Re: [OAUTH-WG] WGLC on Pushed Authorization Requests draft
Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Wed, 19 August 2020 09:41 UTC
Return-Path: <karsten.meyerzuselhausen@hackmanit.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 964AC3A16DF for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2020 02:41:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.847
X-Spam-Level:
X-Spam-Status: No, score=-2.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.949, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hackmanit-de.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rQ6CdSUALKUE for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2020 02:41:25 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 902093A11C1 for <oauth@ietf.org>; Wed, 19 Aug 2020 02:41:25 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id c19so1278529wmd.1 for <oauth@ietf.org>; Wed, 19 Aug 2020 02:41:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hackmanit-de.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=j/JXyOL/TBFAty+0gA48nNRZc3S/e6z0NKy9EhXdFaw=; b=ThjeZATyDqY19wcfps1BNNn4v7ctQYSU+MdAGTu7X6nQG2GBr5z57h6HkA+iroTZ1j wySS0y4V+Kc3uS1OVzEmb3xguPdzGU7Awj2dl2jzWEpkkFE/JFQmRXuI1dL9czOSoc/B qdDKnHbvvsGlEERV2toH+M20UY9uNxkkkQOsPGsWZ0YWXZ80lp8rAeM9cCoIRtA9qrRP mXByw5/LQXIlWFyEYeJTgx8ZS0AHrS1lH/8dl3ubnhpdSTeK3rrtmWO3DXtnun3INncR MHdI4Wd311ofRnMq4jR+ZZDe2W5Uu7MgHNXXPpqOyddxg3AVkRgZqHtZ3cj7gd6UeesY VKBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:autocrypt:message-id :date:user-agent:mime-version:in-reply-to:content-language; bh=j/JXyOL/TBFAty+0gA48nNRZc3S/e6z0NKy9EhXdFaw=; b=uOKyRWyKY8dlELi9xEV4yo6RRM9+FFXiy/f7yMHH7jPPUHsxB12KkeglmWTuiITm3m DXQZCZHbCgyOyZCe+3p4mtYyCRLpbUFQtpkmcmu1bsid2aPzhxVwZLj1CTWIRDiSxyug y6cPtVHyQS8TyWYm3NZqOZNajhLbYXAw5cOXUTFm2Hmih38mmspDemVcUQCBi9iJNFZU DWCURkY718G++8p2PM9hr6XPGiznVRmYtiF7qbqIDrN2nNnjLmIjrV56h2/+mMRJVTYi CLkZzKvTBImPOeazn4KFbB1rYb/wIEpvfEy6/KGxK7sAxvRJMcyVFkIqpKtxog6Ks8PA SZpg==
X-Gm-Message-State: AOAM5311sy54URdKKVj83mGveUyRiOOMP3zTFYL752EobqL35foDVZV5 7jn8SGG6np+E3+pN6kS7cIeV8sRDpnta4Q==
X-Google-Smtp-Source: ABdhPJxLXni3x3w3US5TaBgwQ0N2FKzBnoKYFpeBmf7ciSUAcw13DTC3kzbjYKfQzzUAKPtRlFK73g==
X-Received: by 2002:a1c:cc0c:: with SMTP id h12mr3842282wmb.57.1597830083406; Wed, 19 Aug 2020 02:41:23 -0700 (PDT)
Received: from [192.168.178.22] (b2b-37-24-87-133.unitymedia.biz. [37.24.87.133]) by smtp.gmail.com with ESMTPSA id q5sm38452645wrp.60.2020.08.19.02.41.22 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 19 Aug 2020 02:41:22 -0700 (PDT)
To: oauth@ietf.org
