Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-step-up-authn-challenge-14: (with COMMENT)
Vittorio Bertocci <vittorio@auth0.com> Thu, 13 April 2023 06:33 UTC
From: Vittorio Bertocci <vittorio@auth0.com>
Date: Wed, 12 Apr 2023 23:13:51 -0700
Message-ID: <CAEFJvaoFWJtAhhF7o_HpC+5-boR=V56FLu9iLeTaE8niNNR9pw@mail.gmail.com>
To: Murray Kucherawy <superuser@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-step-up-authn-challenge@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rifaat.s.ietf@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ldxeMX8LBsORiq8qh11VZwvwg5g>
Sorry, my email client ate the first line of my reply, which was *Thanks Murray for the comments!*

On Wed, Apr 12, 2023 at 11:11 PM Vittorio Bertocci <vittorio@auth0.com> wrote:

> On the SHOULD on top of S4. There are pretty common situations in which failing to get a response from an API is an acceptable outcome, and presenting an interactive prompt isn't. A classic example is a background update that the client can use to proactively fetch fresh data, that isn't critical for the application function and wasn't initiated by the user. As such, an interactive prompt could disrupt the user experience by requiring an action without clear context and not in pursuit of a goal the user expressed. A MUST would force a complying client to act on the challenge, making those scenarios hard to handle.
>
> On the SHOULD on top of S5. There we are just describing what the OIDC specification mandates for ID tokens, hence not providing any new normative guidance. We echo what OIDC mandates for ID tokens there because we want to apply the same logic for access tokens, as we later describe in the same section. In that description we don't introduce a more restrictive MUST because that would make it hard for the (many) existing authorization server+OIDC implementations to comply, limiting adoption and for a relatively small return.
>
> On the quotes: Brian has more experience in RFC authoring than I do, but it's night on his part of the world hence I cannot consult him :) However in the only other spec I authored (rfc9068) I did use quotes for every claim occurrence in the text, hence I am confident we can do the same here. Thanks for the catch!
>
> On Wed, Apr 12, 2023 at 9:59 PM Murray Kucherawy via Datatracker <noreply@ietf.org> wrote:
>
>> Murray Kucherawy has entered the following ballot position for
>> draft-ietf-oauth-step-up-authn-challenge-14: No Objection
>>
>> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
>>
>> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Thanks to Robert Sparks for the ARTART reviews and Mark Nottingham for the HTTPDIR review. Please make sure the former was fully addressed before proceeding.
>>
>> The SHOULD at the top of Section 4 is bare. What happens if I don't do that? Or should this really be a MUST?
>>
>> Same question for the first SHOULD in Section 5. Is there ever a legitimate reason not to do what it says?
>>
>> I feel that claim names such as "acr" should be quoted. They look like misspelled words otherwise.
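As an added illustration of the SHOULD-versus-MUST point in the reply above (example code, not from the draft or its authors): a client parses the Bearer challenge and only starts a new authorization request when the call was user-initiated, abandoning a background refresh instead of surfacing an unexplained prompt. The challenge parameters `error="insufficient_user_authentication"`, `acr_values` and `max_age` are the ones the step-up draft defines; the `user_initiated` flag, the helper names and the sample challenge (including the ACR value "myACR") are this example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# auth-param = token "=" ( token / quoted-string ), per RFC 9110 section 11.2.
_AUTH_PARAM = re.compile(r'([A-Za-z0-9_.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

# Constructed sample challenge in the shape the step-up draft defines
# (error / acr_values / max_age); "myACR" is a made-up ACR value.
SAMPLE_CHALLENGE = ('Bearer error="insufficient_user_authentication", '
                    'error_description="A different authentication level is required", '
                    'acr_values="myACR", max_age=5')


def parse_bearer_challenge(www_authenticate: str) -> dict:
    """Return the auth-params of a Bearer challenge, quoted-strings unescaped."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme: {scheme!r}")
    out = {}
    for m in _AUTH_PARAM.finditer(params):
        key, quoted, bare = m.group(1).lower(), m.group(2), m.group(3)
        out[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
    return out


@dataclass(frozen=True)
class StepUpDecision:
    action: str                       # "reauthorize" | "abandon" | "not_step_up"
    acr_values: Optional[str] = None  # space-separated ACRs the resource server asked for
    max_age: Optional[int] = None     # maximum seconds since the last authentication


def decide_on_challenge(www_authenticate: str, user_initiated: bool) -> StepUpDecision:
    """Client policy for a 401 challenge: step up only for user-driven requests.

    The draft says the client SHOULD react by starting a new authorization
    request; for a background refresh the user never asked for, this client
    abandons the call rather than interrupt the user out of context.
    """
    params = parse_bearer_challenge(www_authenticate)
    if params.get("error") != "insufficient_user_authentication":
        return StepUpDecision("not_step_up")  # some other Bearer error, e.g. invalid_token
    acr_values = params.get("acr_values")
    max_age = int(params["max_age"]) if "max_age" in params else None
    if not user_initiated:
        return StepUpDecision("abandon", acr_values, max_age)
    return StepUpDecision("reauthorize", acr_values, max_age)
```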