On Fri, May 31, 2024 at 02:38:29AM -0700, internet-dra...@ietf.org wrote:
> Internet-Draft draft-ietf-oauth-attestation-based-client-auth-03.txt is now
> available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
> the IETF.
> 
>    Title:   OAuth 2.0 Attestation-Based Client Authentication
>    Authors: Tobias Looker
>             Paul Bastian
>    Name:    draft-ietf-oauth-attestation-based-client-auth-03.txt
>    Pages:   16
>    Dates:   2024-05-31
> 
> Abstract:
> 
>    This specification defines an extension to the OAuth 2 protocol as
>    defined in [RFC6749] which enables a Client Instance to include a
>    key-bound attestation in interactions with an Authorization Server or
>    a Resource Server.  This new method enables Client Instances involved
>    in a client deployment that is traditionally viewed as a public
>    client, to be able to utilize this key-bound attestation to
>    authenticate.
> 
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

Just reading the draft for the first time (so, not a comment on the diff),
it seems like the privacy considerations section should discuss what
exposure there is from the client instance to the client backend.  If I'm
reading correctly, the client attestation JWT is just authorizing the PoP
key that's used in the client attestation PoP JWT, and does not include any
audience or other information that would be specific to the resource at
which the client instance wishes to present the JWT.  So that would make
the client backend only able to see what level of activity the client
instance has but not where exactly that activity is going to.  And if the
attestation JWT is valid for a long time, even that would mask a lot of
potential activity.

Which in turn makes me wonder if we want to give some guidance on how long
of a lifetime both JWTs could/should have.  Even if we don't want to give
specific advice for a good lifetime, we could still analyze the tradeoffs
in doing a longer vs shorter lifetime.

-Ben

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
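The two-token structure Ben is reading out of the draft, as an added example that is not part of the thread or of the draft's own text: a small Go program in which the client backend issues a key-bound attestation JWT that carries `cnf.jwk`, `sub` and `exp` but no audience, the client instance mints a short-lived PoP JWT that names one authorization server in `aud`, and the AS verifies the chain backend key -> attestation -> `cnf.jwk` -> PoP. The `typ` strings, claim names, the `backend.example` / `as.example` URLs, the client_id, the fixed clock value and the lifetimes are assumptions made for illustration, not values the draft fixes; the ES256 JOSE signing is hand-rolled to keep the example dependency-free.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Illustrative only: the typ values and claim names below are this example's
// assumptions, not a statement of what the draft mandates.
const (
	typAttestation = "oauth-client-attestation+jwt"
	typPoP         = "oauth-client-attestation-pop+jwt"
)

var b64 = base64.RawURLEncoding

// signJWT produces a compact JWS with ES256 (P-256, SHA-256, fixed-width r||s).
func signJWT(typ string, claims map[string]any, key *ecdsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": typ})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		panic(err) // only fails if the CSPRNG does
	}
	sig := make([]byte, 64) // JWS ES256 is r||s, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyJWT pins alg and typ (no alg or token-type confusion) and enforces exp.
func verifyJWT(tok, typ string, pub *ecdsa.PublicKey, now int64) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hb, e1 := b64.DecodeString(parts[0])
	pb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Typ string }
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil ||
		hdr.Alg != "ES256" || hdr.Typ != typ {
		return nil, errors.New("bad encoding or unexpected alg/typ")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	if json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("bad claims")
	}
	if exp, ok := claims["exp"].(float64); !ok || int64(exp) <= now {
		return nil, errors.New("missing or expired exp")
	}
	return claims, nil
}

// keyFromCnf reads the P-256 key the backend bound in cnf.jwk; rejects off-curve points.
func keyFromCnf(claims map[string]any) (*ecdsa.PublicKey, error) {
	var cnf struct{ JWK struct{ Crv, X, Y string } }
	raw, _ := json.Marshal(claims["cnf"])
	_ = json.Unmarshal(raw, &cnf)
	xb, e1 := b64.DecodeString(cnf.JWK.X)
	yb, e2 := b64.DecodeString(cnf.JWK.Y)
	x, y := elliptic.Unmarshal(elliptic.P256(), append([]byte{4}, append(xb, yb...)...)) // nil unless on curve
	if e1 != nil || e2 != nil || cnf.JWK.Crv != "P-256" || x == nil {
		return nil, errors.New("unusable cnf.jwk")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
}

// IssueAttestation is the backend's step. It learns which key belongs to which
// client_id and for how long; nothing in it says where the instance will use it.
func IssueAttestation(backend *ecdsa.PrivateKey, instancePub *ecdsa.PublicKey, clientID string, now, ttl int64) string {
	p := elliptic.Marshal(elliptic.P256(), instancePub.X, instancePub.Y) // 0x04 || x || y
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(p[1:33]), "y": b64.EncodeToString(p[33:])}
	return signJWT(typAttestation, map[string]any{"iss": "https://backend.example", "sub": clientID,
		"exp": now + ttl, "cnf": map[string]any{"jwk": jwk}}, backend)
}

// MakePoP is the instance's step: a fresh, audience-bound, short-lived proof of the key.
func MakePoP(instance *ecdsa.PrivateKey, clientID, aud string, now, ttl int64) string {
	jti := make([]byte, 16)
	rand.Read(jti)
	return signJWT(typPoP, map[string]any{"iss": clientID, "aud": aud, "exp": now + ttl, "jti": b64.EncodeToString(jti)}, instance)
}

// Authenticate is the AS's step: backend key -> attestation -> cnf key -> PoP, then
// aud, client_id consistency and jti replay. seen only needs to span the PoP ttl.
func Authenticate(asID string, backendPub *ecdsa.PublicKey, attestation, pop string, now int64, seen map[string]bool) (string, error) {
	att, err := verifyJWT(attestation, typAttestation, backendPub, now)
	if err != nil {
		return "", fmt.Errorf("attestation: %w", err)
	}
	instancePub, err := keyFromCnf(att)
	if err != nil {
		return "", err
	}
	p, err := verifyJWT(pop, typPoP, instancePub, now)
	if err != nil {
		return "", fmt.Errorf("pop: %w", err)
	}
	sub, _ := att["sub"].(string)
	jti, _ := p["jti"].(string)
	if sub == "" || p["aud"] != asID || p["iss"] != sub || jti == "" || seen[jti] {
		return "", errors.New("pop not for this AS, wrong client_id, or replayed")
	}
	seen[jti] = true
	return sub, nil
}

func main() {
	backend, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	instance, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, seen := int64(1717142309), map[string]bool{} // constructed clock value
	att := IssueAttestation(backend, &instance.PublicKey, "client-123", now, 30*24*3600) // weeks-long
	pop := MakePoP(instance, "client-123", "https://as.example", now, 60)                // one minute
	fmt.Println(Authenticate("https://as.example", &backend.PublicKey, att, pop, now, seen))
	fmt.Println(Authenticate("https://as.example", &backend.PublicKey, att, pop, now, seen)) // replay
}
```

The lifetime tradeoff shows up directly in the two `ttl` arguments: the attestation's lifetime sets how often the instance has to talk to its backend (the only observation point the backend has, since the attestation carries no `aud`), while the PoP's lifetime bounds both the replay window an AS must remember `jti` values for and how long a stolen PoP is usable against that one AS.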