[Openid-specs-fapi] [External Sender] Issue #496: clock sync and FAPI2 baseline (openid/fapi)

George Fletcher george.fletcher at capitalone.com
Thu May 5 12:33:55 UTC 2022


Do we need to relax the spec? Or maybe add some non-normative guidance on
how clients and servers can deal with clock skew? There are a couple of
options...

1. Client posts its timestamp to a server endpoint and the server responds
with an offset the client should apply to its time values to avoid clock
sync issues.
2. Server returns a timestamp as part of an initial request and the client
calculates an offset.
3. Others???

Thanks,
George

On Thu, May 5, 2022 at 3:03 AM dgtonge via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> New issue 496: clock sync and FAPI2 baseline
>
> https://bitbucket.org/openid/fapi/issues/496/clock-sync-and-fapi2-baseline
>
> Dave Tonge:
>
> We have agreed to leave the DPoP nonce in the spec, partly because of
> clock sync issues.
>
> However do we need to consider other parts of the spec, for example:
>
> 1. private_key_jwt - `exp` is required and `iat` is optional. A naive
> implementation of a client would probably set the `exp` as the current
> system time + 30 seconds. If the clock was set in the past this would
> cause a failure. If the clock was set in the future and `iat` was in the
> assertion then there would be a failure.
> 2. TLS certificates - there could be failures if an out of sync system
> clock was set past the expiry date of a valid certificate.
>
> I don't think there is much we can do about TLS certificates, but
> private_key_jwt may be an issue.
>
> Looking at https://www.rfc-editor.org/rfc/rfc7523.html
> the relevant clauses are:
>
> ```
> The JWT MUST contain an "exp" (expiration time) claim that
> limits the time window during which the JWT can be used.  The
> authorization server MUST reject any JWT with an expiration time
> that has passed, subject to allowable clock skew between
> systems.  Note that the authorization server may reject JWTs
> with an "exp" claim value that is unreasonably far in the
> future.
> ```
>
> ```
> The JWT MAY contain an "nbf" (not before) claim that identifies
> the time before which the token MUST NOT be accepted for
> processing.
> ```
>
> ```
> The JWT MAY contain an "iat" (issued at) claim that identifies
> the time at which the JWT was issued.  Note that the
> authorization server may reject JWTs with an "iat" claim value
> that is unreasonably far in the past.
> ```
>
> Do we need some clause in FAPI that relaxes those processing rules if
> private_key_jwt is used in conjunction with DPoP and server nonces?
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
>
> https://lists.openid.net/mailman/listinfo/openid-specs-fapi
>
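To make the failure modes in the quoted issue concrete, here is an added example (not code from the thread or from the FAPI working group) of how an authorization server can check the `exp`, `nbf` and `iat` claims of a private_key_jwt assertion with an allowable skew window, as RFC 7523 requires, alongside the client-side offset correction from option 2 above. The skew and "unreasonably far" bounds are assumptions, as is the naive client's 30-second lifetime taken from the issue text.

```python
# Added example: RFC 7523 time-claim validation with clock skew tolerance.
# All limits are assumptions; FAPI does not currently mandate these values.
ALLOWED_SKEW = 60      # seconds of skew the AS tolerates in either direction
MAX_IAT_AGE = 300      # reject "iat" unreasonably far in the past
MAX_EXP_AHEAD = 300    # reject "exp" unreasonably far in the future


def validate_time_claims(claims, now, skew=ALLOWED_SKEW):
    """Return None if the assertion is acceptable at server time `now`
    (epoch seconds), otherwise a short rejection reason.
    `exp` is REQUIRED; `nbf` and `iat` are optional, per RFC 7523 s.3."""
    exp = claims.get("exp")
    if exp is None:
        return "missing exp"
    if exp + skew <= now:                       # expired even after skew allowance
        return "exp has passed"
    if exp > now + MAX_EXP_AHEAD + skew:        # client clock far in the future
        return "exp unreasonably far in the future"
    nbf = claims.get("nbf")
    if nbf is not None and nbf - skew > now:
        return "nbf in the future"
    iat = claims.get("iat")
    if iat is not None:
        if iat - skew > now:                    # issued "after" now: fast client clock
            return "iat in the future"
        if now - iat > MAX_IAT_AGE + skew:      # stale assertion or slow client clock
            return "iat unreasonably far in the past"
    return None


def naive_assertion_claims(local_now, lifetime=30):
    """The naive client from the issue: iat = local clock, exp = iat + 30 s.
    Any error in the local clock is copied straight into the claims."""
    return {"iat": local_now, "exp": local_now + lifetime}


def client_offset(server_time, local_time):
    """Option 2 from the reply: the client records a server timestamp from an
    initial response and computes the offset to add to its own clock."""
    return server_time - local_time


def corrected_assertion_claims(local_now, offset, lifetime=30):
    """Same naive client, but applying the learned offset before minting."""
    return naive_assertion_claims(local_now + offset, lifetime)
```

Running the naive client with its clock 120 s slow produces "exp has passed", 120 s fast produces "iat in the future", and applying the learned offset makes the same client acceptable again.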



