Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-01.txt

Nikos Fotiou <> Tue, 05 May 2020 19:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 16FB53A07BB for <>; Tue, 5 May 2020 12:15:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id egsegh7JSnw5 for <>; Tue, 5 May 2020 12:15:38 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id ED3783A07BA for <>; Tue, 5 May 2020 12:15:37 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A1E1B7EA for <>; Tue, 5 May 2020 22:15:35 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=201901; t=1588706135; bh=VpU76MSjxME6f/GnpEMj0B01Uu0CQo1H+Hki9SGSuQY=; h=From:To:References:In-Reply-To:Subject:Date:From; b=dIN1UecpbcB3lKhi2gMKVJjquyd+e5U+IusZwr1x8jTvUZjbMC8QxSdCE1oege2OH kizX2ddoY+K9snW+orLBJ++PqkBZ8OtjohOtKqalY82hsWrIEjdHXdeA9kpHkrm3xI WkpCh+6cIohTLLApcZhULlezqjyU/3AiL+DXygvDUIJ4fV7hS7mvRSwVRdzgPw2VWU dDVqlSi/j1HTVhXWSzczWN73+GfUl9CfanvFyM4Eq/AKHdCOHJwdpv8HD6vIBHDXjK Nkv0CD0W2nlE6NcyFGWKv/u9vKkXMJRaPga/UdsNmsYKLX0lP+CcZTXgbvg6SFj7ss +SHeQJOeiuf4w==
Received: from DESKTOP7VDSLBL ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: fotiou) by (Postfix) with ESMTPSA id 81BADB5B for <>; Tue, 5 May 2020 22:15:35 +0300 (EEST)
From: "Nikos Fotiou" <>
To: "'oauth'" <>
References: <> <>
In-Reply-To: <>
Date: Tue, 5 May 2020 22:15:33 +0300
Message-ID: <02cb01d62311$8ce1e900$a6a5bb00$>
X-Mailer: Microsoft Outlook 16.0
Content-Language: el
MIME-Version: 1.0
Thread-Index: AQJoP+p0lhF/AEoO/uEYyKFfTlmrcwIAWYuCp2WfHjA=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_02C4_01D6232A.B1BF9650"; micalg=2.16.840.
Archived-At: <>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-01.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 May 2020 19:15:41 -0000

Hi all,

There was some discussion about adding “server contribution” in the DPoP proof. I was wondering if the “challenge” server response described in section 6 can include such a contribution (e.g., a server generated nonce).





From: OAuth <> On Behalf Of Brian Campbell
Sent: Friday, May 1, 2020 10:03 PM
To: oauth <>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-01.txt


I've pushed out a -01 revision of DPoP hopefully allowing folks enough time to read it before the interim meeting on Monday (apologies that it wasn't sooner but the edits took longer than expected or hoped). For ease of reference the changes in this revision are summarized below. There are, of course, still outstanding issues and discussion points that I hope to make some progress on during the interim meeting on Monday.



   *  Editorial updates
   *  Attempt to more formally define the DPoP Authorization header
   *  Define the 401/WWW-Authenticate challenge
   *  Added "invalid_dpop_proof" error code for DPoP errors in token
   *  Fixed up and added to the IANA section
   *  Added "dpop_signing_alg_values_supported" authorization server
   *  Moved the Acknowledgements into an Appendix and added a bunch of
      names (best effort)


---------- Forwarded message ---------
From: < <> >
Date: Fri, May 1, 2020 at 12:24 PM
Subject: New Version Notification for draft-ietf-oauth-dpop-01.txt
To: Torsten Lodderstedt < <> >, David Waite < <> >, John Bradley < <> >, Brian Campbell < <> >, Daniel Fett < <> >, Michael Jones < <> >

A new version of I-D, draft-ietf-oauth-dpop-01.txt
has been successfully submitted by Brian Campbell and posted to the
IETF repository.

Name:           draft-ietf-oauth-dpop
Revision:       01
Title:          OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)
Document date:  2020-05-01
Group:          oauth
Pages:          22

   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at <> .

The IETF Secretariat

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.