References: <CADNypP8QkcjcMpfug-GnbTP1ODUu+LgrSx-MTjVeQztbivGbhA@mail.gmail.com>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Autocrypt: addr=karsten.meyerzuselhausen@hackmanit.de; keydata= mQINBFh1IBMBEADV73c10lB7zeFy6/ezLFzOBp8z6Zy1zUyIrf6RoBk1GQWREcGEGeaL90Pj F5plZeASVJdsEYnYXdgcIPE0tlBq6al6OYoWtH/VbFPWEPLVhA3rL1iXVJveD3J40OzSYP8N G7bla3zQ2+TXOB3iDPPsHZUdHCLASkIIWQK6+fE1C2epAdPtnsLsb++1d080jfXXwgyUUh4y bimcy9Jg5oZ4QMwnSq3Y+x38PNb+nTgjDi1X/89/WsNd7Bdh4Zvw3CAuc/W58CFaDjb7liUD YRoAp6ysnjPKEUSnAnMpgaiXJc1gFoL+ahdKJ3D9XTn28NTjUrvOkVidsuKbyxnXP9I6BO6i 2jzjrH6TEAfIYMjZlYTyPZTt271SW5iAHYwvPZWlqQTBT2P/d4gHl0To5b4e+UXxjQgxqUyi QIcxh3Ris21Kx4lKQKDXYWiwNTZzx8AdqrcxCWfK+MRpFyk0B+4uDMm7Apm5ZWwDKN/JnVsJ yokkkrrHs/elRCUGtN9NyhJQf3VnE87862Pej8PVvQJr3uVnoNX2yieTvJZftIOBG1b9ta6Z BcYyn3un1rSn7lBPg+RSnPemposVorQpjGwT+Dhg13Bpv5q0JfSc//js/nB6A4iq5YssdtQ7 35QBWLLaF1oCxalvrQVDD4Sh06eAUQsga9xeE0yv7sxqdsozdwARAQABtEJLYXJzdGVuIE1l eWVyIHp1IFNlbGhhdXNlbiA8a2Fyc3Rlbi5tZXllcnp1c2VsaGF1c2VuQGhhY2ttYW5pdC5k ZT6JAj8EEwEIACkFAlh1IBMCGyMFCQlmAYAHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK CRBFNcDn2xbxSK7sEAC5hk0VQHo2+fMV3b4TgSt4qSPLz6EnWwoqcEzUGYHErQXy7tCENpqS rsZsFphpgvWo1tcQdpyQTFm0dry4ASJD78lEiYC/8Hedp0fIaJTGwxrSLpRxV/Wb+iqkbgz8 /Qydl3QyupSqznSHQMd0uhvzHLxoYvHAIKy52gCK0T9gmxcCIh7UEjDfm+kqHp+oU4sbNe+2 ZEtJLuCKW+amNyqnHXr7ehAIaYmTdKOEcUb2UM7Yzp9g4kSkg1GbPlAn6yjyAqJ96sobKFXX S3rkXksRTxkGKW278Nrs4UBO+OIu32kIXCM2m3fKaUK777jAQu1e8sdj2nL0sPWQvMikZRx6 0dy+wVuH8gGHZsd7rW201Sv5pAhSAK4l58GS3xSLId6smXCend9Vu+tcYA+Bb+45943LmoPA PrdIUeI+zC9pjGwm+x+jFiCxbChqAiJF7RyYv9crziEYnTQ70gHGNOTOTIS5t0ufc9D4wD4O IkkrPQYg3KcAqP2Kyj1uHcqdk7XEhV1fdTXdeEt1e7auWPh0d3Fo+BTtiGXfNMuORArE0El6 ky8eUOqZEJ8rYpEGDLt0JFkJM5AhX4PrQWekjaMhQ5yl/+M+Ss0V0JkImagSgWdvUn1+eAs0 zEuVxTc6ON69mIyMalQ5d4ofvPnKr3GNVmEiXAVDMGUZHoeabfgSBbkCDQRYdSATARAAsp2V mr3N7iNND8+M/OyA/OwcDQ6utZh+m4TnKsOVdiNLGpu2U3/2Qg3yrbjic2dWx1CsS6VH2/oO 1e/a4FlxA93wFv/OZjiUjHtEvdIJeHWlCvWOUlMsqyGDc3Q75fNjFw6DGKkiOu9lZaBs6naS BmkvAMGjV5bNKLyIL5j7Im1pCdZ2lCjD7eVwR3RQQKobTmu916htX8g1cB9yFmquu37X+ZBl A4GLJi63Kw0L2r8i8iO1NqDLOfT8IeNkOroEm3SDAuEApGAubKLSPBJ1khQ7kDhpdfzSYKUF tiIHpGWVOImDjqf4JIcF7OIdRPQfFPlwoPnsyBAS8znQJvmqbbMowgFZe3UMLAN78CETZHGM OLBPB873oWyZ07Ar4v/SL5/aD+FRj2VnYEcGwt0HMmMyaN6ed8Udj4OTNZ7ceZA1Tw8/lZuI KCamj0XfJIK6376RCGnqjsEfS65P1KWZXfWphCKWp2c7uWKtau1q8pgiVRoBSAmjvfXRrIvK LhhQyNOiCUDKrvEWpoeq9y5GTrY27ncLov8nSR/SUPOw5HwJmzdFjhOF9XAOtiND/QRH886O IohdlnUu668mwLCmL2ROe7XWcTkFQWLDg+5b0bC9dgfL+HHpWGUdQPG3CCyPG5LfDmnmuXkE eU1kSD27kFe1kM6pfqpCydJW66DuwoMAEQEAAYkCJQQYAQgADwUCWHUgEwIbDAUJCWYBgAAK CRBFNcDn2xbxSAAbEACeIsfrsq2tlyigZv+bwkiVP1oKtWfXN1e3K3lDOBqPJaPXWFOopq/1 9osk58PFtVEaDlYPlN/NP6Jq5nTTC8QyLG3swAdo4ZJXWEg1NTRu8ddYUvZWuRHWRghaq7qh eW5lVPqilCndSG7bkDPU/Vyd93nPKnKTKKs/Nd7ePneWA0JQohEg5gO/GU0v5SN3YfTxG1LV Cxu3HHHFodDLK4KITSYmt1+g0WCADeclwm5+L5lIvgKQvcIpjpMGNK1wj2E3exsLlgo/ZEyS AslOPXyQw2yfYLrcfGpvWa3e+AvU7eLVBgihskpibJg53yw31B0CXAJBbjg7AsxR8UE5pl6h 2gTjN2t++GvqefGtw/bPvx2RzFsorh1/RYaFgcaFyefghmpi55iiIhgEOiSIct0LoYl3cmH8 DGYKhSskpSDgfE41Esk/P2odeax9SmJuv4mnqkiGFPpTwCfUka2k0mCpBDpfTdECWUFhreGS qFbrvJDZRBiyaVyCjOvOc0v6Z0/iIRgHWTjITpqaQh69kqAtt9GQWV6i3THnpHFlIC2ecvdc YCagneZdoLEHCS8Nois/uDbp5qZwZcF5zKMI+T7u6Qf8EGdvxCB1fp0Sdlmeto0c6/gnFUix 4J/tozBwSXSg7JCxTrUdnJtcQAJzosOUZTVO/ZZR/n0+904kud6o3w==
