As you all know, I’m not a cryptographer, but I really can’t imagine how this solution would actually be robust enough to be considered secure. If the file is hosted outside of the device, what prevents the URL from being provided by a device illegitimately?
Smith
———————
Smith Kennedy
smith.kennedy at hp.com
On Oct 11, 2025, at 9:31 AM, Michael Sweet via ipp <ipp at pwg.org> wrote:
All,
This is a new "solution" to client registration... I personally hope to see support for so-called "native" applications but right now (like most OAuth RFCs) very little is required...
Begin forwarded message:
From: "Lombardo, Jeff" <jeffsec=40amazon.com at dmarc.ietf.org>
Subject: [OAUTH-WG] Re: I-D Action: draft-ietf-oauth-client-id-metadata-document-00.txt
Date: October 8, 2025 at 2:52:34 PM EDT
To: "oauth at ietf.org" <oauth at ietf.org>, "i-d-announce at ietf.org" <i-d-announce at ietf.org>
Having done a review recently and looking at implementing it, I support adoption.
Jean-François “Jeff” Lombardo | Amazon Web Services
Architecte Principal de Solutions, Spécialiste de Sécurité
Principal Solution Architect, Security Specialist
Montréal, Canada
-----Original Message-----
From: internet-drafts at ietf.org <internet-drafts at ietf.org>
Sent: October 8, 2025 2:48 PM
To: i-d-announce at ietf.org
Cc: oauth at ietf.org
Subject: [EXT] [OAUTH-WG] I-D Action: draft-ietf-oauth-client-id-metadata-document-00.txt
Internet-Draft draft-ietf-oauth-client-id-metadata-document-00.txt is now available. It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.
Title: OAuth Client ID Metadata Document
Authors: Aaron Parecki
Emelia Smith
Name: draft-ietf-oauth-client-id-metadata-document-00.txt
Pages: 12
Dates: 2025-10-08
Abstract:
This specification defines a mechanism through which an OAuth client
can identify itself to authorization servers, without prior dynamic
client registration or other existing registration. This is through
the usage of a URL as a client_id in an OAuth flow, where the URL
refers to a document containing the necessary client metadata,
enabling the authorization server to fetch the metadata about the
client as needed.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
OAuth mailing list -- oauth at ietf.org
To unsubscribe send an email to oauth-leave at ietf.org
________________________
Michael Sweet
_______________________________________________
ipp mailing list
ipp at pwg.org
https://www.pwg.org/mailman/listinfo/ipp
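
The mechanism in the quoted draft abstract (a URL used as the client_id, with the authorization server fetching the metadata document behind it), sketched from the authorization server's side as an added example that is not part of the thread or the draft text. The specific checks, the `client_name` and `redirect_uris` fields, the `.example` hosts and the `fetch` stand-in are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample documents, keyed by the URL they are served from.
DOCS = {
    "https://app.example/oauth/client.json": {
        "client_id": "https://app.example/oauth/client.json",
        "client_name": "Example Print App",
        "redirect_uris": ["https://app.example/cb"],
    },
    # Copy of the document above, hosted under a different origin.
    "https://other.example/client.json": {
        "client_id": "https://app.example/oauth/client.json",
        "redirect_uris": ["https://other.example/cb"],
    },
}

def check_client_id_url(client_id):
    """Assumed URL rules: https, a path, no userinfo, fragment or dot segments."""
    u = urlsplit(client_id)
    if u.scheme != "https" or not u.hostname:
        raise ValueError("client_id must be an https URL")
    if u.username or u.password or u.fragment:
        raise ValueError("userinfo or fragment in client_id")
    segments = u.path.split("/")
    if not u.path or "." in segments or ".." in segments:
        raise ValueError("client_id path missing or contains dot segments")

def validate_request(client_id, redirect_uri, fetch=DOCS.get):
    """Server-side check of one request; fetch is a hypothetical stand-in for the HTTPS GET."""
    check_client_id_url(client_id)
    doc = fetch(client_id)
    if doc is None:
        raise ValueError("no metadata document at client_id")
    if doc.get("client_id") != client_id:
        raise ValueError("document client_id does not match its URL")
    if redirect_uri not in doc.get("redirect_uris", []):
        raise ValueError("redirect_uri not listed in metadata document")
    return doc

def decide(client_id, redirect_uri):
    """Return 'ok' or the rejection reason for one request."""
    try:
        validate_request(client_id, redirect_uri)
        return "ok"
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    print(decide("https://app.example/oauth/client.json", "https://app.example/cb"))
```

A real `fetch` would also need timeouts, response size limits and refusal of internal or loopback addresses before the server requests a URL supplied by the client.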