Hello Brian,
The text did not explicitly mention draft-ietf-oauth-dpop-01. On
re-reading the text, it only appears in a link.
I am NOT arguing that collaboration attacks are something that DPoP is
expected to address.
I am arguing that DPoP should mention in its Security Considerations
section that collaboration attacks are something that DPoP does not address.
At the moment, section 9 (Security Considerations) of
draft-ietf-oauth-dpop-01 is not conformant to RFC 3552 (Guidelines for
Writing RFC Text on Security Considerations), since section 5 of RFC 3552 states:
Authors MUST describe
1. which attacks are out of scope (and why!)
2. which attacks are in-scope
2.1 and the protocol is susceptible to
2.2 and the protocol protects against
Denis
Hello Denis,
The most recent version of the DPoP draft is not
draft-fett-oauth-dpop-04 but rather draft-ietf-oauth-dpop-01, which
doesn't expire until November. I realize that the naming and
versioning conventions of IETF documents are a bit esoteric and can
lend themselves to such mistakes. But someone who insists on making
unhelpful criticism of said documents should probably be more mindful
of such details.
This WG (and it's not the only WG where this has happened) has
repeatedly confirmed the rough consensus that these so-called
collaboration attacks are not something that DPoP, or any of the other
documents you've said the same about, is expected to address. Nor is
there even reason enough to think that readers need to be told so.
Your personal enthusiasm for the topic does not change that and
doesn't change the fundamental nature of how OAuth works.
I am sorry to hear that you felt the podcast was too long. I can
certainly empathize with feeling like one's time has been wasted.
On Wed, Sep 23, 2020 at 3:38 AM Denis <denis.i...@free.fr> wrote:
Hello Brian and Vittorio,
I have two observations:
* draft-fett-oauth-dpop-04, which is the last version, expired on
5 September 2020,
* the podcast as well as draft-fett-oauth-dpop-04 omit to
mention the client/user collaborative attack against which
draft-fett-oauth-dpop-04 is ineffective.
Denis
PS. The podcast is a nice effort but is far too long (29:37).
The mTLS vs DPoP was good in articulating how the two specs are
alike, how they differ and which particular type of app they are
meant to serve.
I'm saying this as a person who is generally allergic to
technical podcasts :)
Maybe every RFC that comes out of this WG should have a podcast
link at the top, where the authors discuss it in simple, honest
and non-speccy terms, because that's often how people are best
able to perceive the spirit and subtleties of some technical or
spec work.
Vladimir
On 21/09/2020 09:40, Vittorio Bertocci wrote:
Dear all,
This is an informal mail to inform you that there's a new
podcast, identityunlocked.com <http://identityunlocked.com/>,
dedicated to informing about and explaining
new identity spec developments for developers.
You can find a more detailed explanation of the podcast's goals
in
https://auth0.com/blog/identity-unlocked-a-podcast-for-developers/,
but the TL;DR is that the specs themselves aren't all that easy
to read for the non-initiated, and a lot of useful info emerges
during the discussions leading to the spec but rarely surfaces in
a usable form to the people who don't participate in those discussions.
The first episode
<https://auth0.com/blog/identity-unlocked-explained-episode-1/>,
featuring Brian Campbell discussing MTLS & DPoP, should give you
an idea of what season 1 of the show will look like.
The full list of the first run is available here
<https://auth0.com/blog/auth0-launches-identity-unlocked-the-identity-podcast-for-developers/>.
Of 6 episodes, 3 of them are about specifications coming out of
this WG, and all guests are actively involved in the IETF.
My main goals in sharing this info here are
* Letting you know that the podcast exists, so that you can
make use of it if you so choose (e.g. referring people to it
if they need to better understand something covered in an
episode)
* Soliciting proposals for new episodes: topics you believe
are currently underserved, topics you are often asked about,
topics you would like to be interviewed about on the show
* Growing the show's subscriber base. I was able to get
backing from my company to produce a podcast that has
exactly ZERO product pitches and is purely about identity
spec promotion, on the gamble that the topic does have an
audience finding it useful. So far the reception has been
great, and we need to keep it up if we want to have a season 2.
I hope you’ll find the initiative useful!
Cheers,
V.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth