OAuth 2.0 Authorization Server Issuer Identification
draft-ietf-oauth-iss-auth-resp-05
Document history
Date | Rev. | By | Action |
---|---|---|---|
2024-01-26
|
05 | Gunter Van de Velde | Request closed, assignment withdrawn: Joel Jaeggli Last Call OPSDIR review |
2024-01-26
|
05 | Gunter Van de Velde | Closed request for Last Call review by OPSDIR with state 'Overtaken by Events': Cleaning up stale OPSDIR queue |
2022-03-18
|
05 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2022-02-24
|
05 | (System) | RFC Editor state changed to AUTH48 |
2022-01-27
|
05 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2022-01-27
|
05 | (System) | RFC Editor state changed to RFC-EDITOR from IANA |
2022-01-26
|
05 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2022-01-26
|
05 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2022-01-26
|
05 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2022-01-26
|
05 | Amanda Baber | IANA Action state changed to In Progress from On Hold |
2022-01-26
|
05 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
2022-01-26
|
05 | Amanda Baber | IANA Experts State changed to Expert Reviews OK from Reviews assigned |
2022-01-26
|
05 | Amanda Baber | Both expert approvals received. |
2022-01-26
|
05 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2022-01-21
|
05 | (System) | RFC Editor state changed to IANA from EDIT |
2022-01-12
|
05 | (System) | RFC Editor state changed to EDIT from MISSREF |
2022-01-11
|
05 | Daniel Fett | New version available: draft-ietf-oauth-iss-auth-resp-05.txt |
2022-01-11
|
05 | (System) | New version approved |
2022-01-11
|
05 | (System) | Request for posting confirmation emailed to previous authors: Daniel Fett , Karsten zu Selhausen |
2022-01-11
|
05 | Daniel Fett | Uploaded new revision |
2022-01-07
|
04 | (System) | IANA Action state changed to On Hold from Waiting on Authors |
2022-01-06
|
04 | (System) | IANA Action state changed to Waiting on Authors from On Hold |
2022-01-06
|
04 | Amanda Baber | OAuth Authorization Server Metadata registration has been approved. Still waiting for OAuth Parameter approval. |
2022-01-06
|
04 | (System) | IANA Action state changed to On Hold from In Progress |
2022-01-05
|
04 | (System) | RFC Editor state changed to MISSREF |
2022-01-05
|
04 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2022-01-05
|
04 | (System) | Announcement was received by RFC Editor |
2022-01-05
|
04 | (System) | IANA Action state changed to In Progress |
2022-01-05
|
04 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2022-01-05
|
04 | Amy Vezza | IESG has approved the document |
2022-01-05
|
04 | Amy Vezza | Closed "Approve" ballot |
2022-01-05
|
04 | Amy Vezza | Ballot approval text was generated |
2022-01-05
|
04 | Roman Danyliw | IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup |
2021-12-02
|
04 | Jean Mahoney | Closed request for Last Call review by GENART with state 'Overtaken by Events' |
2021-12-02
|
04 | Jean Mahoney | Assignment of request for Last Call review by GENART to Jouni Korhonen was marked no-response |
2021-12-02
|
04 | (System) | Removed all action holders (IESG state changed) |
2021-12-02
|
04 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::AD Followup from IESG Evaluation |
2021-12-02
|
04 | Sabrina Tanamal | IANA Review state changed to IANA - Not OK from Version Changed - Review Needed |
2021-12-02
|
04 | Zaheduzzaman Sarker | [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker |
2021-12-02
|
04 | Francesca Palombini | [Ballot comment] Thank you for the work on this document, and for addressing my DISCUSS. Many thanks to Julian Reschke for the ART ART review: … [Ballot comment] Thank you for the work on this document, and for addressing my DISCUSS. Many thanks to Julian Reschke for the ART ART review: https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0/. Francesca |
2021-12-02
|
04 | Francesca Palombini | [Ballot Position Update] Position for Francesca Palombini has been changed to No Objection from Discuss |
2021-12-02
|
04 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA - Not OK |
2021-12-02
|
04 | Daniel Fett | New version available: draft-ietf-oauth-iss-auth-resp-04.txt |
2021-12-02
|
04 | (System) | New version approved |
2021-12-02
|
04 | (System) | Request for posting confirmation emailed to previous authors: Daniel Fett , Karsten zu Selhausen |
2021-12-02
|
04 | Daniel Fett | Uploaded new revision |
2021-12-01
|
