[OAUTH-WG] [IANA #1270468] expert review for draft-ietf-oauth-dpop (oauth-parameters)
Dear Justin, Hello. Have you had a chance to review these proposed registrations? The due date is Wednesday April 12th, 2023, as this document is on this week's IESG telechat agenda. Thank you very much for your time. Best regards, David Dong IANA Services Specialist On Thu Apr 06 15:22:17 2023, david.dong wrote: > Dear Justin (cc: oauth WG), > > As the designated expert for the OAuth Dynamic Client Registration > Metadata registry, can you review the proposed registration in draft- > ietf-oauth-dpop for us? Please see: > > https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ > > The due date is Wednesday April 12th, 2023. This document is on next > week's IESG telechat agenda. > > - > Eleventh, in the OAuth Dynamic Client Registration Metadata also on > the OAuth Parameters registry page located at: > > https://www.iana.org/assignments/oauth-parameters/ > > a single, new parameter is to be registered as follows: > > Metadata Name: dpop_bound_access_tokens > Metadata Description: Boolean value specifying whether the client > always uses DPoP for token requests > Change Controller: IETF > Specification Document(s): [ RFC-to-be; Section 5.2 ] > > As this section of the draft also requests registrations in a > Specification Required (see RFC 8126) registry, the IESG-designated > experts for the OAuth Dynamic Client Registration Metadata registry > have asked that you send a review request to the mailing list > specified in RFC7591. This review must be completed before the > document's IANA state can be changed to "IANA OK." > - > > If this registration is OK, when the IESG approves the document for > publication, we'll make the registration at: > > https://www.iana.org/assignments/oauth-parameters/ > > With thanks, > > David Dong > IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1270470] expert review for draft-ietf-oauth-dpop (jwt)
Dear John and Hannes, Hello. Have you had a chance to review these proposed registrations? The due date is Wednesday April 12th, 2023, as this document is on this week's IESG telechat agenda. Thank you very much for your time. Best regards, David Dong IANA Services Specialist On Thu Apr 06 15:32:08 2023, david.dong wrote: > Dear John and Hannes (cc: oauth WG), > > As the designated experts for the JWT Confirmation Methods registry, > can you review the proposed registration in draft-ietf-oauth-dpop for > us? Please see: > > https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ > > The due date is Wednesday April 12th, 2023. This document is on next > week's IESG telechat agenda. > > - > Sixth, in the JWT Confirmation Methods registry on the JSON Web Token > (JWT) registry page located at: > > https://www.iana.org/assignments/jwt/ > > a single, new registration will be made as follows: > > Confirmation Method Value: jkt > Confirmation Method Description: JWK SHA-256 Thumbprint > Change Controller: IETF > Specification Document(s): [ RFC-to-be; Section 6 ] > > As this section of the draft also requests a registration in a > Specification Required (see RFC 8126) registry, the IESG-designated > experts for the JWT Confirmation Methods registry have asked that you > send a review request to the mailing list specified in RFC7800. This > review must be completed before the document's IANA state can be > changed to "IANA OK." > - > > If this registration is OK, when the IESG approves the document for > publication, we'll make the registration at: > > https://www.iana.org/assignments/jwt/ > > With thanks, > > David Dong > IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1270467] expert review for draft-ietf-oauth-dpop (oauth-parameters)
Dear Hannes, Hello. Have you had a chance to review these proposed registrations? The due date is Wednesday April 12th, 2023, as this document is on this week's IESG telechat agenda. Thank you very much for your time. Best regards, David Dong IANA Services Specialist On Thu Apr 06 15:14:01 2023, david.dong wrote: > Dear Hannes, > > As the designated expert for the OAuth Access Token Types, OAuth > Extensions Error and OAuth Parameters registries, can you review the > proposed registration in draft-ietf-oauth-dpop for us? Please see: > > https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ > > The due date is Wednesday April 12th, 2023. This document is on next > week's IESG telechat agenda. > > - > First, in the OAuth Access Token Types registry: > > Name: DPoP > Additional Token Endpoint Response Parameters: > HTTP Authentication Scheme(s): DPoP > Change controller: IETF > Specification document(s): [ RFC-to-be ] > > Second, in the OAuth Extensions Error registry: > > Name: invalid_dpop_proof > Usage Location: token error response, resource error response > Protocol Extension: Demonstrating Proof of Possession (DPoP) > Change controller: IETF > Specification document(s): [ RFC-to-be ] > > Name: use_dpop_nonce > Usage Location: token error response, resource error response > Protocol Extension: Demonstrating Proof of Possession (DPoP) > Change controller: IETF > Specification document(s): [ RFC-to-be ] > > Third, in the OAuth Parameters registry: > > Name: dpop_jkt > Parameter Usage Location: authorization request > Change Controller: IETF > Reference: [ RFC-to-be; Section 10 ] > - > > If this registration is OK, when the IESG approves the document for > publication, we'll make the registration at: > > https://www.iana.org/assignments/oauth-parameters/ > > With thanks, > > David Dong > IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1270471] expert review for draft-ietf-oauth-dpop (jwt)
Dear John, Brian, Michael and Chuck (cc: oauth WG), As the designated experts for the JSON Web Token Claims registry, can you review the proposed registration in draft-ietf-oauth-dpop for us? Please see: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ The due date is Wednesday April 12th, 2023. This document is on next week's IESG telechat agenda. - Seventh, in the JSON Web Token Claims also on the JSON Web Token (JWT) registry page located at: https://www.iana.org/assignments/jwt/ three new web token claims will be registered as follows: Claim Name: htm Claim Description: The HTTP method of the request Change Controller: IETF Specification Document(s): [ RFC-to-be; Section 4.2 ] Claim Name: htu Claim Description: The HTTP URI of the request (without query and fragment parts) Change Controller: IETF Specification Document(s): [ RFC-to-be; Section 4.2 ] Claim Name: ath Claim Description: The base64url encoded SHA-256 hash of the ASCII encoding of the associated access token's value Change Controller: IETF Specification Document(s): [ RFC-to-be; Section 4.2 ] As this section of the draft also requests registrations in a Specification Required (see RFC 8126) registry, the IESG-designated experts for the JSON Web Token Claims registry have asked that you send a review request to the mailing list specified in RFC7519. This review must be completed before the document's IANA state can be changed to "IANA OK." - If this registration is OK, when the IESG approves the document for publication, we'll make the registration at: https://www.iana.org/assignments/jwt/ With thanks, David Dong IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1270470] expert review for draft-ietf-oauth-dpop (jwt)
Dear John and Hannes (cc: oauth WG), As the designated experts for the JWT Confirmation Methods registry, can you review the proposed registration in draft-ietf-oauth-dpop for us? Please see: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ The due date is Wednesday April 12th, 2023. This document is on next week's IESG telechat agenda. - Sixth, in the JWT Confirmation Methods registry on the JSON Web Token (JWT) registry page located at: https://www.iana.org/assignments/jwt/ a single, new registration will be made as follows: Confirmation Method Value: jkt Confirmation Method Description: JWK SHA-256 Thumbprint Change Controller: IETF Specification Document(s): [ RFC-to-be; Section 6 ] As this section of the draft also requests a registration in a Specification Required (see RFC 8126) registry, the IESG-designated experts for the JWT Confirmation Methods registry have asked that you send a review request to the mailing list specified in RFC7800. This review must be completed before the document's IANA state can be changed to "IANA OK." - If this registration is OK, when the IESG approves the document for publication, we'll make the registration at: https://www.iana.org/assignments/jwt/ With thanks, David Dong IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1270468] expert review for draft-ietf-oauth-dpop (oauth-parameters)
Dear Justin (cc: oauth WG), As the designated expert for the OAuth Dynamic Client Registration Metadata registry, can you review the proposed registration in draft-ietf-oauth-dpop for us? Please see: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ The due date is Wednesday April 12th, 2023. This document is on next week's IESG telechat agenda. - Eleventh, in the OAuth Dynamic Client Registration Metadata also on the OAuth Parameters registry page located at: https://www.iana.org/assignments/oauth-parameters/ a single, new parameter is to be registered as follows: Metadata Name: dpop_bound_access_tokens Metadata Description: Boolean value specifying whether the client always uses DPoP for token requests Change Controller: IETF Specification Document(s): [ RFC-to-be; Section 5.2 ] As this section of the draft also requests registrations in a Specification Required (see RFC 8126) registry, the IESG-designated experts for the OAuth Dynamic Client Registration Metadata registry have asked that you send a review request to the mailing list specified in RFC7591. This review must be completed before the document's IANA state can be changed to "IANA OK." - If this registration is OK, when the IESG approves the document for publication, we'll make the registration at: https://www.iana.org/assignments/oauth-parameters/ With thanks, David Dong IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1270467] expert review for draft-ietf-oauth-dpop (oauth-parameters)
