<div dir="ltr">Thanks so much!<div><br></div><div>Yes, we should be able to go over them tomorrow. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">2022年7月6日(水) 0:43 Brian Campbell <<a href="mailto:bcampbell@pingidentity.com">bcampbell@pingidentity.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I've tried to reiterate some of the comments in the tickets where appropriate. It's a bit chaotic to try and follow it all, to be honest. I'm hopeful we can go through the new issues on the call tomorrow and sort things out. <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 5, 2022 at 4:48 AM Nat Sakimura <nat@nat.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks, Brian for the comment. I will eventually record them to the issue tickets I have created. <div>(Or, you could add them yourself, :-)</div><div><br></div><div>Regarding </div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="auto"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* The verification process by the client does not use normative language. <br>The <a href="https://openid.bitbucket.io/fapi/openid-fapi-jarm.html#name-processing-rules" target="_blank">processing rules for the client</a> does indeed have normative language, so I honestly do not understand this comment.</blockquote></div></div></blockquote><div>I did not write clearly enough from my mobile, but it is somewhat better explained in issue #511. </div><div><br></div><div>The current sentence structure is such that</div><div><br></div><div>The client is obliged to process the JWT secured response as follows: (<< non-normative language)</div><div>#. ==Some check description using non normative language==. If the check fails, ==action in Normative language==. <br></div></div><div><br></div><div>Thus, the relevant normative sections are all conditional. What I meant was that each "check" has to be normatively required. </div><div><br></div><div>This can be achieved by replacing "is obliged to" in the second paragraph of 2.4 with a "MUST". </div><div><br></div><div>Best, </div><div><br></div><div>Nat</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">2022年7月4日(月) 7:56 Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div dir="ltr"><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jul 2, 2022 at 1:54 AM Nat Sakimura via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Gee. Was that May? <div dir="auto"><br></div><div dir="auto">So, there are a few points that need to be fixed or at least I would like to discuss and verify. <div dir="auto"><br></div><div dir="auto">* JARM appears to only define behavior for response type code and token, but the treatment of ID Token comes up later saying it needs to be encrypted. Perhaps the reference can be removed. </div></div></div></blockquote><div><br></div><div>JARM defines behavior for any response type as the last part of <a href="https://openid.bitbucket.io/fapi/openid-fapi-jarm.html#section-1-1" target="_blank">the introduction</a> says, "The JWT authorization response mode can be used in conjunction with any response type" while the <a href="https://openid.bitbucket.io/fapi/openid-fapi-jarm.html#section-2.1-3" target="_blank">middle section of The JWT Response Document </a>reiterates that it "is applicable to all response types including those defined in <span>[<a href="https://openid.bitbucket.io/fapi/openid-fapi-jarm.html#OIDM" target="_blank">OIDM</a>]." That paragraph goes on to say "The following subsections illustrate the pattern with the response types `code` and `token`", which is not limiting to those but just illustrative of a couple response types. <br></span></div><div><span><br></span></div><div><span>This is how Torsten structured the document originally, so it's always been like that, and I believe that the actual text makes it pretty clear that it applies to any response type. But I have heard this misconception from at least one other reader of the draft. So maybe something more or different is needed to prevent the misunderstanding? <br></span></div><div> </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="auto"><div dir="auto"><br></div><div dir="auto">* alg=none does not seem to be prohibited. This nullify the value of JARM so it should introduce a requirement prohibiting it and the client side check as well. </div></div></div></blockquote><div><br></div><div>It is prohibited in the <a href="https://openid.bitbucket.io/fapi/openid-fapi-jarm.html#section-3-3.1.1" target="_blank">authorization_signed_response_alg client metadata</a> but I agree that explicitly prohibiting it in the client side processing rules would be good to add. Probably in the authorization_signing_alg_values_supported AS metadata too. </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="auto"><div dir="auto"><br></div><div dir="auto">* The verification process by