Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Torsten Lodderstedt <> Fri, 22 November 2019 07:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 450A112011E for <>; Thu, 21 Nov 2019 23:53:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5767lAhCCifh for <>; Thu, 21 Nov 2019 23:53:52 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EC25E1200B5 for <>; Thu, 21 Nov 2019 23:53:51 -0800 (PST)
Received: by with SMTP id ep1so2711356pjb.7 for <>; Thu, 21 Nov 2019 23:53:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=P2Fw4Hf93wdDmE87X0PqRskW5huArnWa/3G/8ssqHMs=; b=Vt5FCpgUD6Ud6gUJqe/ePSlqv+KiosUxXxvRTNDV/ybVwvgaS1UwOsQ4dV5UkWTq+d 1QRVe5qfo5S8gx/pEX9oASXg+Nq85zo5lwnE1RPRYX5WzB/RmsAOoBqALoe8iIll1UUp w6qc3xHEhYTDZuTEoZsBxcSx6P5K5p5ZVhGyBadoMmEsXcv9bjtjldVm6oIxL1enKvrm +I3AOqTB/GKs3garayi39995vdHoQQNPRYwLj1LQvdn26ijX3BgdQl+SHGKuzL/nQX+9 UZz4NsRaLDdcB1Pp1w8EIXq4DDrOn8ue20GaSbYwNjGJkiFLDo3WqLkD/O2hafNkJqlV QgbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=P2Fw4Hf93wdDmE87X0PqRskW5huArnWa/3G/8ssqHMs=; b=g/jIOeKgz2pxxHNW9i92OwPGR8D89JNlmcp4X7O/iweuv8djs7t5g90qA23sMzhlth J+rksCztOGj/jMSQIVxcQ+vEUerCy5Ycavir+XpVNTx9PsAb7uU4Um5iVi9RyoqNpEGW 9NV/H+Ix5oCGv6zHjEde+EHExKpwbLYLsE1FGMGs/d6PAh4kViOWjKUf4FL6VJOk0u7n 5NGP/8v6aOebCva+mDv3vAMnfLz9Nu36UnSsBo5VQ6adzFvHskwa5FonB97nU46CnH+H s92wm/GM8a/um3rtAC0XV7QD94kEwd2JiGJo1BddLYVdvmuCupG5BlOSj4P0J1thDbnk v3VA==
X-Gm-Message-State: APjAAAUNPNS4X9TsfB0GFEXJRpnERM/yC/oSnnBZeRMoDUvHYdc2bz6q EPCJ8wP82/gxD8IQXq7k86aIBQ==
X-Google-Smtp-Source: APXvYqyBov1ZQxsc8Pf2NOc4cWyVA7/r/ERJvi1tNFMIsoAjPmMjIKX+br/v6Hd+8X+xJxCsov17Yg==
X-Received: by 2002:a17:902:aa0b:: with SMTP id be11mr13155594plb.258.1574409231251; Thu, 21 Nov 2019 23:53:51 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id r4sm6435030pfl.61.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Nov 2019 23:53:50 -0800 (PST)
From: Torsten Lodderstedt <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_6F9378CF-02D0-4963-A5BE-BC05C56A9C13"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
Date: Fri, 22 Nov 2019 15:53:43 +0800
In-Reply-To: <>
Cc: Dick Hardt <>, oauth <>
To: Justin Richer <>
References: <> <> <> <>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Nov 2019 07:53:54 -0000

> On 22. Nov 2019, at 15:24, Justin Richer <> wrote:
> I’m going to +1 Dick and Annabelle’s question about the scope here. That was the one major thing that struck me during the DPoP discussions in Singapore yesterday: we don’t seem to agree on what DPoP is for. Some (including the authors, it seems) see it as a quick point-solution to a specific use case. Others see it as a general PoP mechanism. 
> If it’s the former, then it should be explicitly tied to one specific set of things. If it’s the latter, then it needs to be expanded. 

as a co-author of the DPoP draft I state again what I said yesterday: DPoP is a mechanism for sender-constraining access tokens sent from SPAs only. The threat to be prevented is token replay.

The general mechanism for sender constrained access token should be TLS-based as recommended by the Security BCP (see

Why: that’s the easiest way from a client developer's perspective. 

Application level signatures, on the other hand, are inherently more fragile as illustrated by the OAuth 1 experience. They also require additional effort (and state) on the server side to implement replay detection. 

As kind of an entertaining read I added two posts/threads from 2010, when this WG discussed whether TLS/SSL should be the primary OAuth 2.0 security mechanism.

The decision to go with TLS only was, in my opinion, one of the key success factors that made OAuth 2 so incredibly successful.

To re-state: From my perspective, DPoP is intended to be used by SPA developers only for token replay detection (or better put to provide RSs with the pre-requisites to do so).  

Why? Because we unfortunately currently lack a TLS-based mechanism for sender-constraining.

Building it on asymmetrical crypto only makes it easier to implement and to handle than methods based on shared secrets.

I also think we must look for alternative methods to enable TLS-based methods in the browser. 

> I’ll repeat what I said at the mic line: My take is that we should explicitly narrow down DPoP so that it does exactly one thing and solves one narrow use case. And for a general solution? Let’s move that discussion into the next major revision of the protocol where we’ll have a bit more running room to figure things out.
>  — Justin
>> On Nov 22, 2019, at 3:13 PM, Dick Hardt <> wrote:
>> On Fri, Nov 22, 2019 at 3:08 PM Neil Madden <> wrote:
>> On 22 Nov 2019, at 01:42, Richard Backman, Annabelle <> wrote:
>>> There are key distribution challenges with that if you are doing validation at the RS, but validation at the RS using either approach means you’ve lost protection against replay by the RS. This brings us back to a core question: what threats are in scope for DPoP, and in what contexts?
>> Agreed, but validation at the RS is premature optimisation in many cases. And if you do need protection against that the client can even append a confirmation key as a caveat and retrospectively upgrade a bearer token to a pop token. They can even do transfer of ownership by creating copies of the original token bound to other certificates/public keys. 
>> While validation at the RS may be an optimization in many cases, it is still a requirement for deployments.
>> I echo Annabelle's last question: what threats are in scope (and out of scope) for DPoP?
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list