Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
Brian Campbell <bcampbell@pingidentity.com> Wed, 27 November 2019 19:59 UTC
To: "Richard Backman, Annabelle" <richanna@amazon.com>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lUckUSAtVyCzkDIY4gZhPmBWSLs>
On Tue, Nov 26, 2019 at 6:26 PM Richard Backman, Annabelle <richanna@amazon.com> wrote:

> > That’s not directly attached to the access token. This means that every RS has to know about DPoP.
>
> True, but you could avoid that by embedding the access token in the DPoP proof (similar to draft-ietf-oauth-signed-http-request) and sending that as the sole token. Technically, that’s no longer a bearer token so sending it as “Authorization: bearer <token>” would be wrong, but DPoP already commits that sin.

To clarify, FWIW the current DPoP draft doesn't commit that sin. It uses “Authorization: dpop <access-token>” and "DPoP: <DPoP-proof-JWT>" headers. There were some examples attempting to illustrate how all the pieces of the proposal worked, including this particular part, in the slides I had for Singapore. But unfortunately I never made it past slide #6.

On the other hand the OAuth MTLS draft does commit said sin. But it was intentional with the aim of easing adoption/migration to it.
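The header layout described in the message above, as an added example that is not part of the original message or of the DPoP draft: a resource-server-side check that separates the bearer scheme from the dpop scheme and requires exactly one DPoP proof header for the latter. The function name `classify_request`, the result labels and the sample values in the test are hypothetical; only the header layout is checked, not the proof signature or the token.

```python
# Added illustration; names and labels are hypothetical, not from the draft.
import re

# Authorization credentials: scheme, spaces, token68-style value.
_AUTHZ = re.compile(r"^([A-Za-z][A-Za-z0-9-]*) +([A-Za-z0-9._~+/-]+=*)$")
# A compact JWS is three base64url segments separated by dots.
_COMPACT_JWS = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def classify_request(headers):
    """headers: list of (name, value) pairs as received, duplicates preserved.

    Returns (label, access_token, proof). Signature verification of the
    proof and validation of the access token are out of scope here.
    """
    authz = [v.strip() for n, v in headers if n.lower() == "authorization"]
    proofs = [v.strip() for n, v in headers if n.lower() == "dpop"]
    if len(authz) != 1:
        return ("reject: need exactly one Authorization header", None, None)
    m = _AUTHZ.match(authz[0])
    if not m:
        return ("reject: malformed Authorization header", None, None)
    # HTTP authentication scheme names compare case-insensitively.
    scheme, token = m.group(1).lower(), m.group(2)
    if scheme == "bearer":
        # Plain bearer syntax; a stray DPoP header does not change the scheme.
        return ("bearer", token, None)
    if scheme == "dpop":
        if len(proofs) != 1:
            return ("reject: dpop scheme needs exactly one DPoP header", None, None)
        if not _COMPACT_JWS.match(proofs[0]):
            return ("reject: DPoP proof is not a compact JWS", None, None)
        return ("dpop", token, proofs[0])
    return ("reject: unsupported scheme", None, None)
```

A sender-constrained token presented with the bearer scheme, as the message says the OAuth MTLS draft does, is indistinguishable at this layer from an ordinary bearer token, so the binding check has to happen when the token itself is validated.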