Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-03.txt
Brian Campbell <bcampbell@pingidentity.com> Tue, 11 August 2020 21:55 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 384BC3A0D3E for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2020 14:55:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uu1AxLw5YNe3 for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2020 14:55:34 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0139C3A0BCF for <oauth@ietf.org>; Tue, 11 Aug 2020 14:55:33 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id w14so15240640ljj.4 for <oauth@ietf.org>; Tue, 11 Aug 2020 14:55:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uqkekHKEwvK+nMiW2wYWljockfxGIZlMBY61B4YWWCY=; b=BUR8ebmi2+45x7lcqUN6YG5EDxaBiPUN/icC6H3AkpgCyau6Qc36BYOnSa1Dv4L5L8 lUcKXkDKE/bIhN2/56znYJGLa4FlowWVNhUbR1muLRLiQM0k8tJNwElicDAIFqSDO0km oqyTFOgvvLZJJ3kEUXHd0lUBXGNpttNy+HZAO5a7TeT3ltkexw/ObGvVQgnamIG7UdaD +PeEt3HMCiEzjW9UTrcISZYg9NYanbj2EQ93qtw5ZMZYHbp4SCbGBenMNZnJeoU/N+aN DWu9ajBHGAs4VQ6bTQQyW6w3afn66c4cfDB1QYDwzNUTL32zZBY0lhfALbkzuXPY4tcX Y6/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uqkekHKEwvK+nMiW2wYWljockfxGIZlMBY61B4YWWCY=; b=oKCwNotX8pAdFOqvNFYdDjSeIgT3zBNZA4gyjcG+3gAMJY5U1Mhb2Ys0L4oLUPuES7 OdGgyuL9DhNk+UJpBAKhhUFH3ozylVMG6dAH0jmr9zuydcVFTAAAKC+d2BCz27gnrPUV 1A6YRNcXrYLGMrCxWt6cF0yS/sunKhhAUamXvmZ9zbCOQ9bm6CfG2tY58u83TMi06LZh j/DAfrhwbGNPzTZXCbksVgMUPBaJGmvO6kPrRlnhKme/NrQ8iVrA4/Rmin89nlpsqgge cU4g0R1IlamcQyz3D1v1MM0N0j7p+K7HdRqQDCqNve8Zl6slT0iatmJsviNFh/AeD5jd bC1g==
X-Gm-Message-State: AOAM5334TXE0qJpW7uVZStItJlSZOP1O1MCiqmnas/rim862dSBpFqrn D7XhTbZsm1ZItg86FItd0IuXHtpVWFDol0mZrnfls9UhRXI7KkZu4yAGe8IYV7vb/p0LRU9bx6d /tQkurp7S/xYaDQ==
X-Google-Smtp-Source: ABdhPJyZhuSiaX44ZCp5NR/qd/OVb7mLoEpNUUxeV+8tQimNbde8va0ms9eE+7+2xaPNZ9I3uIpdpDieVlZ0pZuYbOE=
X-Received: by 2002:a2e:d1a:: with SMTP id 26mr3781242ljn.422.1597182930975; Tue, 11 Aug 2020 14:55:30 -0700 (PDT)
MIME-Version: 1.0
References: <159620115034.32558.6249632084531225541@ietfa.amsl.com> <CAOW4vyO5v_b5_3QOKfhXupwbTk19GrpCitKfbGnff_NwYAs_+A@mail.gmail.com>
In-Reply-To: <CAOW4vyO5v_b5_3QOKfhXupwbTk19GrpCitKfbGnff_NwYAs_+A@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 11 Aug 2020 15:55:04 -0600
Message-ID: <CA+k3eCQ1z575uRwi3TJmjbcZotaq8Gkp=qBH-n9JbNtjhv4jNg@mail.gmail.com>
To: Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org>
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003e1fc705aca12105"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iD33QbZTj92LJ6M9wNUq9s3nLpA>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2020 21:55:37 -0000
Hi Francis, My apologies for the tardy response to this - I was away for some time on holiday. But thank you for the review and feedback on the draft. I've tried to respond inline below. On Fri, Jul 31, 2020 at 5:01 PM Francis Pouatcha <fpo= 40adorsys.de@dmarc.ietf.org> wrote: > Bellow is the only remark I found from reviewing the draft draft: > > 2.1. Request: > > requires the parameters "code_challenge" and "code_challenge_method" but > > https://openid.net/specs/openid-financial-api-part-2-ID2.html#confidential-client mentions > that RFC7636 is not required for confidential clients. I guess those two > parameters have to be taken off the mandatory list and pushed to the list > below. > The list of parameters in Section 2.1 is qualified with a "basic parameter set will typically include" and is definitely not intended to convey a set of required parameters. It's just a list of parameters that make up a hypothetical typical request. Perhaps some text in the section or even the formatting needs to be adjusted so as to (hopefully) avoid any confusion like this that the list somehow conveys normative requirements? > - Using jwsreq, non repudiation is provided as request is signed (jws). > This section also mentions that the request can be sent as form url > encoded (x-www-form-urlencoded). In this case, there is no way to provide > non repudiation unless we mention that request can be signed by client > using signature methods declared by the AS (AS metadata). > I am not aware of any signature methods or means of an AS declaring support for a signature method in metadata that are sufficiently standardized to be mentioned in the context of this draft. The "request" parameter https://tools.ietf.org/html/draft-ietf-oauth-par-03#section-3 can be sent to the PAR endpoint and should provide the same notation of non-repudiation as does jwsreq. I think that's sufficient treatment of non-repudiation for the PAR draft. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] I-D Action: draft-ietf-oauth-par-03.txt internet-drafts
- [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-par-… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-0… Francis Pouatcha
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-0… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-0… Francis Pouatcha
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-0… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-0… Francis Pouatcha
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-0… Torsten Lodderstedt