Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

Denis <denis.ietf@free.fr> Mon, 30 November 2020 15:45 UTC

To: oauth <oauth@ietf.org>
References: <CADNypP-ef3z6WJ1DDOBhmh0CN4kRK_VACkzFaCLVxA3zCoEx0A@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <1b584adf-14f9-ba2e-657d-f22b57d87675@free.fr>
Date: Mon, 30 Nov 2020 16:45:20 +0100
In-Reply-To: <CADNypP-ef3z6WJ1DDOBhmh0CN4kRK_VACkzFaCLVxA3zCoEx0A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wkJKGMKQwCSbG0FlxGAum9mZRQs>
Subject: Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

One comment on slide 5 about the /time window/.

At the bottom, on the left, it is written: "Only valid for a limited 
/time window/ relative to creation time".

While the creation time is defined by "iat", the /time window/ is 
currently left at the discretion of each RS.

It would be preferable to mandate the inclusion in the JWT of the exp 
(Expiration Time) Claim.
In this way, the /time window/ would be defined by the AS using both the 
"iat" and the "exp" claims.

This would have the following advantages:

  * The client will know whether a token is still usable and is unlikely
    to get a rejection of the token because of an unknown time window
    defined by an RS.

  * The RS is able to better manage the "jti" claim values, because it
    will be able to discard "jti" claim values as soon as they are
    outside the time window defined by the AS in a JWT.

Denis
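To make the two options concrete, here is an added Python sketch (not code from the DPoP draft, the slides or this thread) of an RS checking a proof JWT's time window and its "jti" replay cache under both policies: a window the RS chooses on its own from "iat" alone, versus a window carried in the token as "iat"/"exp". The token layout, the claim values, the 30-second RS default and all class and function names are constructed assumptions; signature and JWK verification, which a real RS performs before looking at any claim, are deliberately left out so the time-window logic stands on its own.

```python
"""Time-window and "jti" replay handling for a DPoP-style proof JWT.

Constructed example: compares a window chosen by each RS from "iat" only
with a window carried in the token itself as "iat"/"exp".
"""
import base64
import json
from dataclasses import dataclass, field


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    # Compact JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_proof(claims: dict) -> str:
    """Build a stand-in compact JWS (constructed; the signature segment is a
    placeholder because signing is not the subject of this example)."""
    header = {"typ": "dpop+jwt", "alg": "ES256"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "signature-placeholder",
    ])


def decode_claims(jwt: str) -> dict:
    """Return the payload of a compact JWS. A real RS verifies the signature
    and the JWK header first; that step is omitted here."""
    _header_b64, payload_b64, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload_b64))


class RsDefinedWindow:
    """Current behaviour: each RS picks its own window relative to "iat".
    The client cannot know this value, so it cannot predict a rejection."""

    def __init__(self, seconds: int):
        self.seconds = seconds

    def valid(self, claims: dict, now: int) -> bool:
        return claims["iat"] <= now < claims["iat"] + self.seconds

    def expires_at(self, claims: dict) -> int:
        return claims["iat"] + self.seconds


class TokenDefinedWindow:
    """Proposed behaviour: "exp" is mandatory and the window is [iat, exp),
    so client, AS and RS all agree on when the token stops being usable."""

    def valid(self, claims: dict, now: int) -> bool:
        if "exp" not in claims:
            return False  # mandatory under the proposal: reject if absent
        return claims["iat"] <= now < claims["exp"]

    def expires_at(self, claims: dict) -> int:
        return claims["exp"]


@dataclass
class ReplayCache:
    """Remembers seen "jti" values only until their token's window closes,
    which is the eviction rule the "exp" claim makes possible."""

    _seen: dict = field(default_factory=dict)  # jti -> expires_at

    def check_and_store(self, jti: str, expires_at: int, now: int) -> bool:
        self.purge(now)
        if jti in self._seen:
            return False  # same proof presented twice within its window
        self._seen[jti] = expires_at
        return True

    def purge(self, now: int) -> None:
        for jti in [j for j, exp in self._seen.items() if exp <= now]:
            del self._seen[jti]

    def __len__(self) -> int:
        return len(self._seen)


def accept(jwt: str, policy, cache: ReplayCache, now: int) -> tuple:
    """RS-side decision for one proof: time window first, then jti replay."""
    claims = decode_claims(jwt)
    if not policy.valid(claims, now):
        return (False, "outside time window")
    if not cache.check_and_store(claims["jti"], policy.expires_at(claims), now):
        return (False, "replayed jti")
    return (True, "ok")


def demo() -> dict:
    # Constructed proof: issued at t=1000 with a 60 s window declared via "exp".
    proof = make_proof({"jti": "jti-constructed-0001", "iat": 1000, "exp": 1060})
    out = {}
    # An RS that silently applies its own 30 s window rejects a token the
    # client still believes to be usable.
    out["rs_window_at_1045"] = accept(proof, RsDefinedWindow(30), ReplayCache(), now=1045)
    cache = ReplayCache()
    out["token_window_at_1045"] = accept(proof, TokenDefinedWindow(), cache, now=1045)
    out["replay_at_1050"] = accept(proof, TokenDefinedWindow(), cache, now=1050)
    out["cached_before_exp"] = len(cache)
    cache.purge(now=1060)  # once "exp" passes the jti can be forgotten
    out["cached_after_exp"] = len(cache)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the two points made above side by side: with an RS-chosen window the same proof is refused at t=1045 although the client considers it valid until t=1060, while with the window carried in the token the first presentation is accepted, a second presentation of the same "jti" is refused as a replay, and the cache entry can be dropped the moment "exp" is reached.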


> All,
>
> This is a reminder that we have an Interim meeting this Monday, Nov 
> 30th @ 12:00pm ET, to discuss the latest with the *DPoP* document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> You can find the details of the meeting and the slides here:
> https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth
>
> Regards,
>  Rifaat & Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth