IETF Logo Mail Archive

Re: [regext] [EXTERNAL] I-D Action: draft-ietf-regext-rdap-openid-15.txt

Rick Wilhelm <Rwilhelm@PIR.org> Thu, 23 June 2022 20:07 UTC

Return-Path: <Rwilhelm@PIR.org>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B94EC159496 for <regext@ietfa.amsl.com>; Thu, 23 Jun 2022 13:07:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.809
X-Spam-Level:
X-Spam-Status: No, score=-6.809 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pirorg.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mz2ccb_8h8Pz for <regext@ietfa.amsl.com>; Thu, 23 Jun 2022 13:07:11 -0700 (PDT)
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2175.outbound.protection.outlook.com [104.47.59.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69F53C15948A for <regext@ietf.org>; Thu, 23 Jun 2022 13:07:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FxQVRgnRbjXCci/HDXrnbD+l2/witpTjMBLQIciOCJeOJv+nALl5KFcXIuG21rE4Tw6pboKRDP9BwFEGwP9wybNs0WHtLsrgtvrEg13vA7rkDpKtsbs4e//DxLBrU4oMZ6cjrdp4akNlBGDBCfYEkFcXI1ssB8Y6lilUAtlhlK+y+Jo+ZZgqc6QM6d119livLvMkrBjd7q5v/zKy2W1gwBjqVQVsKSGw0yk1XpuaLSA9KgGnJ/3Xunbe+2LNd1vVi5XFu3EEXmUS5shcWPAwdylhrRcOmGT8wkA2HKFU7Um/YJASSC4rexhcPozDc5x6nexN2ADKST0k4Meudd8ayA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=BDVROPgF+E7k7/YFL5qdgiaAJ/J+sDzNq3tVqMQq3wk=; b=k9XD+vbHvsAGqunrieYJKljKpSRV0NPjk0VxhfnpS3kV3cmx4c+LnvWeekM9Zm9ivyODHWmH4vdzqgFKsD1JVke9zSFuDF2LU4Rpo0ZthYO4ZaRedL14N38g6OHCVy94LLjwEOD24PSgIMPyfxzZts91ORFczFLQ3QuvNBGsUIQ0XWd2LMa5jmkzNegNxg1xH3hQFkJK5WpTaO/ZHOBMkLBo8lrMazhQpySrZAPVMjUcC/p30K55ZyV1EuNilMPZP74qzo9VOMWEZXZRbGnJXeqAqHbUf4vJFN8rUsyX8q2rHhZMX4Bju7fwY1R5MYm34x+ap7kIdba3dJIvlSHMxg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=pir.org; dmarc=pass action=none header.from=pir.org; dkim=pass header.d=pir.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pirorg.onmicrosoft.com; s=selector2-pirorg-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BDVROPgF+E7k7/YFL5qdgiaAJ/J+sDzNq3tVqMQq3wk=; b=R3IhZmvSAu+BFWpy71k3X0hKsM4UA6taEl0Pd/YeFUhtu+3CITEpg6F2NNop8AuJ/WlcOClbmy5YA7wk2rKwuOKm6r3yC8tCns8T+/RzPbKF58d5/sPORTQp8PbwZlSpwerIVYEPExdK1nC12L26vtddVnZPUxWp3TR3MgbiNPc=
Received: from BY5PR10MB4179.namprd10.prod.outlook.com (2603:10b6:a03:206::8) by MN2PR10MB4334.namprd10.prod.outlook.com (2603:10b6:208:1d9::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5373.15; Thu, 23 Jun 2022 20:07:05 +0000
Received: from BY5PR10MB4179.namprd10.prod.outlook.com ([fe80::840a:d0d9:d57:9f5f]) by BY5PR10MB4179.namprd10.prod.outlook.com ([fe80::840a:d0d9:d57:9f5f%7]) with mapi id 15.20.5373.015; Thu, 23 Jun 2022 20:07:05 +0000
From: Rick Wilhelm <Rwilhelm@PIR.org>
To: "regext@ietf.org" <regext@ietf.org>, "Hollenbeck, Scott" <shollenbeck@verisign.com>
Thread-Topic: [EXTERNAL] [regext] I-D Action: draft-ietf-regext-rdap-openid-15.txt
Thread-Index: AQHYgahQ3qITqkk8sUi1QaJ5gvDQJq1dBYmw
Date: Thu, 23 Jun 2022 20:07:05 +0000
Message-ID: <BY5PR10MB4179B2C81239396CEA5C0FEDC9B59@BY5PR10MB4179.namprd10.prod.outlook.com>
References: <165540128008.60709.5285260183313271799@ietfa.amsl.com>
In-Reply-To: <165540128008.60709.5285260183313271799@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=PIR.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 804a155a-991b-46c0-3b89-08da5553f20a