03 | Murray Kucherawy | [Ballot comment] I support Francesca's DISCUSS. I also concur with Eric's observations about the shepherd writeup. Those important details are missing. Please quote "iss" wherever … [Ballot comment] I support Francesca's DISCUSS. I also concur with Eric's observations about the shepherd writeup. Those important details are missing. Please quote "iss" wherever you use it. Every time I ran into it, my first thought was that it's a typo and I had to re-parse it a couple of times. |
2021-12-01
|
03 | Murray Kucherawy | [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy |
2021-12-01
|
03 | Amanda Baber | IANA Review state changed to IANA - Not OK from Version Changed - Review Needed |
2021-12-01
|
04 | (System) | IANA Review state changed to IANA - Not OK from Version Changed - Review Needed |
2021-12-01
|
03 | John Scudder | [Ballot Position Update] New position, No Objection, has been recorded for John Scudder |
2021-12-01
|
03 | Francesca Palombini | [Ballot discuss] Thank you for the work on this document. Many thanks to Julian Reschke for the ART ART review: https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0/. I have one … [Ballot discuss] Thank you for the work on this document. Many thanks to Julian Reschke for the ART ART review: https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0/. I have one DISCUSS point that has to do with IANA considerations, and is hopefully easy to resolve. As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a DISCUSS ballot is a request to have a discussion; I really think that the document would be improved with a change here, but can be convinced otherwise. Francesca 1. ----- FP: I am sure the Designated Expert will bring this up, but "iss" is already defined as a OAuth Parameter, for authorization requests. I don't think it's a good idea to use the same parameter name, although in a different message of the exchange, for something different, as the registration defined in Section 5.2 seems to imply. I strongly recommend to change the name in this document. Or, if we can agree that the meaning is similar enough to the original "iss", merge the two IANA registrations (this would not be my preferred choice). |
2021-12-01
|
03 | Francesca Palombini | Ballot discuss text updated for Francesca Palombini |
2021-12-01
|
03 | Warren Kumari | [Ballot comment] Thank you for this document, and also writing it in a manner that even someone unfamiliar with OAuth can understand :-) -- I … [Ballot comment] Thank you for this document, and also writing it in a manner that even someone unfamiliar with OAuth can understand :-) -- I use it, but the internals are very much a black box to me... |
2021-12-01
|
03 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2021-12-01
|
03 | Martin Vigoureux | [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux |
2021-11-30
|
03 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
2021-11-30
|
03 | Benjamin Kaduk | [Ballot comment] Is the authorization endpoint the only one that would benefit from the added "iss" protection? Should we say anything about the utility of … [Ballot comment] Is the authorization endpoint the only one that would benefit from the added "iss" protection? Should we say anything about the utility of the "iss" parameter in other responses? Section 2 If the authorization server provides metadata as defined in [RFC8414], the value of the parameter iss MUST be identical to the authorization server metadata value issuer. Does it ever make sense to implement this document but not provide metadata as in RFC 8414? Should this document give any guidance (e.g., SHOULD or MUST) about also implementing RFC 8414 if this document is implemented? Section 2.1 Thank you for using a nice random code with 256 bits of entropy in the example :) Section 2.2 Should we use a different 'state' value for the example successful response and example error response? Section 2.3 * The issuer identifier included in the server's metadata value issuer MUST be identical to the iss parameter's value. I think we attempted to impose this requirement using the BCP 14 MUST keyword up in toplevel section 2 as well. Generally my advice is to only use the normative keywords in one place for any given requirement, to avoid any risk of conflicting guidance that could lead to different implementation behaviors. (In this case, putting the MUST here seems to make more sense, since it's an explicit listing of "the following rules apply".) NITS Section 2.4 If clients interact with both authorization servers supporting this specification and authorization servers not supporting this specification, clients MUST store the information which authorization server supports the iss parameter. 
Clients MUST reject authorization I think there's a missing word here, for "the information about" or even a broader rewording to "MUST retain state about whether each authorization server supports the iss parameter". support in their metadata. Local policy or configuration can determine whether to accept such responses and specific guidance is out of scope for this specification. I'd suggest s/whether/when/, since we already do give default guidance ("SHOULD discard") earlier. |
2021-11-30
|
03 | Benjamin Kaduk | [Ballot Position Update] New position, Yes, has been recorded for Benjamin Kaduk |
2021-11-30
|
03 | Robert Wilton | [Ballot comment] Hi, Thanks for this document, just one comment on a couple of sentences in the security section that I found unclear in this … [Ballot comment] Hi, Thanks for this document, just one comment on a couple of sentences in the security section that I found unclear in this paragraph: There are also alternative countermeasures to mix-up attacks. When an authorization response already includes an authorization server's issuer identifier by other means, and this identifier is checked as laid out in Section 2.4, the use and verification of the iss parameter is not necessary and MAY be omitted. This is the case when OpenID Connect response types that return an ID token from the authorization endpoint (e.g., response_type=code id_token) or JARM response mode are used, for example. However, if a client receives an authorization response that contains multiple issuer identifiers, the client MUST reject the response if these issuer identifiers do not match. The details of alternative countermeasures are outside of the scope of this specification. I'm probably missing something but this seems to suggest both: - the use and verification of the iss parameter is not necessary and MAY be omitted. - if a client receives an authorization response that contains multiple issuer identifiers, the client MUST reject the response if these issuer identifiers do not match. These seems to conflict to me, but perhaps I'm misunderstanding their intent? Regards, Rob |
2021-11-30
|
03 | Robert Wilton | [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton |
2021-11-29
|
03 | Francesca Palombini | [Ballot discuss] Thank you for the work on this document. Many thanks to Julian Reschke for the ART ART review: https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0/. I have one … [Ballot discuss] Thank you for the work on this document. Many thanks to Julian Reschke for the ART ART review: https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0/. I have one DISCUSS point that has to do with IANA considerations, and is hopefully easy to resolve. Francesca 1. ----- FP: I am sure the Designated Expert will bring this up, but "iss" is already defined as a OAuth Parameter, for authorization requests. I don't think it's a good idea to use the same parameter name, although in a different message of the exchange, for something different, as the registration defined in Section 5.2 seems to imply. I strongly recommend to change the name in this document. Or, if we can agree that the meaning is similar enough to the original "iss", merge the two IANA registrations (this would not be my preferred choice). |
2021-11-29
|
03 | Francesca Palombini | [Ballot Position Update] New position, Discuss, has been recorded for Francesca Palombini |
2021-11-29
|
03 | Lars Eggert | [Ballot comment] All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as … [Ballot comment] All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. Section 2.3. , paragraph 2, nit: > s by any other mechanism which is outside of the scope of this specification. > ^^^^^^^^^^ This phrase is redundant. Consider using "outside". Section 4. , paragraph 4, nit: > f alternative countermeasures are outside of the scope of this specification. > ^^^^^^^^^^ This phrase is redundant. Consider using "outside". These URLs in the document can probably be converted to HTTPS: * http://arxiv.org/abs/1508.04324 * http://www.iana.org/assignments/oauth-parameters * http://openid.net/specs/openid-connect-core-1_0.html |
2021-11-29
|
03 | Lars Eggert | [Ballot Position Update] New position, No Objection, has been recorded for Lars Eggert |
2021-11-29
|
03 | Éric Vyncke | [Ballot comment] Thank you for the work put into this document. Special thanks to Rifaat Shekh-Yusef for the shepherd's write-up, but alas it does not … [Ballot comment] Thank you for the work put into this document. Special thanks to Rifaat Shekh-Yusef for the shepherd's write-up, but alas it does not include ANY comments about the WG consensus and this it the most important point in the write-up. I am trusting the responsible AD and the WG chairs about the consensus. I have no special comments to add: it looks Regards, -éric |
2021-11-29
|
03 | Éric Vyncke | [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke |
2021-11-18
|
03 | Martin Duke | [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke |
2021-11-18
|
03 | Cindy Morgan | Placed on agenda for telechat - 2021-12-02 |
2021-11-18
|
03 | Roman Danyliw | Ballot has been issued |
2021-11-18
|
03 | Roman Danyliw | [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw |
2021-11-18
|
03 | Roman Danyliw | Created "Approve" ballot |
2021-11-18
|
03 | Roman Danyliw | IESG state changed to IESG Evaluation from Waiting for Writeup::AD Followup |
2021-11-18
|
03 | Roman Danyliw | Ballot writeup was changed |
2021-11-18
|
03 | (System) | Changed action holders to Roman Danyliw (IESG state changed) |
2021-11-18
|
03 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2021-11-18
|
03 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA - Not OK |
2021-11-18
|
03 | Karsten zu Selhausen | New version available: draft-ietf-oauth-iss-auth-resp-03.txt |
2021-11-18
|
03 | (System) | New version approved |
2021-11-18
|
03 | (System) | Request for posting confirmation emailed to previous authors: Daniel Fett , Karsten zu Selhausen |
2021-11-18
|
03 | Karsten zu Selhausen | Uploaded new revision |
2021-11-17
|
02 | Roman Danyliw | Please publish an update to address the ARTDIR and SECDIR reviews (as already discussed in the associated threads) |
2021-11-17
|
02 | (System) | Changed action holders to Roman Danyliw, Daniel Fett, Karsten zu Selhausen (IESG state changed) |
2021-11-17
|
02 | Roman Danyliw | IESG state changed to Waiting for Writeup::Revised I-D Needed from Waiting for Writeup |
2021-11-17
|
02 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2021-11-16
|
02 | Michelle Cotton | IANA Experts State changed to Reviews assigned |
2021-11-16
|
02 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2021-11-16
|
02 | Michelle Cotton | (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-oauth-iss-auth-resp-02.txt. If any part of this review is inaccurate, please let … (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-oauth-iss-auth-resp-02.txt. If any part of this review is inaccurate, please let us know. The IANA Functions Operator understands that, upon approval of this document, there are two actions which we must complete. First, in the OAuth Authorization Server Metadata registry on the OAuth Parameters registry page located at: https://www.iana.org/assignments/oauth-parameters/ a single, new registration is to be made as follows: Metadata Name: authorization_response_iss_parameter_supported Metadata Description: Boolean value indicating whether the authorization server provides the iss parameter in the authorization response. Change Controller: IESG Reference: [ RFC-to-be; Section 3 ] As this section requests registrations in a Specification Required (see RFC 8126) registry, the IESG-designated experts for the OAuth Authorization Server Metadata registry have asked that a review request be sent to the mailing list described in [RFC8414]. If this request had not yet been submitted, we will initiate it. This review must be completed before the document's IANA state can be changed to "IANA OK." 
Second, in the OAuth Parameters registry also on the OAuth Parameters registry page located at: https://www.iana.org/assignments/oauth-parameters/ a single, new registration is to be made as follows: Name: iss Parameter Usage Location: authorization response Change Controller: IESG Reference: [ RFC-to-be; Section 2 ] As this section requests registrations in a Specification Required (see RFC 8126) registry, the IESG-designated experts for the OAuth Authorization Server Metadata registry have asked that a review request be sent to the mailing list described in [RFC6749]. If this request had not yet been submitted, we will initiate it. This review must be completed before the document's IANA state can be changed to "IANA OK." The IANA Functions Operator understands that these are the only actions required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. Thank you, Michelle Cotton IANA Services |
2021-11-06
|
02 | Yoav Nir | Request for Last Call review by SECDIR Completed: Ready. Reviewer: Yoav Nir. Sent review to list. |
2021-11-03
|
02 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Joel Jaeggli |
2021-11-03
|
02 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Joel Jaeggli |
2021-11-01
|
02 | Julian Reschke | Request for Last Call review by ARTART Partially Completed: Almost Ready. Reviewer: Julian Reschke. Sent review to list. |
2021-10-29
|
02 | Jean Mahoney | Request for Last Call review by GENART is assigned to Jouni Korhonen |
2021-10-29
|
02 | Jean Mahoney | Request for Last Call review by GENART is assigned to Jouni Korhonen |
2021-10-28
|
02 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Yoav Nir |
2021-10-28
|
02 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Yoav Nir |
2021-10-28
|
02 | Barry Leiba | Request for Last Call review by ARTART is assigned to Julian Reschke |
2021-10-28
|
02 | Barry Leiba | Request for Last Call review by ARTART is assigned to Julian Reschke |
2021-10-27
|
02 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2021-10-27
|
02 | Cindy Morgan | The following Last Call announcement was sent out (ends 2021-11-17): From: The IESG To: IETF-Announce CC: draft-ietf-oauth-iss-auth-resp@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rifaat.s.ietf@gmail.com … The following Last Call announcement was sent out (ends 2021-11-17): From: The IESG To: IETF-Announce CC: draft-ietf-oauth-iss-auth-resp@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rifaat.s.ietf@gmail.com Reply-To: last-call@ietf.org Sender: Subject: Last Call: (OAuth 2.0 Authorization Server Issuer Identification) to Proposed Standard The IESG has received a request from the Web Authorization Protocol WG (oauth) to consider the following document: - 'OAuth 2.0 Authorization Server Issuer Identification' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2021-11-17. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document specifies a new parameter iss that is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth authorization flow. The iss parameter serves as an effective countermeasure to "mix-up attacks". The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/ No IPR declarations have been submitted directly on this I-D. |
2021-10-27
|
02 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2021-10-27
|
02 | Cindy Morgan | Last call announcement was changed |
2021-10-27
|
02 | Roman Danyliw | Last call was requested |
2021-10-27
|
02 | Roman Danyliw | Last call announcement was generated |
2021-10-27
|
02 | Roman Danyliw | Ballot approval text was generated |
2021-10-27
|
02 | Roman Danyliw | Ballot writeup was generated |
2021-10-27
|
02 | (System) | Changed action holders to Roman Danyliw (IESG state changed) |
2021-10-27
|
02 | Roman Danyliw | IESG state changed to Last Call Requested from Publication Requested |
2021-10-27
|
02 | Roman Danyliw | AD Review: https://mailarchive.ietf.org/arch/msg/oauth/HlzumKBfuimwEbt6FtVuYXTdTKI/ |
2021-10-13
|
02 | Rifaat Shekh-Yusef | (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? … (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? The request is for a Proposed Standard type for the draft-ietf-oauth-iss-auth-resp document since the document defines a new parameter that is used as a countermeasure to mix-up attacks. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: This document specifies a new parameter "iss" that is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth authorization flow. The "iss" parameter serves as an effective countermeasure to "mix-up attacks". Working Group Summary: This work is useful to address a specific attack when an OAuth Client interacts with multiple authorization servers. Document Quality: A number of people reviewed the document over several rounds of reviews and provided feedback during meetings and on the mailing list, with no blocking comments. Implementations: Duende Software https://duendesoftware.com/products/identityserver Authlete https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response Authress https://authress.io/ Personnel: The document shepherd is Rifaat Shekh-Yusef. The responsible Area Director is Roman Danyliw. (3) Briefly describe the review of this document that was performed by the Document Shepherd. 
If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd has reviewed this document and the authors addressed all my concerns. I feel the document is ready. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The document shepherd has no concerns with the level of reviews, as the document was discussed and reviewed by many participants. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Security review is always appreciated. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no such concerns. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? Karsten https://mailarchive.ietf.org/arch/msg/oauth/kqnONSCJNfvnL80VD_hatGSOKe0/ Daniel https://mailarchive.ietf.org/arch/msg/oauth/y_JcCq9sGRlKX3yPame_-25WAR0/ (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No such IPR disclosures. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? 
There was a solid WG consensus that included feedback and support from multiple parties. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No such threat or discontent. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. None (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. No such reviews are necessary. (13) Have all references within this document been identified as either normative or informative? Yes (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. 
Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). The document registers new values with existing registries. The document does not introduce any new registry. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. None is needed. |
2021-10-13
|
02 | Rifaat Shekh-Yusef | Responsible AD changed to Roman Danyliw |
2021-10-13
|
02 | Rifaat Shekh-Yusef | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2021-10-13
|
02 | Rifaat Shekh-Yusef | IESG state changed to Publication Requested from I-D Exists |
2021-10-13
|
02 | Rifaat Shekh-Yusef | IESG process started in state Publication Requested |
2021-10-13
|
02 | Rifaat Shekh-Yusef | Changed consensus to Yes from Unknown |
2021-10-13
|
02 | Rifaat Shekh-Yusef | Intended Status changed to Proposed Standard from None |
2021-10-11
|
02 | Rifaat Shekh-Yusef | IETF WG state changed to WG Consensus: Waiting for Write-Up from WG Document |
2021-10-08 | 02 | Rifaat Shekh-Yusef | (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? The request is for a Proposed Standard type for the draft-ietf-oauth-iss-auth-resp document since the document defines a new parameter that is used as a countermeasure to mix-up attacks.
(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: This document specifies a new parameter "iss" that is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth authorization flow. The "iss" parameter serves as an effective countermeasure to "mix-up attacks". Working Group Summary: This work is useful to address a specific attack when an OAuth Client interacts with multiple authorization servers. Document Quality: A number of people reviewed the document over several rounds of reviews and provided feedback during meetings and on the mailing list, with no blocking comments. Implementations: Duende Software https://duendesoftware.com/products/identityserver ; Authlete https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response ; Authress https://authress.io/ Personnel: The document shepherd is Rifaat Shekh-Yusef. The responsible Area Director is Roman Danyliw.
(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd has reviewed this document and the authors addressed all my concerns. I feel the document is ready.
(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The document shepherd has no concerns with the level of reviews, as the document was discussed and reviewed by many participants.
(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Security review is always appreciated.
(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no such concerns.
(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed? If not, explain why. Karsten: https://mailarchive.ietf.org/arch/msg/oauth/kqnONSCJNfvnL80VD_hatGSOKe0/ Daniel: https://mailarchive.ietf.org/arch/msg/oauth/y_JcCq9sGRlKX3yPame_-25WAR0/
(8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No such IPR disclosures.
(9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There was a solid WG consensus that included feedback and support from multiple parties.
(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No such threat or discontent.
(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. None.
(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. No such reviews are necessary.
(13) Have all references within this document been identified as either normative or informative? Yes.
(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No.
(15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No.
(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No.
(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocation procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). The document registers new values with existing registries. The document does not introduce any new registry.
(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None.
(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. None is needed. |
2021-10-06 | 02 | Karsten zu Selhausen | New version available: draft-ietf-oauth-iss-auth-resp-02.txt |
2021-10-06 | 02 | (System) | New version approved |
2021-10-06 | 02 | (System) | Request for posting confirmation emailed to previous authors: Daniel Fett, Karsten zu Selhausen |
2021-10-06 | 02 | Karsten zu Selhausen | Uploaded new revision |
2021-06-08 | 01 | Karsten zu Selhausen | New version available: draft-ietf-oauth-iss-auth-resp-01.txt |
2021-06-08 | 01 | (System) | New version approved |
2021-06-08 | 01 | (System) | Request for posting confirmation emailed to previous authors: Daniel Fett, Karsten zu Selhausen |
2021-06-08 | 01 | Karsten zu Selhausen | Uploaded new revision |
2021-06-04 | 00 | Rifaat Shekh-Yusef | Notification list changed to rifaat.s.ietf@gmail.com because the document shepherd was set |
2021-06-04 | 00 | Rifaat Shekh-Yusef | Document shepherd changed to Rifaat Shekh-Yusef |
2021-01-06 | 00 | Rifaat Shekh-Yusef | This document now replaces draft-meyerzuselhausen-oauth-iss-auth-resp instead of None |
2021-01-06 | 00 | Karsten zu Selhausen | New version available: draft-ietf-oauth-iss-auth-resp-00.txt |
2021-01-06 | 00 | (System) | WG -00 approved |
2021-01-06 | 00 | Karsten zu Selhausen | Set submitter to "Karsten Meyer zu Selhausen", replaces to draft-meyerzuselhausen-oauth-iss-auth-resp and sent approval email to group chairs: oauth-chairs@ietf.org |
2021-01-06 | 00 | Karsten zu Selhausen | Uploaded new revision |