[OAUTH-WG] PAR Shepherd Review

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 10 November 2020 09:44 UTC

Hi all,

I am in the process of writing my shepherd write-up for the PAR document and wanted to make sure that I properly understand the document.
The introduction says:

   "This document [PAR] complements JAR by providing an interoperable way to
   push the payload of an authorization request directly to the
   authorization server in exchange for a "request_uri" value usable at
   the authorization server in a subsequent authorization request."

JAR provides the ability to send Authorization Request parameters in a JWT format protected with JWS and optionally JWE. It allows the JAR to be conveyed by value and by reference but does not define how the client would upload the JAR and how to obtain the reference.

PAR defines how the client uploads the request object and how to obtain the reference. It relies primarily on TLS to protect the communication but mentions that it is possible to also use the JWT-based approach suggested by JAR.

Both drafts claim to have solved the security issues of protecting the communication through the user agent.

Is this a correct summary?

Ciao
Hannes
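
The push-then-reference exchange the summary above describes, as an added example that is not part of the original message, the PAR draft or JAR: a hypothetical in-memory authorization server (the AuthorizationServer class, run_par_flow and the sample request values are assumptions) accepts the pushed payload on the back channel, hands back a request_uri, and later resolves that reference from the front-channel authorization request while binding it to the pushing client, allowing a single use and enforcing expiry. The request_uri prefix is the one the published PAR specification (RFC 9126) uses.

```python
import secrets
import time

# Prefix the published PAR spec (RFC 9126) uses for request_uri values.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class AuthorizationServer:
    """Hypothetical in-memory AS that stores pushed requests (example only)."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._pushed = {}      # request_uri -> (client_id, params, expires_at)
        self.ttl = ttl_seconds
        self.clock = clock     # injectable so expiry can be exercised offline

    def par_endpoint(self, authenticated_client_id, params):
        """Back channel over TLS: the client pushes the full payload and gets a reference."""
        if "request_uri" in params:
            raise ValueError("request_uri must not appear in a pushed request")
        if params.get("client_id", authenticated_client_id) != authenticated_client_id:
            raise ValueError("client_id in body does not match the authenticated client")
        ref = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)   # unguessable reference
        self._pushed[ref] = (authenticated_client_id, dict(params), self.clock() + self.ttl)
        return {"request_uri": ref, "expires_in": self.ttl}

    def authorization_endpoint(self, query):
        """Front channel via the user agent: only client_id and request_uri travel here."""
        entry = self._pushed.pop(query.get("request_uri"), None)   # pop => single use
        if entry is None:
            raise PermissionError("unknown, expired or already used request_uri")
        client_id, params, expires_at = entry
        if self.clock() > expires_at:
            raise PermissionError("request_uri expired")
        if query.get("client_id") != client_id:
            raise PermissionError("request_uri was pushed by a different client")
        return params   # the AS now processes these as the authorization request


def run_par_flow(server, client_id="s6BhdRkqt3"):
    """Walk both legs: push the payload, then reference it from the authorization request."""
    # Constructed sample payload; never sent through the user agent.
    payload = {"response_type": "code", "redirect_uri": "https://client.example.org/cb",
               "scope": "openid", "state": "af0ifjsldkj", "code_challenge_method": "S256",
               "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"}
    par_response = server.par_endpoint(client_id, payload)
    # The user agent is then redirected to /authorize?client_id=...&request_uri=...
    resolved = server.authorization_endpoint(
        {"client_id": client_id, "request_uri": par_response["request_uri"]})
    return par_response, resolved
```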