x-ms-traffictypediagnostic: MN2PR10MB4334:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: RL8KASLAES23NUj7pfHa3iuvTZQLkUd6IFpzx66zyF72p8M52dATu9J7MOQKX9um5XYfSRcgzrHgTfIHzKASN+FX1pobyd9bxUa6oo32yamw6MGsgriG6NhQZYBMEG4uLeNK6UNKvHisNL0UEJPZZnfacAy+y0j8hyKv0nDd76dbgPnXe+YKGzHoJdvWHmmBwWgnQbDbwQ90SWeqPc40Plk6jZvB1xA46hnzfyI6XXE2yZguTQw16fuaO1AIYdfow5iaOv9MBYD6vEVGyVp6N9HsGBd5Em/6keT6krFKCPXxsHCG1n2ZhG6iJyrHmL19pGBbTrZPjLxXuEU6qiQXRYUy7aqn32i90u0fKEEEXlpa14j8kVv8JH4WooSwM8bHsZifWP9Nma7C0YpT5pgjR+Fkfq4UX32lV0OxV34Hofpy2wDCuI7zXsOsIweMdv2tdHY7lj30KrO1rJjUp1aB6l+Z8AL8CwHB7sutPhb1sc81oiEHjToW9SMGUxm3G49BupnrZVOf0BgcTuzFPeJKdBSpOGli/9hEGdT15xsyf9Rz5mGXHYnH8UgYvseAZih4cBcV9bHSqJMNn7DaNfh/HzGtQW24WgFmv3LdEIODxlesQ4jAZQsFAZTIMtKo6l4Lr1st0NQZewqhn4GrABPXpcbsX8aQWOvrF1umTyE5B52znstzflprNmGUi564yHQHr8zkp0p331ZURT1+BSv6YD+07qld4HY0gufqrNqUMaCVbiMyxUwuh083dixS5UZMHrkDVvkles17CBD7125HJ1k3TSt0b6z91aOL+61BC2kIJdL6pAekmz4k2Km+mcslNxO7rqZD6wpb3S5mSWMLxFyJqwcqDZcvH4xa99WxvRM=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR10MB4179.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(39840400004)(136003)(366004)(376002)(346002)(396003)(316002)(66946007)(66446008)(66556008)(64756008)(966005)(66476007)(91956017)(76116006)(26005)(8676002)(478600001)(71200400001)(30864003)(55016003)(52536014)(8936002)(2906002)(5660300002)(110136005)(38100700002)(86362001)(38070700005)(122000001)(33656002)(6506007)(53546011)(9686003)(7696005)(41300700001)(166002)(186003)(66574015)(83380400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: QxzAK1IjDW6BOTsywhMC3Ei4tRdUV2SaB32mHIdgfYlQHDLVE96ClmvTvbTdqzgPNcsOVakxZsEtBEWG6yki56pddfI6iP5MeWtYE1Jza5mvKOsfWGVeiAcsnYivnFPU1afwz5gBLSkuGYgFpoIZQZFieH4EIS00QHlLWqCkksX9ZyGjZ5qHN4aFQV4JDSRPKSxgqcKKj02l3E9numZkwWEQrF0l7DCVCZaWybdXCzhB7P+xV8jBZn8aZTqQsx8ib+sHNE5mN9wy4VA7cQqQbaxx6C8FbL2XL5TN3cvh6Z4xfwzvy75Gfdo5RB1OV/hb5oCTe1hwqzUteLNPNfPLEF7YcWUvh2/pMxceQGMXkcaxKGsreC1VanCgl3WIDLAJjUsaYl+6UEgMpqDKjdqjBTQ8pJBK4fhAkeSEFl+fc8kqGxmrvS8C1FaYVhDZmWiKYEFT+dBQ8fC56LKuaOAqos9tgc/2cH74ayoUM4QnHOJ6ePka+wcwQWBLnAqzS9liq6v92r4euyhcj6haObC1ruwgPTFhV50K/V7m9Fxyg5CK21YJy8E9OEUz0Dglq0OyYpPOm3A0UlRy9UViu26sY9Cff1ELsQb62xbfT+i9SUPmIXcQcU8RBlO0hzP5uFltfk04Eyb0U1+qb0O+j0QOBNw5hpNgVrHsG2hwUQoSRHz0itrnoqYZ717JOxXQrLO8VCI0tHbp5OLQ5pvqxhBokH6NPZO749dzvzfAR1aOObCIiA71tGjPdqEI59ZtGYywXnjzsXCNlW5uN2MJHOGElHAuPe+PlXBhY64JwXk/Gs27jCZng5Y2drKSSNQx3AzVhii6kTwaa+HeZDOFeGjkC8rAW9M7IBufR0Tm4OTGEj7NWaWBMWpzkVtyuyRin9cB5uogxP2n3Cute8cDnAlHuH3n17jQpIoGcXBQLMSFvgM0fN1zmk02jbDoHMmgiEHqrQ5IWDlUJMwofaEKqYcxj1TO2/vxUF5TKdYX5LZvWEme+sSLte7WlJ5x3e5KY03WCY/VDxKi9cOUW6513vvio0qalNoe0K+JS+KHS+h/6XeHqs/CIh/D22qswOGxvbq8aDfvl+hFSngXD2NMgs4xIGh99PL03TfcZ8855zMN5PC3qHGbwcIDwrTrXTfgeZx+Uks+RQNxDZbeYdE2GNNcGR8qQRRPXeCwLeEA3H++BphL+HkOI0TQg3UhfQsNoHiaAKY7uTLVB5e9siLhKjBbl4iK8LdOJL+KGY9TCwkD6zTG822MkEZydznhu2PF/jbR3vDWVY2paoNMrYFlnakHPU1LZhSH9wGN5XleV7q+yVGWLtKBGBijmngTA8//9BXyshUdyIHjpcPcOfgyLv+m8CUwY9E0S5ToruuMylDFeUZsFHuxocbjbHboi9I0iS/VlRUC5rC1G3fPvJAhCJslu3U3goXpert7VKhrja7aaNgHhsg4CKHu1ds1Na3inSir1Rtn+kd9u207Ev1DXSWxbgvIwnMUyV8/sclj1wlfHY8Ar8Pq68am8aPNq4wLyEat41r1WKlAyBO85vBfVBkDZyjZ7YWkafR2Y3N2jV6ltheKUO9M8z3IN52FW0CDzaEC4vg30zm8jsKZVpdxstBiOQ==
Content-Type: multipart/alternative; boundary="_000_BY5PR10MB4179B2C81239396CEA5C0FEDC9B59BY5PR10MB4179namp_"
MIME-Version: 1.0
X-OriginatorOrg: pir.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR10MB4179.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 804a155a-991b-46c0-3b89-08da5553f20a
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jun 2022 20:07:05.7281 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6c8ced78-b98f-4fa4-b6df-38beaa0d935d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: YqLuEj33XoKpf26ZdNJlB53QFeVA7vX75jv/vg6iiKKuXPuSybR+u+ydnWexNwiD32nQ4h6cGP8XtBY3ulnOew==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR10MB4334
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/fTLuf4pnB8J6ubHgXWGLqGL6XdA>
Subject: Re: [regext] [EXTERNAL] I-D Action: draft-ietf-regext-rdap-openid-15.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2022 20:07:18 -0000

