Hi Mike, Hi all, as a shepherd I have reviewed the draft and I only have a few minor comments.
RFC 2246 is included in the normative reference section but not
mentioned in the text.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, DOI 10.17487/RFC2246, January 1999,
<http://www.rfc-editor.org/info/rfc2246>.
The same is true for these references:
[RFC7565] Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565,
DOI 10.17487/RFC7565, May 2015,
<http://www.rfc-editor.org/info/rfc7565>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>.
[JWA] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
DOI 10.17487/RFC7518, May 2015,
<http://tools.ietf.org/html/rfc7518>.
The description of this claim sounds a bit strange.
jwks_uri
OPTIONAL. URL of the authorization server's JWK Set [JWK]
document. This contains the signing key(s) the client uses to
validate signatures from the authorization server. The JWK Set
MAY also contain the server's encryption key(s), which are used by
clients to encrypt requests to the server. When both signing and
encryption keys are made available, a "use" (public key use)
parameter value is REQUIRED for all keys in the referenced JWK Set
to indicate each key's intended usage.
Instead of saying "This contains the signing key(s) the client uses to
validate signatures from the authorization server." I would say
something like:
"The JWK, once retrieved from the indicate URL, contains the public
key(s) the client uses to validate signatures from the authorization
server."
Could you also explain how you anticipate these keys to be used? The
meta data may be digitally signed by the authorization server. You
obviously need the public key corresponding to the private key used for
signing to the meta-data JSON payload. You seem to be suggesting to
include a URL to that key inside the message itself. If you are not
using HTTPS then you are toast. If you use an HTTPS-based then you are
essentially relying on the trust anchors in the browser for security. Is
that what you want?
Is this mechanism supposed to work with symmetric as well as asymmetric
keys?
Ciao
Hannes
On 02/20/2017 05:33 PM, Mike Jones wrote:
> Per working group feedback, the document now reflects the singular mission of
> documenting OAuth Authorization Server Metadata as it is actually used in
> practice. I believe that the document today accomplishes this mission and is
> ready for publication.
>
> -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:[email protected]] On Behalf Of Hannes Tschofenig
> Sent: Monday, February 20, 2017 1:46 AM
> To: [email protected]
> Subject: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization Server
> Metadata
>
> Hi all,
>
> it was roughly a year ago when we issued a working group last call on
> draft-ietf-oauth-discovery, see
> https://www.ietf.org/mail-archive/web/oauth/current/msg15796.html. Lots of
> feedback resulted in a significant restructuring of the document.
>
> The authors of the draft now believe it is ready for a second WGLC and hence
> we would like to start a 2-week review period.
>
> Please provide your review comments no later than March 6th.
>
> Here is the link to the document again:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-05
>
> Ciao
> Hannes & Derek
>
signature.asc
Description: OpenPGP digital signature
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
