Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-01.txt

Brian Campbell <bcampbell@pingidentity.com> Tue, 05 May 2020 21:15 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36BDE3A0B7E for <oauth@ietfa.amsl.com>; Tue, 5 May 2020 14:15:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Wec7yqhjT7V for <oauth@ietfa.amsl.com>; Tue, 5 May 2020 14:15:42 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAFB23A0B7D for <oauth@ietf.org>; Tue, 5 May 2020 14:15:41 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id t2so218964lfc.3 for <oauth@ietf.org>; Tue, 05 May 2020 14:15:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uXrdnhKnb9iNEuON+8OWr7At6fvUk3bba8EBaMYJj2s=; b=UX4MXoH/poRfBcSVtD74HgvldPqQX2lDxczTcRkgLSmETxr/nFIIjIeURW3kbCAEI7 qVYWZl2SIY29l0HlT8+wqLLedHG9hHbd5Bf7b/k+hsmSNXVp+GB/eb0xP6Nfo4uycGnj Y5OI1gTiYdZj5FggubnixlS9h7QDJTQess5xUw8gGEh8TrHjQQt+bW89j+CqLVpXiBqa br9mZ8Gt5S8pab9AmqEToc7i7oTbsD6RJAuDP2nUT+G2XhzpvxS/0Y9P9jOb4TDFe87R x7izO7oSsCidT3ep7UE4QdScjr96xqYWHKW+qE+j2vFNlo9GNYtRIfYTJHE2S55NLWqt wTkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uXrdnhKnb9iNEuON+8OWr7At6fvUk3bba8EBaMYJj2s=; b=e07n7d9EH1G3+Tpwb7EJDKvcozThUrmhy/nsrnV0H9xe6HMLiDVDnZgU3gYUSYN5ek WIXxoMwtCpRCxaYa9nHiTlT5l95pjtsFWmxBYGpRFEE7G+oFEuXLxHglE4YVS+Fy4Zg0 C4FrRDdtjU/qXGQhuJyFfu7xZgi6mSXdLSOfJ8E3APYD8rFgdq4E4q8tV2fm1BiiNFRK 4RLwuLnuEG9yemk1Xj7mxHHdLU/vbQBllAR+gHsAYRZ2VoHbzfCGij0iXRVNy8fYkFzv 1+NyOxKrNmZmAxiz/QSTo6z9c70MesVjeJM1sJ9EgejiblUZzdPlZ5Xgk6XF5ht6AF4r x2fQ==
X-Gm-Message-State: AGi0PuYPZin4JBe1qSmssA37bUj08qF+qzxGnRLxof8zIy/K9Ad6B8+k aJBSv2SruM19+ZWtnAlcLWaUaHksG4z4tBb7srkS+ERHZxAfroDHL2z4ZGnt73mxELCaE0+UQWF BlIe6iBrYiTKLbg==
X-Google-Smtp-Source: APiQypJtRcgUojR0edrZSS+SJPCbEOHfFgIFox5cFGHp+4ubQfU6EZzA7iUsMI7ORJt4XI6O2XWqK7RKxS0d7wFK+Dw=
X-Received: by 2002:a05:6512:308c:: with SMTP id z12mr2795489lfd.195.1588713339736; Tue, 05 May 2020 14:15:39 -0700 (PDT)
MIME-Version: 1.0
References: <158835743733.12112.7484502726888997082@ietfa.amsl.com> <CA+k3eCQTVqX8wv6-4vX9=0LQZ8wQO+43kiESAM4ChriM=eHUVA@mail.gmail.com> <02cb01d62311$8ce1e900$a6a5bb00$@aueb.gr>
In-Reply-To: <02cb01d62311$8ce1e900$a6a5bb00$@aueb.gr>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 5 May 2020 15:15:13 -0600
Message-ID: <CA+k3eCQjdWQ+=706FbTKb5_oO9KpVK-0xQGwgfNRjLWrW+N=Uw@mail.gmail.com>
To: Nikos Fotiou <fotiou@aueb.gr>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000043f0e905a4ed2661"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/s6TtrN412iWG2PUHGiRC76eQDss>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 21:15:48 -0000

Yes, it potentially could. But I think we *really* want to avoid
adding a challenge/response
round trip to every call. So it wouldn't be a nonce exactly and there'd
need to some guidance or something on what it is and how long it could be
used. And that could introduce new server side state. Also the challenge
doesn't exist for the token endpoint.

On Tue, May 5, 2020 at 1:15 PM Nikos Fotiou <fotiou@aueb.gr> wrote:

> Hi all,
>
> There was some discussion about adding “server contribution” in the DPoP
> proof. I was wondering if the “challenge” server response described in
> section 6 can include such a contribution (e.g., a server generated nonce).
>
>
>
> Best,
>
> Nikos
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Brian Campbell
> *Sent:* Friday, May 1, 2020 10:03 PM
> *To:* oauth <oauth@ietf.org>
> *Subject:* [OAUTH-WG] Fwd: New Version Notification for
> draft-ietf-oauth-dpop-01.txt
>
>
>
> I've pushed out a -01 revision of DPoP hopefully allowing folks enough
> time to read it before the interim meeting on Monday (apologies that it
> wasn't sooner but the edits took longer than expected or hoped). For ease
> of reference the changes in this revision are summarized below. There are,
> of course, still outstanding issues and discussion points that I hope to
> make some progress on during the interim meeting on Monday.
>
>
>
>    -01
>
>
>    *  Editorial updates
>    *  Attempt to more formally define the DPoP Authorization header
>       scheme
>    *  Define the 401/WWW-Authenticate challenge
>    *  Added "invalid_dpop_proof" error code for DPoP errors in token
>       request
>    *  Fixed up and added to the IANA section
>    *  Added "dpop_signing_alg_values_supported" authorization server
>       metadata
>    *  Moved the Acknowledgements into an Appendix and added a bunch of
>       names (best effort)
>
>
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf..org <internet-drafts@ietf.org>>
> Date: Fri, May 1, 2020 at 12:24 PM
> Subject: New Version Notification for draft-ietf-oauth-dpop-01.txt
> To: Torsten Lodderstedt <torsten@lodderstedt.net>et>, David Waite <
> david@alkaline-solutions.com>gt;, John Bradley <ve7jtb@ve7jtb.com>om>, Brian
> Campbell <bcampbell@pingidentity.com>om>, Daniel Fett <mail@danielfett.de>de>,
> Michael Jones <mbj@microsoft.com>
>
>
>
>
> A new version of I-D, draft-ietf-oauth-dpop-01.txt
> has been successfully submitted by Brian Campbell and posted to the
> IETF repository.
>
> Name:           draft-ietf-oauth-dpop
> Revision:       01
> Title:          OAuth 2.0 Demonstration of Proof-of-Possession at the
> Application Layer (DPoP)
> Document date:  2020-05-01
> Group:          oauth
> Pages:          22
> URL:
> https://www.ietf.org/internet-drafts/draft-ietf-oauth-dpop-01.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-dpop-01
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-01
>
> Abstract:
>    This document describes a mechanism for sender-constraining OAuth 2.0
>    tokens via a proof-of-possession mechanism on the application level.
>    This mechanism allows for the detection of replay attacks with access
>    and refresh tokens.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._