Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-03.txt

Filip Skokan <panva.ip@gmail.com> Fri, 09 April 2021 07:45 UTC

From: Filip Skokan <panva.ip@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Fri, 09 Apr 2021 09:45:06 +0200
Message-Id: <F37BACD5-6D66-45DE-8B50-DC9265128376@gmail.com>
References: <MW2PR00MB0426A27B97B4C96D29604C6CF5739@MW2PR00MB0426.namprd00.prod.outlook.com>
Cc: bcampbell=40pingidentity.com@dmarc.ietf.org, oauth@ietf.org
In-Reply-To: <MW2PR00MB0426A27B97B4C96D29604C6CF5739@MW2PR00MB0426.namprd00.prod.outlook.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (18D70)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/znteIM6_oiGV6rVIrdf0eTCBmbk>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-03.txt

I would support that too, but only if the way it's calculated gets aligned as well. If it remains a fixed sha256 of the whole token rather than what at_hash does, using a new claim makes sense.

Sent from my iPhone

> 9. 4. 2021 v 5:38, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>:
> 
> 
> I had expected that we would use the existing member name “at_hash” for the access token hash value, rather than the new name “ath”, since there’s already precedent for using it.  Could we change to the standard name for this when we publish the next version?
> 
> Thanks,
> -- Mike
> 
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brian Campbell
> Sent: Wednesday, April 7, 2021 1:30 PM
> To: oauth <oauth@ietf.org>
> Subject: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-03.txt
>  
> A new revision of DPoP has been published. The doc history snippet is copied below. The main change here is the addition of an access token hash claim.
> 
>    -03
> 
>    *  Add an access token hash ("ath") claim to the DPoP proof when used
>       in conjunction with the presentation of an access token for
>       protected resource access
> 
>    *  add Untrusted Code in the Client Context section to security
>       considerations
> 
>    *  Editorial updates and fixes
>  
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Wed, Apr 7, 2021 at 2:16 PM
> Subject: New Version Notification for draft-ietf-oauth-dpop-03.txt
> 
> 
> A new version of I-D, draft-ietf-oauth-dpop-03.txt
> has been successfully submitted by Brian Campbell and posted to the
> IETF repository.
> 
> Name:           draft-ietf-oauth-dpop
> Revision:       03
> Title:          OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
> Document date:  2021-04-07
> Group:          oauth
> Pages:          32
> URL:            https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
> Html:           https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.html
> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-dpop-03
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-03
> 
> Abstract:
>    This document describes a mechanism for sender-constraining OAuth 2.0
>    tokens via a proof-of-possession mechanism on the application level.
>    This mechanism allows for the detection of replay attacks with access
>    and refresh tokens.
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
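The naming question above hinges on how the two hashes are computed, not just what they are called. The short script below is an added example (it is not code from this thread, from the DPoP draft, or from any of the participants) that computes both values for the same access token: the DPoP `ath` as the thread describes it (a fixed SHA-256 over the whole token, base64url-encoded without padding as JOSE values are), and the OpenID Connect `at_hash` (hash algorithm chosen from the signing `alg`, then only the left half of the digest). The `verify_ath` helper, the alg-to-hash lookup and the sample token are assumptions made for this illustration; they mirror the definitions but are not taken from either specification's text.

```python
import base64
import hashlib
import hmac


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JOSE uses for hash values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dpop_ath(access_token: str) -> str:
    """DPoP 'ath' as discussed in the thread: base64url(SHA-256(ASCII bytes of the
    whole access token)). The algorithm is fixed and the full 32-byte digest is kept,
    regardless of which 'alg' signs the DPoP proof."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


# Assumed mapping from the numeric suffix of a JWS alg (RS256, ES512, PS384, HS256 ...)
# to the hash function OIDC Core prescribes for at_hash. Algs without such a suffix
# (EdDSA, none) are deliberately rejected rather than guessed.
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def oidc_at_hash(access_token: str, alg: str) -> str:
    """OIDC Core 'at_hash': hash with the function matching the ID Token's 'alg',
    then base64url the LEFT HALF of the digest (e.g. 128 bits for RS256)."""
    try:
        hash_fn = _HASH_FOR_ALG[alg[-3:]]
    except KeyError:
        raise ValueError(f"unsupported alg for at_hash: {alg}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def verify_ath(proof_claims: dict, presented_token: str) -> bool:
    """Resource-server side check (assumed helper): the 'ath' carried in the DPoP
    proof must match the access token actually presented with the request, so a
    proof cannot be reused with a different token. Constant-time comparison."""
    expected = dpop_ath(presented_token)
    return hmac.compare_digest(str(proof_claims.get("ath", "")), expected)


if __name__ == "__main__":
    # Constructed sample token; any opaque or JWT access token string works.
    token = "example.access.token-not-a-real-credential"
    print("ath     (DPoP, SHA-256, full digest):", dpop_ath(token))
    for alg in ("RS256", "PS384", "ES512"):
        print(f"at_hash (OIDC, {alg}, left half):    ", oidc_at_hash(token, alg))
    # Same name would imply the same computation; these values show it would not hold.
    print("RS256 at_hash equals ath?", oidc_at_hash(token, "RS256") == dpop_ath(token))
    print("proof with correct ath verifies?",
          verify_ath({"ath": dpop_ath(token)}, token))
```

Running it shows why reusing the `at_hash` name without aligning the computation would be misleading: for an RS256-signed ID Token the two strings share their first 21 base64url characters and then diverge, because `at_hash` encodes 16 bytes and `ath` encodes 32, and for ES512 or PS384 the `at_hash` input hash changes entirely while `ath` stays SHA-256.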