Re: [OAUTH-WG] [Technical Errata Reported] RFC7636 (6179)

Hi Dmitry, Thanks for clarifying the motivation. I think it's shifted my stance a bit, to lean more towards classifying as "editorial" (in that the protocol in the RFC itself is not affected) with status of "Hold for document update". -Ben On Tue, Jun 02, 2020 at 12:32:48AM +, Dmitry Khlebni

Re: [OAUTH-WG] Downgrade attacks on PKCE

Definatly 2. To my mind if you get a challange and dont get a verifyer that must fail.  I guess the querstion is if there is a veriyer with no challange what to do.  We diden't specify that.   I would reject that as a config error or indication of a MIM in the front channel. I think that is the

Re: [OAUTH-WG] Downgrade attacks on PKCE

Like Filip and Neil and I believe Ryan, I prefer the dynamic option 2. It keeps existing clients working when possible, which should be a goal of OAuth 2.1. Thanks, -- Mike From: Dick

Re: [OAUTH-WG] Downgrade attacks on PKCE

Mike: what are your thoughts on the options? ᐧ On Sat, May 30, 2020 at 4:39 AM Neil Madden wrote: > We (ForgeRock) already support solution 1 as a configuration option, but I > prefer solution 2 and have raised a ticket for us to implement it. For us > at least it’s a trivial fix and seems more

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

Hi all, My apologies, if this was already discussed. In section *4*. Validating JWT Access Tokens it is stated; The resource server MUST handle errors as described in section 3.1 of [RFC6750]

Re: [OAUTH-WG] [Errata Verified] RFC7800 (6187)

> -Original Message- > From: iesg On Behalf Of Barry Leiba > Sent: 01 June 2020 14:24 > To: Rob Wilton (rwilton) > Cc: RFC Errata System ; m...@microsoft.com; > Benjamin Kaduk ; ve7...@ve7jtb.com; > hannes.tschofe...@gmx.net; oauth@ietf.org; Pete Resnick > ; i...@ietf.org > Subject: Re

Re: [OAUTH-WG] [Errata Verified] RFC7800 (6187)

Okay, so the distinction is already there. As the errata rules are written then I would have done the same as Pete suggested and marked this as HFDU under point (2) of https://www.ietf.org/about/groups/iesg/statements/processing-rfc-errata/. However, I also take Ben's point that it would be use

Re: [OAUTH-WG] [Errata Verified] RFC7800 (6187)

Further on this: In the "editorial" realm, there are two classes of "correct" errata reports: 1. Trivial and obvious typos, such as spelling "and" as "adn". 2. Others, such as a number with transposed digits, which could, indeed, be confusing. The guideline that we're discussing is meant to sep

Re: [OAUTH-WG] [Errata Verified] RFC7800 (6187)

That's what the "technical" vs "editorial" distinction is supposed to be for. Barry On Mon, Jun 1, 2020 at 8:27 AM Rob Wilton (rwilton) wrote: > > > > > -Original Message- > > From: iesg On Behalf Of Benjamin Kaduk > > Sent: 31 May 2020 05:09 > > To: Pete Resnick > > Cc: m...@microsoft

Re: [OAUTH-WG] [Errata Verified] RFC7800 (6187)

> -Original Message- > From: iesg On Behalf Of Benjamin Kaduk > Sent: 31 May 2020 05:09 > To: Pete Resnick > Cc: m...@microsoft.com; i...@ietf.org; ve7...@ve7jtb.com; > hannes.tschofe...@gmx.net; oauth@ietf.org; RFC Errata System edi...@rfc-editor.org> > Subject: Re: [Errata Verified]