Dear Hannes, As the designated expert for the OAuth Access Token Types, OAuth Extensions Error and OAuth Parameters registries, can you review the proposed registration in draft-ietf-oauth-dpop for us? Please see: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ The due date is Wednesday April 12th, 2023. This document is on next week's IESG telechat agenda. - First, in the OAuth Access Token Types registry: Name: DPoP Additional Token Endpoint Response Parameters: HTTP Authentication Scheme(s): DPoP Change controller: IETF Specification document(s): [ RFC-to-be ] Second, in the OAuth Extensions Error registry: Name: invalid_dpop_proof Usage Location: token error response, resource error response Protocol Extension: Demonstrating Proof of Possession (DPoP) Change controller: IETF Specification document(s): [ RFC-to-be ] Name: use_dpop_nonce Usage Location: token error response, resource error response Protocol Extension: Demonstrating Proof of Possession (DPoP) Change controller: IETF Specification document(s): [ RFC-to-be ] Third, in the OAuth Parameters registry: Name: dpop_jkt Parameter Usage Location: authorization request Change Controller: IETF Reference: [ RFC-to-be; Section 10 ] - If this registration is OK, when the IESG approves the document for publication, we'll make the registration at: https://www.iana.org/assignments/oauth-parameters/ With thanks, David Dong IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1270370] Request to register OAuth Authorization Server Metadata: dpop_signing_alg_values_supported
Dear Michael, Nat, John and Dick (cc: oauth WG / review mailing list), As the designated experts for the OAuth Authorization Server Metadata registry, can you review the proposed registration in draft-ietf-oauth-dpop for us? Please see: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ - Tenth, in the OAuth Authorization Server Metadata also on the OAuth Parameters registry page located at: https://www.iana.org/assignments/oauth-parameters/ a single, new parameter is to be registered as follows: Metadata Name: dpop_signing_alg_values_supported Metadata Description: JSON array containing a list of the JWS algorithms supported for DPoP proof JWTs Change Controller: IETF Specification Document(s): [ RFC-to-be; Section 5.1 ] - The due date is Wednesday April 12th, 2023. This document is on next week's IESG telechat agenda. If this registration is OK, when the IESG approves the document for publication, we'll make the registration at: https://www.iana.org/assignments/oauth-parameters/ Unless you ask us to wait for the other reviewers, we’ll act on the first response we receive. With thanks, David Dong IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1267318] expert review for draft-ietf-oauth-step-up-authn-challenge (oauth-parameters)
Dear Hannes, Following-up on this review again; could you let us know if this registration is okay to proceed? Thank you. Best regards, David Dong IANA Services Specialist On Wed Mar 22 20:44:22 2023, david.dong wrote: > Dear Hannes, > > Following-up on this review; could you let us know if this > registration is okay to proceed? > > Thank you. > > Best regards, > > David Dong > IANA Services Specialist > > On Mon Feb 27 23:07:32 2023, david.dong wrote: > > Dear Hannes (cc: oauth wg), > > > > As the designated expert for the OAuth Extensions Error Registry > > registry, can you review the proposed registration in draft-ietf- > > oauth-step-up-authn-challenge for us? Please see > > > > https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn- > > challenge/ > > > > The due date is March 13 2023. > > > > If this is OK, when the IESG approves the document for publication, > > we'll make the registration at > > > > https://www.iana.org/assignments/oauth-parameters/ > > > > With thanks, > > > > David Dong > > IANA Services Specialist > > > > On Mon Feb 27 22:57:06 2023, david.dong wrote: > > > First, in the OAuth Extensions Error Registry on the OAuth > > > Parameters > > > registry page located at: > > > > > > https://www.iana.org/assignments/oauth-parameters/ > > > > > > a single, registration is to be made as follows: > > > > > > Name: insufficient_user_authentication > > > Usage Location: resource access error response > > > Protocol Extension: OAuth 2.0 Step-up Authentication Challenge > > > Protocol > > > Change Controller: IETF > > > Reference: [ RFC-to-be; Section 3 ] > > > > > > As this document requests registrations in an Expert Review or > > > Specification Required (see RFC 8126) registry, we will initiate > > > the > > > required Expert Review via a separate request. This review must be > > > completed before the document's IANA state can be changed to "IANA > > > OK." > > > > > > Second, in the OAuth Token Introspection Response registry also on > > > the > > > OAuth Parameters registry page located at: > > > > > > https://www.iana.org/assignments/oauth-parameters/ ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1267318] expert review for draft-ietf-oauth-step-up-authn-challenge (oauth-parameters)