Scott,

Thanks for your ongoing work on rdap-openid.  I am, by no measure, an expert in OpenID, so some (all?) of this feedback may miss the mark.  But perhaps some will be helpful.

I don’t think that any of the below is new to the -15 version.  (The second item is from -14).  But I’m hoping that this feedback helps to move this draft forward, as I think that it’s an important step for RDAP.

These are in the order provided in the doc, not in any order of importance.

First some more macro things:

Section 3.1.1:  Terminology

For this section, which currently focuses on RDAP terminology, I think that it would be helpful echo something like the terminology section of RFC 8414 (an Informative Reference from 12.2).    Pasting a snippet…

   This specification uses the terms "Access Token", "Authorization
   Code", "Authorization Endpoint", "Authorization Grant",
   "Authorization Server", "Client", "Client Authentication", "Client
   Identifier", "Client Secret", "Grant Type", "Protected Resource",
   "Redirection URI", "Refresh Token", "Resource Owner", "Resource
   Server", "Response Type", and "Token Endpoint" defined by OAuth 2.0
   [RFC6749]; the terms "Claim Name", "Claim Value", and "JSON Web Token
   (JWT)" defined by JSON Web Token (JWT) [JWT];

(I’ll offer that JWT := RFC 7519, already a Normative Reference.)  The actual text would need a careful edit, I just pasted this.


