Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-step-up-authn-challenge-14: (with COMMENT)

Vittorio Bertocci <vittorio@auth0.com> Thu, 13 April 2023 06:33 UTC

References: <168136196076.46946.14361049726064538738@ietfa.amsl.com> <CAEFJvap5yO_52FABDw750w5CAqbcYQBCDnLdkCwsOYuLP6h36Q@mail.gmail.com>
In-Reply-To: <CAEFJvap5yO_52FABDw750w5CAqbcYQBCDnLdkCwsOYuLP6h36Q@mail.gmail.com>
From: Vittorio Bertocci <vittorio@auth0.com>
Date: Wed, 12 Apr 2023 23:13:51 -0700
Message-ID: <CAEFJvaoFWJtAhhF7o_HpC+5-boR=V56FLu9iLeTaE8niNNR9pw@mail.gmail.com>
To: Murray Kucherawy <superuser@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-step-up-authn-challenge@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rifaat.s.ietf@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ldxeMX8LBsORiq8qh11VZwvwg5g>
Subject: Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-step-up-authn-challenge-14: (with COMMENT)

Sorry, my email client ate the first line of my reply, which was

*Thanks Murray for the comments!*

On Wed, Apr 12, 2023 at 11:11 PM Vittorio Bertocci <vittorio@auth0.com>
wrote:

> On the SHOULD on top of S4. There are pretty common situations in which
> failing to get a response from an API is an acceptable outcome, and
> presenting an interactive prompt isn't. A classic example is a background
> update that the client can use to proactively fetch fresh data, that isn't
> critical for the application function and wasn't initiated by the user. As
> such, an interactive prompt could disrupt the user experience by requiring
> an action without clear context and not in pursuit of a goal the user
> expressed. A MUST would force a complying client to act on the challenge,
> making those scenarios hard to handle.
>
> On the SHOULD on top of S5. There we are just describing what the OIDC
> specification mandates for ID tokens, hence not providing any new normative
> guidance. We echo what OIDC mandates for ID tokens there because we want to
> apply the same logic for access tokens, as we later describe in the same
> section. In that description we don't introduce a more restrictive MUST
> because that would make it hard for the (many) existing authorization
> server+OIDC implementations to comply, limiting adoption and for a
> relatively small return.
>
> On the quotes: Brian has more experience in RFC authoring than I do, but
> it's night on his part of the world hence I cannot consult him :) However
> in the only other spec I authored (rfc9068) I did use quotes for every
> claim occurrence in the text, hence I am confident we can do the same here.
> Thanks for the catch!
>
> On Wed, Apr 12, 2023 at 9:59 PM Murray Kucherawy via Datatracker <
> noreply@ietf.org> wrote:
>
>> Murray Kucherawy has entered the following ballot position for
>> draft-ietf-oauth-step-up-authn-challenge-14: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to
>> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
>> for more information about how to handle DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Thanks to Robert Sparks for the ARTART reviews and Mark Nottingham for the
>> HTTPDIR review.  Please make sure the former was fully addressed before
>> proceeding.
>>
>> The SHOULD at the top of Section 4 is bare.  What happens if I don't do
>> that?  Or should this really be a MUST?
>>
>> Same question for the first SHOULD in Section 5.  Is there ever a
>> legitimate reason not to do what it says?
>>
>> I feel that claim names such as "acr" should be quoted.  They look like
>> misspelled words otherwise.
>>
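As an added example (not code from the draft, and not from anyone on this thread), the following sketch makes the two points above concrete: the resource server compares the "acr" and "auth_time" claims of an already-validated access token against its policy and, when they fall short, answers with the step-up challenge rather than the data; the client then parses that challenge and starts an interactive step-up only for a user-initiated request, while a background refresh is deferred instead of prompting the user, which is exactly the room the SHOULD leaves. The error code and parameter names follow draft-ietf-oauth-step-up-authn-challenge as I read it; the function names, the policy values and the sample claims are assumptions made for the illustration.

```python
# Added example (not code from the draft or from anyone on this thread).
# It models the two points argued above:
#   * the resource server (RS) checks the "acr"/"auth_time" claims of an
#     already-validated access token against its policy and, when they fall
#     short, answers with the step-up challenge instead of serving the data;
#   * the client parses that challenge and launches an interactive step-up
#     only for a user-initiated request, while a background refresh is
#     deferred (logged, retried later) rather than prompting the user.
# Error code and parameter names follow draft-ietf-oauth-step-up-authn-challenge
# as I read it; function names, policies and the sample claims are assumptions.
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INSUFFICIENT_AUTHN = "insufficient_user_authentication"


def build_challenge(claims: Dict, required_acrs: List[str],
                    max_age: Optional[int] = None,
                    now: Optional[float] = None) -> Optional[str]:
    """RS side: return None when the token meets the policy, otherwise the
    WWW-Authenticate value carrying only the parameters that were not met."""
    now = time.time() if now is None else now
    acr_ok = claims.get("acr") in required_acrs
    age_ok = True
    if max_age is not None:
        auth_time = claims.get("auth_time")
        age_ok = auth_time is not None and now - auth_time <= max_age
    if acr_ok and age_ok:
        return None
    params = [f'error="{INSUFFICIENT_AUTHN}"']
    if not acr_ok:
        params.append('acr_values="%s"' % " ".join(required_acrs))
    if not age_ok:
        params.append(f'max_age="{max_age}"')
    return "Bearer " + ", ".join(params)


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header: str) -> Optional[Dict[str, str]]:
    """Client side: split a Bearer challenge into its quoted parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(_PARAM.findall(rest))


@dataclass
class ClientDecision:
    action: str                      # "use_response", "step_up", "defer", "other_error"
    acr_values: Tuple[str, ...] = ()
    max_age: Optional[int] = None


def handle_api_response(status: int, www_authenticate: Optional[str],
                        user_initiated: bool) -> ClientDecision:
    """Decide what the client does with an API response. The SHOULD in the
    draft is what lets a compliant client choose "defer" for background work."""
    if status != 401:
        return ClientDecision("use_response")
    params = parse_challenge(www_authenticate or "")
    if not params or params.get("error") != INSUFFICIENT_AUTHN:
        return ClientDecision("other_error")       # e.g. expired/invalid token
    acrs = tuple(params.get("acr_values", "").split())
    max_age = int(params["max_age"]) if "max_age" in params else None
    if not user_initiated:
        # Background fetch: surfacing a prompt here would interrupt the user
        # for a goal they never expressed, so record the need and move on.
        return ClientDecision("defer", acrs, max_age)
    return ClientDecision("step_up", acrs, max_age)


if __name__ == "__main__":
    # Constructed sample: a token obtained with a password-only login (acr "1")
    # about 100 s ago, hitting an RS that wants MFA (acr "2") for this resource.
    token_claims = {"acr": "1", "auth_time": 1000}
    challenge = build_challenge(token_claims, ["2"], now=1100)
    print(challenge)
    print(handle_api_response(401, challenge, user_initiated=False))
    print(handle_api_response(401, challenge, user_initiated=True))
```

The RS only emits the parameters that actually failed, so a client can tell whether it needs a stronger method, a fresher authentication, or both; the "defer" branch is where a real client would queue the requirement so the next user-driven action can trigger the step-up with proper context.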