<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Aptos;
        panose-1:2 11 0 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Segoe UI";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
        {font-family:"Helvetica Neue";
        panose-1:2 0 5 3 0 0 0 2 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin-top:0in;
        margin-right:0in;
        margin-bottom:8.0pt;
        margin-left:0in;
        line-height:115%;
        font-size:12.0pt;
        font-family:"Aptos",sans-serif;
        mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#467886;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Aptos",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt">Dear iGov contributors,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt">During the last iGov WG call June 25, I volunteered, along with Tom Clancy, to serve as editor for the next iGov Implementers Draft. We also discussed the timeline and requirements for publishing an Implementer’s Draft this Fall
 to meet the needs of iGov stakeholders.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt">As a part of that timeline, I’d like to wrap up the remaining OAuth 2.0 Profile Issues at the July 23 meeting. I realize the IETF meetings are next week, but the iGov meeting will occur before any IETF meetings on Tuesday. Then
 I’d like to wrap up the OpenID Connect profile at the August 20 iGov WG meeting.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt">Tom and I marked the remaining Issues (listed below) for the iGov OAuth 2.0 profile with BLOCKER to track them.
</span><span style="font-size:11.0pt"><a href="https://bitbucket.org/openid/igov/issues?status=new&status=open&status=submitted&is_spam=%21spam&priority=blocker"><span style="color:#0D6EEC">OAuth 2.0 Profile Issues</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-family:"Helvetica Neue""> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/10"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#10</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Change parameters from OIDC (nonce) to OAuth parameters in examples?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/14"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#14</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Require JWTs and Introspection?
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt;font-family:"Helvetica Neue"">        See Section 3.2.1. JWTs are required.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt;font-family:"Helvetica Neue"">        Vague wording around Introspection – is introspection required by RS on every request?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/15"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#15</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Is the RS supposed to use Introspection on every request? (similar to
 Issue #14)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/17"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#17</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Move section on Authorization Response (Section 3.3) before section
 on RS interactions (Section 3.2)?</span><span style="font-family:"Helvetica Neue""><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/18"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#18</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Why does token lifetime depend on client type?
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt;font-family:"Helvetica Neue"">        “For public clients access tokens SHOULD have a valid lifetime no greater than fifteen minutes”<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/27"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#27</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Add best practices documents as references: RFC8725 and RFC9068</span><span style="font-family:"Helvetica Neue""><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/32"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#32</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Require request object signature?
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;text-indent:24.0pt;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt;font-family:"Helvetica Neue"">The issue claims protection against the attack described in the post below (with what Daniel calls the “Stronger Attacker Model”):<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;line-height:normal;text-autospace:none">
<span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:black;background:white"><a href="https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/">https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/</a></span><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#172B4D;background:white"> </span><span style="font-family:"Helvetica Neue""><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/34"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#34</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Add DNSSEC Considerations section?</span><span style="font-family:"Helvetica Neue""><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/35"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#35</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Add Privacy Considerations section?</span><span style="font-family:"Helvetica Neue""><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/38"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#38</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Add “Each RS can only trust tokens from a single Authorization Server”?
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt;font-family:"Helvetica Neue"">        Provides protection from authorization server mix-up attacks.</span><span style="font-family:"Helvetica Neue""><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<a href="https://bitbucket.org/openid/igov/issues/43"><span style="font-size:11.0pt;font-family:"Helvetica Neue"">#43</span></a><span style="font-size:11.0pt;font-family:"Helvetica Neue""> Add “Clients MUST use a unique redirect URI for each logical authorization
 server”? <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:24.0pt;text-indent:-24.0pt;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt;font-family:"Helvetica Neue"">        Provides protection from authorization server mix-up attacks.</span><span style="font-family:"Helvetica Neue""><o:p></o:p></span></p>
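<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt">Added example (not from this email or the iGov profile text): how the two mix-up mitigations in #38 and #43 look when implemented on the RS and client side, with RFC 9068 style JWT access tokens. The issuer, audience, redirect URIs and HS256 key are constructed sample values.</span></p>

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions for this example, not iGov profile text).
TRUSTED_ISSUER = "https://as.example.gov"   # the single AS this RS trusts (#38)
RS_AUDIENCE = "https://rs.example.gov"
AS_KEY = b"constructed-shared-secret"        # HS256 key shared by AS and RS here

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in AS: issue an HS256 JWT access token with RFC 9068 style claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def rs_accept_token(token: str, now=None) -> bool:
    """RS check: signature first, then iss pinned to the one trusted AS, aud, exp."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(AS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False
    claims = json.loads(b64url_decode(payload))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    now = time.time() if now is None else now
    return (claims.get("iss") == TRUSTED_ISSUER   # #38: tokens from any other AS are rejected
            and RS_AUDIENCE in aud
            and claims.get("exp", 0) > now)

# Client side (#43): one redirect URI per logical AS; the state value records
# which AS the authorization request was sent to.
REDIRECT_URI_FOR_AS = {
    "https://as.example.gov": "https://client.example.gov/cb/as-gov",
    "https://as.other.example": "https://client.example.gov/cb/as-other",
}

def client_callback_ok(state_store: dict, state: str, callback_uri: str) -> bool:
    """Accept the redirect only on the URI registered for the AS this state went to."""
    as_issuer = state_store.get(state)
    return as_issuer is not None and REDIRECT_URI_FOR_AS.get(as_issuer) == callback_uri
```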
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-family:"Helvetica Neue""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt">Hope to see you at the WG meeting next week.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal;text-autospace:none">
<span style="font-size:11.0pt">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;line-height:115%">Kelley<o:p></o:p></span></p>
</div>
</body>
</html>