Section 4.5:

Regarding the text:

   Alternatively, an RDAP server MAY implicitly attempt to refresh an
   access token upon receipt of a query if the access token associated
   with an existing session has expired and the corresponding OP
   supports token refresh.  The default RDAP server behavior is
   described in the "implicitTokenRefreshSupported" value that's include
   in the "roidc1_openidcConfiguration" data structure (see
   Section 4.1.3).  If the value of "implicitTokenRefreshSupported" is
   "true", the client MAY either explicitly attempt to refresh the
   session using the "roidc1_session/refresh" query, or it MAY depend on
   the RDAP server to implicitly attempt to refresh the session as
   necessary when an RDAP query is received by the server.  If the value
   of "implicitTokenRefreshSupported" is "false", the client MUST
   explicitly attempt to refresh the session using the "roidc1_session/
   refresh" query to extend an existing session.  If a session cannot be
   extended for any reason, the client MUST establish a new session to
   continue authenticated query processing by submitting a
   "roidc1_session/login" query.  If the OP does not support token
   refresh, the client MUST submit a new "roidc1_session/login" request
   to establish a new session once an access token has expired.

If the server has “true” for “implicitTokenRefreshSupported”, there doesn’t seem to be a MUST requirement on the server to actually attempt a refresh.   Is that on purpose?

In the last sentence: Is the client required to wait until the access token has expired before submitting the new login request?  Or can it send logout and login back-to-back?  (Or even just a login command while currently logged in?)

Nit:  This block might be easier to parse if broken into multiple paragraphs.

Section 10.  Security Considerations:

This section defers the security considerations for OIDCC to that specification.  Section 3.1.2 contains the statement:  “Communication with the Authorization Endpoint MUST use TLS.” Section 5.3 makes a similar statement related to the UserInfo Endpoint However, due to its publication date (2014) the document does not appear to have a prohibition on older versions of TLS.  Perhaps there should be some mention of BCP 195 (RFC 8996) in this draft?


Now on to nits/semi-nits:

Section 3.1.3.1:  para 3:

Regarding:
An RDAP server MUST support at least one of these
   methods of OP discovery.

I think that would be more clear as:
An RDAP server/RP MUST support at least one of these
   methods of OP discovery.
(which would be consistent with para 1 in this section).  The main point is that we don’t want to imply that all RDAP servers need to support this.  You might choose to clarify by just switching to “RP”?


Section 3.1.3.3:

I think that for clarity, it would be helpful to use the word “consent” somewhere in the first sentence of this section.  This makes for stronger linkage with 3.1.2 Step 6 and the heading in OIDCC 3.1.2.4.


Section 3.1.3.4:

Regarding:
   After the End-User is authenticated, the OP will send a response to
   the RP that describes the result of the authorization process in the
   form of an Authorization Grant.

The beginning of the sentence seems to focus on authentication (not authorization) and only on the successful path.  It also uses the term “Authorization Grant”, which is inconsistent with 3.1.2 Step 7 and my reading of OIDCC 3.1.1.  Suggest clarifying with:

   After obtaining an authorization result, the OP will send a response to
  the RP that provides the result of the authorization process using an
  Authorization Code.


Section 3.1.3.5:

Regarding:

The RP MUST validate the Token
   Response.  This process is described in Section 3.1.3 of the OpenID
   Connect Core protocol [OIDCC].

I think that the reference could be more specific and point to OIDC 3.1.3.5


Section 3.1.3.6:

Regarding:

   The set of claims can be retrieved by sending a request to a UserInfo
   Endpoint using the Access Token.  The claims MAY be returned in the
   ID Token.

I think that the structure of the second sentence and the use of the capitalized “MAY” doesn’t quite capture the intent.  My read of OIDCC 5.3 indicates that the UserInfo Endpoint is not required to return UserInfo Claims (for various reasons), but if they are going to be returned, they are going to be returned in the ID Token.

Perhaps replace the second sentence with:
   The server provides returned claims in the ID Token.


Section 3.1.4:

Regarding:

   OpenID Connect claims are pieces of information used to make
   assertions about an entity.  Section 5 of the OpenID Connect Core
   protocol [OIDCC] describes a set of standard claims that can be used
   to identify a person.

My read of OIDCC Section 5 didn’t indicate anything about a person.  Suggest the following edit:

   OpenID Connect claims are pieces of information used to make
   assertions about an entity.  Section 5 of the OpenID Connect Core
   protocol [OIDCC] describes a set of standard claims.

(Which also happens to align with OIDCC 5.1, almost verbatim.)


Section 3.1.4.1:

Regarding:

   There are communities of RDAP users and operators who wish to make
   and validate claims about a user's "need to know" when it comes to
   requesting access to a resource.  For example, a law enforcement
   agent or a trademark attorney may wish to be able to assert that they
   have a legal right to access a protected resource, and a server
   operator will need to be able to receive and validate that claim.