Dear Hannes, Following-up on this review; could you let us know if this registration is okay to proceed? Thank you. Best regards, David Dong IANA Services Specialist On Mon Feb 27 23:07:32 2023, david.dong wrote: > Dear Hannes (cc: oauth wg), > > As the designated expert for the OAuth Extensions Error Registry > registry, can you review the proposed registration in draft-ietf- > oauth-step-up-authn-challenge for us? Please see > > https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn- > challenge/ > > The due date is March 13 2023. > > If this is OK, when the IESG approves the document for publication, > we'll make the registration at > > https://www.iana.org/assignments/oauth-parameters/ > > With thanks, > > David Dong > IANA Services Specialist > > On Mon Feb 27 22:57:06 2023, david.dong wrote: > > First, in the OAuth Extensions Error Registry on the OAuth Parameters > > registry page located at: > > > > https://www.iana.org/assignments/oauth-parameters/ > > > > a single, registration is to be made as follows: > > > > Name: insufficient_user_authentication > > Usage Location: resource access error response > > Protocol Extension: OAuth 2.0 Step-up Authentication Challenge > > Protocol > > Change Controller: IETF > > Reference: [ RFC-to-be; Section 3 ] > > > > As this document requests registrations in an Expert Review or > > Specification Required (see RFC 8126) registry, we will initiate the > > required Expert Review via a separate request. This review must be > > completed before the document's IANA state can be changed to "IANA > > OK." > > > > Second, in the OAuth Token Introspection Response registry also on > > the > > OAuth Parameters registry page located at: > > > > https://www.iana.org/assignments/oauth-parameters/ ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1267319] expert review for draft-ietf-oauth-step-up-authn-challenge (oauth-parameters)
Dear Justin (cc: oauth wg), As the designated expert for the OAuth Token Introspection Response registry, can you review the proposed registration in draft-ietf-oauth-step-up-authn-challenge for us? Please see https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/ The due date is March 13 2023. If this is OK, when the IESG approves the document for publication, we'll make the registration at https://www.iana.org/assignments/oauth-parameters/ With thanks, David Dong IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1267318] expert review for draft-ietf-oauth-step-up-authn-challenge (oauth-parameters)
Dear Hannes (cc: oauth wg), As the designated expert for the OAuth Extensions Error Registry registry, can you review the proposed registration in draft-ietf-oauth-step-up-authn-challenge for us? Please see https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/ The due date is March 13 2023. If this is OK, when the IESG approves the document for publication, we'll make the registration at https://www.iana.org/assignments/oauth-parameters/ With thanks, David Dong IANA Services Specialist On Mon Feb 27 22:57:06 2023, david.dong wrote: > First, in the OAuth Extensions Error Registry on the OAuth Parameters > registry page located at: > > https://www.iana.org/assignments/oauth-parameters/ > > a single, registration is to be made as follows: > > Name: insufficient_user_authentication > Usage Location: resource access error response > Protocol Extension: OAuth 2.0 Step-up Authentication Challenge > Protocol > Change Controller: IETF > Reference: [ RFC-to-be; Section 3 ] > > As this document requests registrations in an Expert Review or > Specification Required (see RFC 8126) registry, we will initiate the > required Expert Review via a separate request. This review must be > completed before the document's IANA state can be changed to "IANA > OK." > > Second, in the OAuth Token Introspection Response registry also on the > OAuth Parameters registry page located at: > > https://www.iana.org/assignments/oauth-parameters/ ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
