Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-dpop-14: (with COMMENT)
Daniel Fett <mail@danielfett.de> Thu, 13 April 2023 09:57 UTC
Return-Path: <mail@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B65E4C15DD6A; Thu, 13 Apr 2023 02:57:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ruo-5mH2p1af; Thu, 13 Apr 2023 02:57:54 -0700 (PDT)
Received: from mout-p-102.mailbox.org (mout-p-102.mailbox.org [IPv6:2001:67c:2050:0:465::102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90118C15AE03; Thu, 13 Apr 2023 02:57:38 -0700 (PDT)
Received: from smtp102.mailbox.org (unknown [10.196.197.102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4Pxw3x3JsTz9sd1; Thu, 13 Apr 2023 11:57:33 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=MBO0001; t=1681379853; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=WW88hve3Pavcz2/18fYwo2nb6oVM2fxdKXndHXlDBVs=; b=Deoex6wqVKZ3QtGkScjefCmfrSmgyJ3GtOI5LhlUaW/K0IRkyWSWX/+xEuWPCJKcp2V22Z DmZR5WdYz4nLcfJmBC/2mVOQqH1kdbd2bm9cWYYd0cfDuymPDbuNSgrgz5kw5zVRqtoFt7 hhAf9j7xDnc14RpdPsagdjGV3pF4rADRs5sUIHmpQG5Fl8etnmgt8HtBddvMrkUz6s8m5J 7qqnleGfLF4Kbb6VSTAui4DGIxsJq6M9akpqX5WQj/LKP+/r/p2j/978WNxhBlPet5xmKM 1oIyA1dItPADLVUqmyUitnPhyI25DZD7Njrk4/MpaPdr5/tCCPwrGPDeozwXAg==
Content-Type: multipart/alternative; boundary="------------Z6qT6Uv1ocsSb5ePAMAG6sCv"
Message-ID: <f986ca85-107c-e188-ab3e-8a598a15fff3@danielfett.de>
Date: Thu, 13 Apr 2023 11:57:32 +0200
MIME-Version: 1.0
Content-Language: de-DE
To: Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-oauth-dpop@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org
References: <168136473925.47942.15916667064692286122@ietfa.amsl.com>
From: Daniel Fett <mail@danielfett.de>
In-Reply-To: <168136473925.47942.15916667064692286122@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/r6EBzuZbH0cwyCfuMePkyeWpG6o>
Subject: Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-dpop-14: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2023 09:57:59 -0000
Thanks for your comments, Murray! Replies below. Am 13.04.23 um 07:45 schrieb Murray Kucherawy via Datatracker: > Murray Kucherawy has entered the following ballot position for > draft-ietf-oauth-dpop-14: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer tohttps://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Most of the SHOULDs here seem unsupported to me, in the sense that I'm not > clear what interoperability breaks if I decide not to do what it says. Some > prose about that would be helpful to include. Looking at the draft again, we have only a few SHOULDs and for all of them I think it is clear what the consequences are of not doing it. For example, the first one reads "To reduce the likelihood of false negatives, servers SHOULD..." which implies that not following the SHOULD means risking false negatives. The other instances are concerned with providing information to clients in DPoP challenges. I think it is sufficiently clear that not providing this information may make it harder for the client to respond properly and to debug errors. At this time, we do not see the need for additional explanation for any of the SHOULDs. > > I know this isn't the first OAUTH document I've reviewed, but I still find it > strange that claim names are not quoted or in all-caps or something. In prose, > they just look like typos to me. As I wrote in the thread for Step-Up Authn: "Since the same comment was raised also for DPoP, my two cents on this: We discussed this very topic when finalizing RFC9207. Back then, we noticed that when using the correct markup in the XML (<tt>), the HTML renders fine (gray background, monospaced font) but depending on how the textual format is created, there may or may not be quotes around the parameter. Adding quotes manually in the XML source does not make too much sense as they'll needlessly show up in the HTML as well. IIRC there was some version of xml2rfc that added quotes around <tt> parts but that was removed again. So the consensus was that prioritizing proper HTML output makes sense and we did not add any quotes (with the blessing of the RFC editor)." -Daniel > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Murray Kucherawy's No Objection on dra… Murray Kucherawy via Datatracker
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Daniel Fett
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Murray S. Kucherawy