I've published a somewhat overdue -02 revision of DPoP. The changes in this revision, which aim to address feedback and discussion from the list and prior interim, are summarized below in text copied from the Document History. The changes are a bit difficult to summarize though because, while the document has gotten a bit of an overhaul, the actual protocol bits are mostly unchanged. I do hope and think, however, that this new revision will be easier to digest.
Note also that DPoP is the topic for the next interim meeting later this month https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth where I plan to do a similarly poor job explaining the recent updates.

Changes in -02:

* Lots of editorial updates and additions including expanding on the objectives, better defining the key confirmation representations, example updates and additions, better describing mixed bearer/dpop token type deployments, clarify RT binding only being done for public clients and why, more clearly allow for a bound RT but with bearer AT, explain/justify the choice of SHA-256 for key binding, and more
* Require that a protected resource supporting bearer and DPoP at the same time must reject an access token received as bearer, if that token is DPoP-bound
* Remove the case-insensitive qualification on the "htm" claim check
* Relax the jti tracking requirements a bit and qualify it by URI

---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Wed, Nov 18, 2020 at 3:26 PM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-02.txt
To: <i-d-annou...@ietf.org>
Cc: <oauth@ietf.org>

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
        Authors         : Daniel Fett
                          Brian Campbell
                          John Bradley
                          Torsten Lodderstedt
                          Michael Jones
                          David Waite
        Filename        : draft-ietf-oauth-dpop-02.txt
        Pages           : 29
        Date            : 2020-11-18

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-02.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-02

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
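Added example, not part of the announcement above or of the draft text: a resource-server policy check that implements the three normative changes listed for -02 (reject a DPoP-bound access token presented with the Bearer scheme; compare "htm" exactly, case-sensitively, against the request method; track "jti" replay qualified by the request URI), plus the RFC 7638 JWK thumbprint that the token's cnf/jkt binding is checked against. It assumes the DPoP proof's JWS signature has already been verified against the jwk in its header (stdlib Python has no ECDSA/RSA, so that step is not repeated here) and models the access token as an already-validated claims dict. All key material, URIs and claim values are constructed for the example; the function and class names are the example's own.

```python
"""Resource-server DPoP policy checks per the draft-ietf-oauth-dpop-02 change list.
Assumption: proof signature already verified against proof_header["jwk"];
token_claims is the validated access token (JWT claims or introspection result).
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: members included in the thumbprint, per key type
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographically ordered, no whitespace.
    Optional members such as "kid" or "alg" deliberately do not affect the value."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


class ReplayCache:
    """Seen (htu, jti) pairs within a time window. Keying by URI is the -02 relaxation:
    the same jti presented to a different resource URI is not treated as a replay."""

    def __init__(self, window_seconds: int):
        self.window = window_seconds
        self.seen = {}  # (htu, jti) -> first-seen time

    def check_and_record(self, htu: str, jti: str, now: float) -> bool:
        self.seen = {k: t for k, t in self.seen.items() if now - t < self.window}
        key = (htu, jti)
        if key in self.seen:
            return False
        self.seen[key] = now
        return True


def check_request(scheme, token_claims, proof_header, proof_claims, method, uri, cache, now, max_age=60):
    """Return None if the request is accepted, else a short rejection reason.
    `uri` is the request URI with query and fragment already stripped (assumed done by the caller)."""
    bound_jkt = (token_claims.get("cnf") or {}).get("jkt")
    scheme = scheme.lower()  # HTTP auth scheme names are case-insensitive (RFC 7235); htm is not
    if scheme == "bearer":
        # -02: a server accepting both schemes must reject a DPoP-bound token sent as bearer
        return "dpop_bound_token_presented_as_bearer" if bound_jkt is not None else None
    if scheme != "dpop":
        return "unsupported_scheme"
    if bound_jkt is None:
        return "token_not_dpop_bound"
    if proof_header.get("typ") != "dpop+jwt" or "jwk" not in proof_header:
        return "malformed_proof_header"
    if jwk_thumbprint(proof_header["jwk"]) != bound_jkt:
        return "proof_key_does_not_match_token_binding"
    if proof_claims.get("htm") != method:  # -02: exact comparison, "get" != "GET"
        return "htm_mismatch"
    if proof_claims.get("htu") != uri:
        return "htu_mismatch"
    iat = proof_claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        return "proof_iat_out_of_window"
    jti = proof_claims.get("jti")
    if not jti:
        return "missing_jti"
    if not cache.check_and_record(uri, jti, now):  # -02: replay tracking qualified by URI
        return "jti_replay"
    return None


def demo():
    """Run the checks over constructed sample data and return the outcome of each case."""
    jwk = {"kty": "EC", "crv": "P-256", "kid": "ignored-by-thumbprint",      # constructed sample key
           "x": "WKn-ZIGevcwGIyyrzFoZNBdaq9_TsqzGl96oc0CWuis",
           "y": "y77t-RvAHRKTsSGdIYUfweuOvwrvDD-Q3Hv5J0fSKbE"}
    other_jwk = dict(jwk, x="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")  # a different key
    token = {"sub": "alice", "scope": "read", "cnf": {"jkt": jwk_thumbprint(jwk)}}  # AS bound it to jwk
    hdr = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    bad_hdr = dict(hdr, jwk=other_jwk)
    now, uri, other_uri = 1_605_000_000, "https://rs.example/resource", "https://rs.example/other"
    cache = ReplayCache(window_seconds=300)

    def proof(**over):
        c = {"jti": "e1j3V_bKic8-LAEB", "htm": "GET", "htu": uri, "iat": now}
        c.update(over)
        return c

    return {
        "bearer_with_bound_token": check_request("Bearer", token, None, None, "GET", uri, cache, now),
        "bearer_with_unbound_token": check_request("Bearer", {"sub": "bob"}, None, None, "GET", uri, cache, now),
        "first_dpop": check_request("DPoP", token, hdr, proof(), "GET", uri, cache, now),
        "replay_same_uri": check_request("DPoP", token, hdr, proof(), "GET", uri, cache, now),
        "same_jti_other_uri": check_request("DPoP", token, hdr, proof(htu=other_uri), "GET", other_uri, cache, now),
        "lowercase_htm": check_request("DPoP", token, hdr, proof(jti="j2", htm="get"), "GET", uri, cache, now),
        "wrong_key": check_request("DPoP", token, bad_hdr, proof(jti="j3"), "GET", uri, cache, now),
        "stale_proof": check_request("DPoP", token, hdr, proof(jti="j4", iat=now - 600), "GET", uri, cache, now),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} -> {outcome or 'accepted'}")
```

The replay cache is keyed on (htu, jti) rather than jti alone, which is what "qualify it by URI" buys a deployment: a client that legitimately reuses a proof identifier against two different resources is not rejected, while a captured proof replayed against the same URI still is. Note that the scheme name is normalized before comparison but the "htm" value is not; the -02 change removed case-insensitivity only from the method check.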