ might
>>> > also be useful.
>>> >
>>>
>>> Thanks. I will add it.
>>>
>>> > Section 5.2.2
>>> >
>>> > Do we want to remind the reader that the other query parameters are
>>> just
>>> > for backwards compatibility?
>>>
>>> It is probably be better to remove them as they are not allowed to be
>>> used.
>>>
>>> >
>>> > Section 5.2.3
>>> >
>>> >    The following is an example of this fetch process:
>>> >
>>> >      GET /request.jwt HTTP/1.1
>>> >      Host: tfp.example.org
>>> >
>>> > It's useful to show good hygeine in examples; can we get the extra
>>> > entropy in this request that we have in the previous example(s)?
>>>
>>> Thanks for pointing out. I will fix it. (The previous example also needs
>>> to be changed.)
>>>
>>> >
>>> > Section 6.2
>>> >
>>> >    The Authorization Server MUST perform the signature validation of
>>> the
>>> >    JSON Web Signature [RFC7515] signed request object.  For this, the
>>> >    "alg" Header Parameter in its JOSE Header MUST match the value of
>>> the
>>> >    pre-registered algorithm..  The signature MUST be validated against
>>> >    the appropriate key for that "client_id" and algorithm.
>>> >
>>> > Does "the pre-registered algorithm" concept exist in the specs outside
>>> > of draft-ietf-oauth-jwt-bcp?
>>>
>>> Yes. RFC7591 combined with some of the OAuth Dynamic Client Registration
>>> Metadata registry forms the concept. RFC7591 allows clients to register the
>>> claims that is in the OAuth Dynamic Client Registration Metadata registry.
>>> The registry has
>>>
>>>    - request_object_signing_alg
>>>    - request_object_encryption_alg
>>>
>>> besides others. Having said that, it is a bit obscure so I probably
>>> should put some more explanation around it.
>>>
>>> >
>>> > Section 8
>>> >
>>> >    HTTP clients MUST also verify the TLS server certificate, using
>>> >    subjectAltName dNSName identities as described in [RFC6125], to
>>> avoid
>>> >    man-in-the-middle attacks.  The rules and guidelines defined in
>>> >
>>> > It's probably easier to just say "using DNS-ID [RFC6125], to avoid
>>> > man-in-the-middle attacks".
>>>
>>> Thanks. I will do so.
>>>
>>> >
>>> > Section 9
>>> >
>>> > The error codes we list in Section 7 are already registered, for the
>>> > OIDC usage.  Do we want to say anything about that?   (I guess it would
>>> > be disallowed by process to try to update the existing registration to
>>> > also point at this document.)
>>>
>>> OIDC is an extension of OAuth and it should be fine as is.
>>> What we need to be careful is that there will be no conflict going
>>> forward.
>>> I will put the instruction update that will be provided by Mike (Jones).
>>>
>>> >
>>> > Section 10
>>> >
>>> > We probably also want to reference draft-ietf-oauth-jwt-bcp.
>>>
>>> Thanks. I will put the reference as draft.
>>>
>>> >
>>> > Section 10.1
>>> >
>>> >    When sending the authorization request object through "request"
>>> >    parameter, it MUST either be signed using JWS [RFC7515] or encrypted
>>> >    using JWE [RFC7516] with then considered appropriate algorithm.
>>> >
>>> > Up in Section 5 we only allow (a) signed and (b) signed then encrypted;
>>> > similarly, in Section 4 we reiterate "signed then encrypted".  Why is
>>> it
>>> > okay to talk about just "signed or encrypted" here?
>>>
>>> Very good catch. It should be changed to align with other sections.
>>>
>>> >
>>> > Section 10.2
>>> >
>>> >    (b)  Verifying that the symmetric key for the JWE encryption is the
>>> >         correct one if the JWE is using symmetric encryption.
>>> >
>>> > Similarly to the previous point, you also need to check the signature,
>>> > which will always be there.
>>>
>>> You are right. This one should be removed.
>>>
>>> >
>>> >    (d)  Authorization Server is providing an endpoint that provides a
>>> >         Request Object URI in exchange for a Request Object.  In this
>>> >
>>> > I don't think this is a complete sentence (and it's definitely not a
>>> > parallel construction with (a)-(c)!).  I think perhaps a crisp one-line
>>> > summary of this method would be "Delegating the authorization check to
>>> a
>>> > separate "Request Object to Request Object URI" endpoint on the
>>> > Authorization Server".  (The writing in the rest of this paragraph
>>> could
>>> > also use an editing pass.)
>>>
>>> Thanks for pointing it out. Changing as follows would be ok?
>>>
>>> (d) When Authorization Server is providing an endpoint that provides a
>>> Request Object URI in exchange for a Request Object,
>>> the Authorization Server MUST perform Client
>>> Authentication to accept the Request Object and bind the Client
>>> Identifier to the Request Object URI it is providing. Since
>>> Request Object URI can be replayed, the lifetime of the Request
>>> Object URI MUST be short and preferably one-time use. The
>>> entropy of the Request Object URI MUST be sufficiently large.