> > Right. It really depends on how advanced deployment of this is; if > there's only modest production use, it may still be reasonable to make > such a change (especially keeping in mind that people who adopt drafts > need to bear the consequences of doing so). > > > > - Neither header has interoperable parsing or serialisation > > specified; divergent error handling may cause interoperability > > problems. Adopting Structured Fields would address this. > > > > Both are composed of a narrow set of printable ASCII with parsing, > > validation, usage, and error handling specified at the application > > layer. I'm not going to claim that it's perfect by any means. But > > those interoperability problems seem conjectural and it's not obvious > > that adopting Structured Fields would add value in the context of > > this draft. > > To be concrete -- what should an implementation do when it receives > two DPoP header fields, both with valid values? When it receives one > with two comma-separated values? > > > > - See RFC9110 s 16.3.2 for things that should be considered when > > defining new HTTP fields. I suspect that the document needs to be > > more explicit about at least some of these items. Adopting Structured > > Fields would address some (but not all) of these questions. > > > > The authors (on-behalf-of and with the help of the WG) have > > endeavored to touch on all the considerations needed to ensure > > interoperability of the protocol overall as well as HTTP related > > (e.g. caching, applicability to request/response, prohibiting > > multiple occurrences, scope of applicability). However, the group > > clearly does not have your depth of HTTP expertise so may well have > > missed something. If that's the case, it would be very helpful for > > specifics to be raised. > > > > - See also <https://httpwg.org/admin/editors/style-guide#header-and- > > trailer-fields> for the preferred editorial style when defining new > > HTTP fields. > > > > - The long line-wrapped example in Section 4.1 would benefit from > > RFC8792 encoding. In HTTP, a line-wrapped field like the one shown > > has whitespace inserted between each line, which is problematic here. > > > > This is a bit of a stylistic preference thing. That example and > > others in the draft are intentionally similar (with a note about line > > breaks and extra space being for display purposes) to closely related > > and referenced documents like RFC7515, RFC7519, and RFC6749. The > > examples from these RFCs seem to have worked well for > > readers/implementers in practice, and so we'd prefer to keep the > > formatting conventions in this draft the same as in those. > > Consistency between documents that specify HTTP protocol elements is > important, so I'd ask you to reconsider; while the community that has > been developing and implementing the specification may already be > familiar with it, aligning with other documents makes it easier for a > broader audience. See, for example, the Signatures specification: > https://httpwg.org/http-extensions/draft-ietf-httpbis-message- > signatures.html#name-request-response-signature- > > Cheers, > > > > > > Cheers, > > > > > > > > > >> On 19 Jan 2023, at 5:30 am, David Dong via RT >> comm...@iana.org> wrote: > >> > >> Dear Mark Nottingham and Roy Fielding (cc: oauth WG), > >> > >> As the designated experts for the http-fields registry, can you > >> review the proposed registration in draft-ietf-oauth-dpop for us? > >> Please see: > >> > >> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ > >> > >> The due date is February 1st, 2023. > >> > >> If this is OK, when the IESG approves the document for publication, > >> we'll make the registration at > >> > >> https://www.iana.org/assignments/http-fields/http-fields.xhtml > >> > >> We'll wait for both reviewers to respond unless you tell us > >> otherwise. > >> > >> With thanks, > >> > >> David Dong > >> IANA Services Specialist > > > > -- > > Mark Nottingham https://www.mnot.net/ > > > > ___ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and > > privileged material for the sole use of the intended recipient(s). > > Any review, use, distribution or disclosure by others is strictly > > prohibited. If you have received this communication in error, please > > notify the sender immediately by e-mail and delete the message and > > any file attachments from your computer. Thank you. > > > -- > Mark Nottingham https://www.mnot.net/ > > ___ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
Dear Mark Nottingham and Roy Fielding (cc: oauth WG), As the designated experts for the http-fields registry, can you review the proposed registration in draft-ietf-oauth-dpop for us? Please see: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ The due date is February 1st, 2023. If this is OK, when the IESG approves the document for publication, we'll make the registration at https://www.iana.org/assignments/http-fields/http-fields.xhtml We'll wait for both reviewers to respond unless you tell us otherwise. With thanks, David Dong IANA Services Specialist ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
