[OAUTH-WG] PAR error for redirect URI?

2020-12-02 Thread Brian Campbell
During the course of a recent OIDF FAPI WG discussion (the FAPI profiles use PAR for authz requests) on this issue it was noted that there's no specific error code for problems with the redirect_uri (the

[OAUTH-WG] draft-ietf-oauth-dpop-02: The size of the "jti" is currently mandated to 96 bits minimum

2020-12-02 Thread Denis
Hi Brian, I changed the title of this thread from "Reminder - Interim Meeting to discuss DPoP" to "draft-ietf-oauth-dpop-02: The size of the "jti" is currently mandated to 96 bits minimum". Thank you for the link. I read it but I am still not convinced that using a minimum of 96 bits is

[OAUTH-WG] Proposed text for a Privacy considerations section in draft-ietf-oauth-dpop-02

2020-12-02 Thread Denis
This is the development of the 18th comment from my previous email. Proposed text: 9. Privacy considerations The document does not specify how the public key used to compute the signature of the DPoP proof JWT is generated or where it comes from. Different scenarios are possible. They are addressed

[OAUTH-WG] Proposed changes to draft-ietf-oauth-dpop-02

2020-12-02 Thread Denis
I have reviewed the whole draft and you will find comments below starting with five editorial comments. Every other comment is numbered. Let us start with five typos where there is a duplication of the word "the": Page 4: XSS vulnerabilities also allow an attacker to execute code in the

Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

2020-12-02 Thread Brian Campbell
The conversation at https://github.com/danielfett/draft-dpop/pull/51#discussion_r332377311 has a bit more of the rationale behind the choice of 96-bit minimum. On Wed, Dec 2, 2020 at 7:07 AM Denis wrote: > Hi Daniel, > > All your arguments make sense. I agree. > > A minor point however. The size

Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

2020-12-02 Thread Denis
Hi Daniel, All your arguments make sense. I agree. A minor point however. The size of the "jti" is currently mandated to 96 bits minimum. This is unnecessarily long for a time window of a few minutes. The "jti" does not need to be a unique identifier valid forever. It can simply be an