>>> The adequate shortness of the validity and the entropy of the
>>> Request Object URI depends on the risk calculation based on the
>>> value of the resource being protected. A general guidance for
>>> the validity time would be less than a minute and the Request
>>> Object URI is to include a cryptographic random value of 128bit
>>> or more at the time of the writing of this specification.
>>>
>>> >
>>> >    (e)  A third party, such as a Trust Framework Provider, provides an
>>> >         endpoint that provides a Request Object URI in exchange for a
>>> >         Request Object.  The same requirements as (b) above apply.  In
>>> >         addition, the Authorization Server MUST know out-of-band that
>>> >         the Client utilizes the Trust Framework Operator.
>>> >
>>> > The Authorization Server also has to trust the third-party provider to
>>> > actually do its job and not misbehave, right?
>>>
>>> Yes. I will add wording around it.
>>>
>>> >
>>> > Section 10.3
>>> >
>>> > I'm not entirely sure what "[t]he endpoints that come into question in
>>> > this specification" is supposed to mean -- is it just "the OAuth 2.0
>>> > endpoints presently defined in Standards-Track RFCs"?
>>>
>>> Yes. RFC6749, RFC6750, and RFC8414.
>>>
>>> >
>>> >    In [RFC6749], while Redirection URI is included, others are not
>>> >    included in the Authorization Request.  As the result, the same
>>> >    applies to Authorization Request Object.
>>> >
>>> > nit: included in what?
>>>
>>> In the Authorization request.
>>> I thought it would be too onerous to state
>>>
>>> In [RFC6749], while Redirection URI is included in the Authorization
>>>> Request,
>>>> others are not included in the Authorization Request.  As the result,
>>>> the same
>>>> applies to Authorization Request Object.
>>>
>>>
>>> Would you like to add "in the Authorization Request" as above?
>>>
>>> >
>>> > Section 10.4
>>> >
>>> > It's probably also worth citing the generic URI security considerations
>>> > from RFC 3986, here.
>>>
>>> I will do so. Thanks.
>>>
>>> >
>>> > Section 10.4.1
>>> >
>>> >    "request_uri", and (d) do not perform recursive GET on the
>>> >    "request_uri".
>>> >
>>> > nit: remove the "do" in order to make the construction parallel.
>>>
>>> Thanks. I will do so.
>>>
>>> >
>>> > Section 12.1
>>> >
>>> >    It is often hard for the user to find out if the personal data asked
>>> >    for is strictly necessary.  A Trust Framework Provider can help the
>>> >    user by examining the Client request and comparing to the proposed
>>> >    processing by the Client and certifying the request.  After the
>>> >    certification, the Client, when making an Authorization Request, can
>>> >    submit Authorization Request to the Trust Framework Provider to
>>> >    obtain the Request Object URI.
>>> >
>>> > side note: In my head the act of certification was the act of making
>>> the
>>> > translation to a Request Object URI, so I'm kind of curious where my
>>> > vision differs from reality.
>>>
>>> So, I should probably expand the text.
>>> The process is two steps:
>>>
>>> 1. (Certification Process) The TFP examines the business process of the
>>> client and determines what claims they needs: This is the certification
>>> process. Once the client is certified, then they are issued a client
>>> credential to authenticate against to push request objects to the TFP to
>>> get the request_uri.
>>>
>>> 2. (Translation Process) The client uses the client credential that it
>>> got to push the request object to the TFP to get the request_uri.
>>>
>>> >
>>> > The third paragraph seems to mostly just be describing the procedure of
>>> > how this flow works, which would not necessarily be specific to the
>>> > privacy considerations section.
>>>
>>> The third paragraph is also important from the privacy point of view.
>>> In a trust framework that has a policy to only allow TFP vetted request
>>> object,
>>> then the Authorization Server must make sure that it was.
>>> One way to do it is to check the authority section.
>>>
>>> >
>>> > Section 12.2.2
>>> >
>>> >    Even if the protected resource does not include a personally
>>> >    identifiable information, it is sometimes possible to identify the
>>> >    user through the Request Object URI if persistent per-user Request
>>> >    Object URI is used.  A third party may observe it through browser
>>> >
>>> > nit: need an article for "persistent per-user Request Object URI" (or
>>> > make it plural, as "URIs are used").
>>>
>>> Thanks. I will fix it.
>>>
>>> >
>>> >    Therefore, per-user Request Object URI should be avoided.
>>> >
>>> > nit: I think this is better as "static per-user Requeste Object URIs".
>>>
>>> Thanks. I will fix it.
>>>
>>> >
>>> > Section 13
>>> >
>>> > Are there two different paragraphs for "contributions from the OAuth WG
>>> > members"?  Are they reflecting different types of contribution?
>>>
>>> Thanks. I have merged them.
>>>
>>>
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf..org <OAuth@ietf.org>;
>>> > https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._