Suggest minor edits to avoid needing to support certain statements.  As in:

   Communities of RDAP users and operators may wish to make
   and validate claims about a user's "need to know" when it comes to
   requesting access to a resource.  For example, a law enforcement
   agent or a trademark attorney may wish to be able to assert that they
   have a legal right to access a protected resource, and a server
   operator may need to be able to receive and validate that claim.


Section 3.1.4.2:

Regarding:

   There are also communities of RDAP users and operators who wish to
   make and validate claims about a user's wish to not have their
   queries logged, tracked, or recorded.  For example, a law enforcement
   agent may wish to be able to assert that their queries are part of a
   criminal investigation and should not be tracked due to a risk of
   query exposure compromising the investigation, and a server operator
   will need to be able to receive and validate that claim.

As above, suggest minor edits to avoid needing to support certain statements.  As in:

   Communities of RDAP users and operators may wish to
   make and validate claims about a user's wish to not have their
   queries logged, tracked, or recorded.  For example, a law enforcement
   agent may wish to be able to assert that their queries are part of a
   criminal investigation and should not be tracked due to a risk of
   query exposure compromising the investigation, and a server operator
   may need to be able to receive and validate that claim.


Section 4.3.1:

Regarding:

If this parameter is not present, the server
   MUST proces the query and make an acces control decision based on any
   other information known to the server about the End-User and the
   information they are requesting.

Suggested minor edit to remove the ambiguity of “this parameter” (and fix two typos)

If the “roidc1_qp” parameter is not present, the server
   MUST process the query and make an access control decision based on any
   other information known to the server about the End-User and the
   information they are requesting.


Section 4.6:

Regarding:

   The server should also take appropriate steps to ensure that the
   tokens associated with the terminated session cannot be reused.

Suggest an edit to move this “should” to “SHOULD”


Section 4.7:

Regarding:

Servers MUST reject queries
   that include identification information that is not associated with a
   supported OP by returning an HTTP 501 (Not Implemented) response.

For clarity, suggest adding “RDAP” before “Servers”… as in:

RDAP servers MUST reject queries
   that include identification information that is not associated with a
   supported OP by returning an HTTP 501 (Not Implemented) response.

(Or if this doesn’t refer to the RDAP Server, then something else to disambiguate.)


Section 5:

Regarding:

   ID tokens include an audience parameter that contains the OAuth 2.0
   client_id of the RP as an audience value.

>From my read of OIDCC Section 2 (“ID Token”), it appears that this “audience parameter” refers to an item that is described as a “claim” in that document.

However, later in Section 5, there is a reference to RFC 8693, which in Section 2.1 describes an “audience parameter”.

So, I’m not sure which is correct… perhaps something to direct the reader.  (Or maybe they are largely equivalent and my ignorance is on full display!)


Hope these help…

Thanks,

Rick


From: regext <regext-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Date: Thursday, June 16, 2022 at 1:41 PM
To: i-d-announce@ietf.org <i-d-announce@ietf.org>
Cc: regext@ietf.org <regext@ietf.org>
Subject: [EXTERNAL] [regext] I-D Action: draft-ietf-regext-rdap-openid-15.txt
CAUTION: This email came from outside your organization. Don’t trust emails, links, or attachments from senders that seem suspicious or you are not expecting.


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Registration Protocols Extensions WG of the IETF.

Title : Federated Authentication for the Registration Data Access Protocol (RDAP) using OpenID Connect
Author : Scott Hollenbeck
Filename : draft-ietf-regext-rdap-openid-15.txt
Pages : 37
Date : 2022-06-16

Abstract:
The Registration Data Access Protocol (RDAP) provides "RESTful" web
services to retrieve registration metadata from domain name and
regional internet registries. RDAP allows a server to make access
control decisions based on client identity, and as such it includes
support for client identification features provided by the Hypertext
Transfer Protocol (HTTP). Identification methods that require
clients to obtain and manage credentials from every RDAP server
operator present management challenges for both clients and servers,
whereas a federated authentication system would make it easier to
operate and use RDAP without the need to maintain server-specific
client credentials. This document describes a federated
authentication system for RDAP based on OpenID Connect.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-openid/<https://protect-us.mimecast.com/s/fqYQCkRNY7iOjx3cJlmc4?domain=datatracker.ietf.org>

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-regext-rdap-openid-15<https://protect-us.mimecast.com/s/V_LhClYNZ7C28QqcYKKGM?domain=datatracker.ietf.org>

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-regext-rdap-openid-15<https://protect-us.mimecast.com/s/13YACmZg1yCj3OLTNrSJW?domain=ietf.org>


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext<https://protect-us.mimecast.com/s/X69aCn5j2Of728pu0aMQ7?domain=ietf.org>

v2.23.0 | Report a Bug | By Email