Message-ID: <efc8e833-c3e0-eacb-7d6a-de37df17aa0c@hackmanit.de>
Date: Wed, 19 Aug 2020 11:41:21 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <CADNypP8QkcjcMpfug-GnbTP1ODUu+LgrSx-MTjVeQztbivGbhA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------4C75E3DA72F393417BDDC041"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oij0yU-9kvd2gbd2viZizpfsKak>
Subject: Re: [OAUTH-WG] WGLC on Pushed Authorization Requests draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2020 09:41:28 -0000
Hi all,
I have two very small suggestions which I also raised as issues on Github:
1. There are no hints in front of example requests/responses if extra
line breaks are used for display purposes. I think hints such as
"(with extra line breaks for display purposes only)" should be added
to the examples. (#64
<https://github.com/oauthstuff/draft-oauth-par/issues/64>)
2. In section 3 there is a typo in step 2. I think it should be
"*Validate *the request object signature as specified in JAR
[I-D.ietf-oauth-jwsreq], section 6.2." instead of "*Validates *the
...". The imperative is used in step 1, as well. (#65
<https://github.com/oauthstuff/draft-oauth-par/issues/65>)
Best regards;
Karsten
On 12.08.2020 00:07, Rifaat Shekh-Yusef wrote:
> All,
>
> This is a WGLC on the *Pushed Authorization Requests *document:
> https://www.ietf.org/id/draft-ietf-oauth-par-03.html
>
> Please, take a look and provide feedback on the list by *August 25th.*
>
> Regards,
> Rifaat & Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
--
Karsten Meyer zu Selhausen
IT Security Consultant
Phone: +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
Unsere nächste Live Online-Schulung zur Sicherheit von OAuth und OpenID Connect am 24.09 + 25.09:
https://hackmanit.de/de/schulungen/109-live-online-schulung-single-sign-on-sicherheit-oauth-openid-connect-am-24-und-25-09-2020
Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum
Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
- [OAUTH-WG] WGLC on Pushed Authorization Requests … Rifaat Shekh-Yusef
- Re: [OAUTH-WG] WGLC on Pushed Authorization Reque… Joseph Heenan
- Re: [OAUTH-WG] WGLC on Pushed Authorization Reque… Brian Campbell
- Re: [OAUTH-WG] WGLC on Pushed Authorization Reque… Brian Campbell
- Re: [OAUTH-WG] WGLC on Pushed Authorization Reque… Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] WGLC on Pushed Authorization Reque… Brian Campbell
- Re: [OAUTH-WG] WGLC on Pushed Authorization Reque… Denis