[OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Rifaat Shekh-Yusef
All, This is a call for adoption for the following AS Issuer Identifier in Authorization Response as a WG document: https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/ Please, provide your feedback on the mailing list by Dec 22nd. Regards, Rifaat & Hannes

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Neil Madden
I support adoption of this draft. > On 8 Dec 2020, at 12:50, Rifaat Shekh-Yusef wrote: > > All, > > This is a call for adoption for the following AS Issuer Identifier in > Authorization Response as a WG document: > https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/ >

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Torsten Lodderstedt
I support the WG adoption of this draft. > On 08.12.2020 at 13:50, Rifaat Shekh-Yusef wrote: > > All, > > This is a call for adoption for the following AS Issuer Identifier in > Authorization Response as a WG document: > https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Daniel Fett
Obviously, +1. On 08.12.20 at 13:50, Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption for the following AS Issuer Identifier in > Authorization Response as a WG document: > https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/ > > Please, provide your feedba

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Takahiko Kawasaki
+1. I've implemented the specification. I think that the current draft is already good enough for implementers. Thank you, authors. Taka On Tue, Dec 8, 2020 at 9:50 PM Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption for the following AS Issuer Identifier in > Authorization Resp

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Karsten Meyer zu Selhausen
+1 On 08.12.2020 13:50, Rifaat Shekh-Yusef wrote: All, This is a call for adoption for the following AS Issuer Identifier in Authorization Response as a WG document: https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Brian Campbell
support adoption On Tue, Dec 8, 2020 at 5:51 AM Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption for the following AS Issuer Identifier in > Authorization Response as a WG document: > > https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/ > > Please, provi

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Dave Tonge
I support adoption On Tue, 8 Dec 2020 at 13:51, Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption for the following AS Issuer Identifier in > Authorization Response as a WG document: > > https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/ > > Please, provi

Re: [OAUTH-WG] [EXT] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Michael A Peck
I support working group adoption of this draft. From: OAuth on behalf of Rifaat Shekh-Yusef Date: Tuesday, December 8, 2020 at 7:52 AM To: "oauth@ietf.org" Subject: [EXT] [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response All, This is a call for adoption for the f

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Vladimir Dzhuvinov
Support with both hands! Vladimir On 08/12/2020 14:50, Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption for the following AS Issuer Identifier in > Authorization Response as a WG document: > https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/ > > Please, p

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Dick Hardt
+1 On Tue, Dec 8, 2020 at 4:51 AM Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption for the following AS Issuer Identifier in > Authorization Response as a WG document: > > https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/ > > Please, provide your feed

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Warren Parad
As an implementer on both sides of the issue I'm struggling to understand how this problem would occur. I'm finding issues with the proposed problems: 1. Honest AS is compromised, assuming this does happen details on why adding iss to the AS response would prevent attacks is necessary for me

Re: [OAUTH-WG] Proposed changes to draft-ietf-oauth-dpop-02

2020-12-08 Thread Brian Campbell
attempts at replies are inline On Wed, Dec 2, 2020 at 8:42 AM Denis wrote: > I have reviewed the whole draft and you will find comments below starting > with five editorials comments. Every other comment is numbered. > Let us start with five typos where there is a duplication of the word > "the"

Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature

2020-12-08 Thread Brian Campbell
Daniel recently added some text to the working copy of the draft with https://github.com/danielfett/draft-dpop/commit/f4b42058 that I think aims to better convey the "nutshell: XSS = Game over" sentiment and maybe dissuade folks from looking to DPoP as a cure-all for browser based applications. Adm

[OAUTH-WG] Detailed review of OAuth2.1

2020-12-08 Thread vittorio . bertocci=40auth0 . com
Dear authors, It took ages but I finally managed to go thru a full review of the current OAuth2.1 draft. Apologies for the delay. Metacomments: * The VAST majority of the comments are suggestions for improving clarity, mostly on historical language coming from 2.0 that I found myself ha

Re: [OAUTH-WG] Detailed review of OAuth2.1

2020-12-08 Thread Dick Hardt
Thank you very much for your detailed feedback Vittorio! On Tue, Dec 8, 2020 at 3:22 PM wrote: > Dear authors, > > It took ages but I finally managed to go thru a full review of the current > OAuth2.1 draft. Apologies for the delay. > > Metacomments: > >- The VAST majority of the comments

Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature

2020-12-08 Thread Philippe De Ryck
Yeah, browser-based apps are pure fun, aren’t they? :) The reason I covered a couple of (pessimistic) XSS scenarios is that the discussion started with an assumption that the attacker already successfully exploited an XSS vulnerability. I pointed out how, at that point, finetuning DPoP proof co

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Daniel Fett
Hi Warren, On 08.12.20 at 20:15, Warren Parad wrote: > As an implementer on both sides of the issue I'm struggling to > understand how this problem would occur. I'm finding issues with the > proposed problems: > > 1. Honest AS is compromised, assuming this does happen details on why > adding