the client does not use normative language. </div></div></div></blockquote><div><br></div><div>The <a href="https://openid.bitbucket.io/fapi/openid-fapi-jarm.html#name-processing-rules" target="_blank">processing rules for the client</a> does indeed have normative language, so I honestly do not understand this comment. <br></div><div> </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="auto"><div dir="auto"><br></div><div dir="auto">* Protocol run identifier such as nonce or PKCE should be required. </div><div dir="auto"><div dir="auto"><br></div></div></div></div></blockquote><div><br></div><div>That is beyond the scope of JARM, which is intended to be only a small simple extension spec that allows for signing and encryption of the authorization response. Use of PKCE and/or state are discussed somewhat in the security considerations and maybe could be covered better. But JARM shouldn't be placing requirements on other unrelated protocol elements. That's more appropriate from things like the security BCP, FAPI security profiles, and OAuth 2.1. <br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="auto"><div dir="auto"><div dir="auto"></div><div dir="auto">I will file those issues later when I get back to my computer. </div><div dir="auto"><br></div><div dir="auto">Best,</div><div dir="auto"><br></div><div dir="auto">Nat Sakamura </div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">2022年6月1日(水) 23:53 Dave Tonge via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:"trebuchet ms",sans-serif">Bumping this email as discussed on the call</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 25 May 2022 at 17:15, Dave Tonge <<a href="mailto:dave.tonge@momentumft.co.uk" rel="noreferrer" target="_blank">dave.tonge@momentumft.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:"trebuchet ms",sans-serif">Dear FAPI Working Group</div><div style="font-family:"trebuchet ms",sans-serif"><br></div><div style="font-family:"trebuchet ms",sans-serif">We would like to start the working group last call for <span style="font-family:Arial,Helvetica,sans-serif">JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)</span></div><div style="font-family:"trebuchet ms",sans-serif"><br></div><div style="font-family:"trebuchet ms",sans-serif">The latest draft is available here:</div><div style="font-family:"trebuchet ms",sans-serif"><a href="https://openid.bitbucket.io/fapi/openid-fapi-jarm.html" rel="noreferrer" target="_blank">https://openid.bitbucket.io/fapi/openid-fapi-jarm.html</a><br></div><div style="font-family:"trebuchet ms",sans-serif"><br></div><div style="font-family:"trebuchet ms",sans-serif">Please provide your feedback by the 1st of June so that we can start the public review period.</div><div style="font-family:"trebuchet ms",sans-serif"><br></div><div style="font-family:"trebuchet ms",sans-serif">Thank you</div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:1em;font-weight:bold;line-height:1.4"><div style="color:rgb(97,97,97);font-family:"Open Sans";font-size:14px;font-weight:normal;line-height:21px"><div style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:rgb(220,41,30);font-weight:bold"><div style="font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4"><div style="font-weight:400;color:rgb(51,51,51);line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">Dave Tonge</div><div style="font-size:0.8125em;line-height:1.4"><div style="font-family:"trebuchet ms",sans-serif">FAPI WG Co-Chair</div><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</blockquote></div>
<br>
<p dir="ltr"><font size="1">Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at <a href="https://register.fca.org.uk/" rel="noreferrer" target="_blank">https://register.fca.org.uk/</a>. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772. Registered address: C/O Roxburgh Milkins Limited Merchants House North, Wapping Road, Bristol, United Kingdom, BS1 4RW, United Kingdom. Moneyhub Financial Technology Limited 2022 © Moneyhub Enterprise.</font><br></p><p dir="ltr" style="font-weight:bold"><span style="color:rgb(128,128,128);font-family:Arial;font-weight:400"><font size="1">DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.</font></span></p><br>_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" rel="noreferrer" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div>
</div>
<br>
<i style="margin:0px;padding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:baseline;background:none 0% 0% repeat scroll rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:baseline;background:none 0% 0% repeat scroll transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr">Nat Sakimura<div>NAT.Consulting LLC</div></div></div>
</blockquote></div>
<br>
<i style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Nat Sakimura<div>NAT.Consulting LLC</div></div></div>