Hello Denis,

The most recent version of the DPoP draft is not draft-fett-oauth-dpop-04
but rather draft-ietf-oauth-dpop-01, which doesn't expire until November. I
realize that the naming and versioning conventions of IETF documents are a
bit esoteric and can lend themselves to such mistakes. But someone who
insists on making unhelpful criticism of said documents should probably be
more mindful of such details.

This WG (and it's not the only WG where this has happened) has repeatedly
confirmed the rough consensus that these so-called collaboration attacks
are not something that DPoP, or any of the other documents you've said the
same about, is expected to address. Nor that there is even reason enough to
think that readers need to be told so. Your personal enthusiasm for the
topic does not change that and doesn't change the fundamental nature of how
OAuth works.

I am sorry to hear that you felt the podcast was too long. I can certainly
empathize with feeling like one's time has been wasted.




On Wed, Sep 23, 2020 at 3:38 AM Denis <denis.i...@free.fr> wrote:

> Hello Brian and Vittorio,
> I have two observations:
>
>    - draft-fett-oauth-dpop-04 which is the last version expired on 5
>    September 2020,
>    - the podcast as well as draft-fett-oauth-dpop-04 omit to mention the
>    client/user collaborative attack against which draft-fett-oauth-dpop-04 is
>    ineffective.
>
>
> Denis
>
> PS. The podcast is a nice effort but is far too long (29:37).
>
> The mTLS vs DPoP was good in articulating how the two specs are alike, how
> they differ and which particular type of app they are meant to serve.
>
> I'm saying this as a person who is generally allergic to technical
> podcasts :)
>
> Maybe every RFC that comes out of this WG should have a podcast link at
> the top, where the authors discuss it in simple, honest and non-speccy
> terms, because that's often how people are best able to perceive the spirit
> and subtleties of some technical or spec work.
>
> Vladimir
> On 21/09/2020 09:40, Vittorio Bertocci wrote:
>
> Dear all,
>
> This is an informal mail to inform you that there’s a new podcast
> <http://identityunlocked.com/>, identityunlocked.com, dedicated to inform
> and explain new identity specs developments for developers.
>
> You can find a more detailed explanation of the podcast’s goals in
> https://auth0.com/blog/identity-unlocked-a-podcast-for-developers/, but
> the TL;DR is that the specs themselves aren’t all that easy to read for the
> non-initiated, and a lot of useful info emerges during the discussions
> leading to the spec but rarely surfaces in a usable form to the people who
> don’t participate in discussions.
>
> The first episode
> <https://auth0.com/blog/identity-unlocked-explained-episode-1/>,
> featuring Brian Campbell discussing MTLS & DPoP, should give you an idea of
> what season 1 of the show will look like.
>
> The full list of the first run is available here
> <https://auth0.com/blog/auth0-launches-identity-unlocked-the-identity-podcast-for-developers/>.
> Of 6 episodes, 3 of them are about specifications coming out of this WG-
> and all guests are actively involved in the IETF.
>
> My main goals sharing this info here are
>
>    - *Letting you know that the podcast exists*, so that you can make use
>    of it if you so choose (e.g. referring people to it if they need to better
>    understand something covered in an episode)
>    - *Soliciting proposals for new episodes*: topics you believe are
>    currently underserved, topics you are often asked about, topics you would
>    like to be interviewed about on the show
>    - *Growing the show’s subscriber base*. I was able to get backing from
>    my company to produce a podcast that has exactly ZERO product pitches and
>    is purely about identity specs promotion, on the gamble that the topic does
>    have an audience finding it useful. So far the reception has been great,
>    and we need to keep it up if we want to have a season 2.
>
>
>
> I hope you’ll find the initiative useful!
>
> Cheers,
>
> V.
>
>
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
