Thanks a lot for your review, Hannes. Draft -06 incorporates your feedback.
Replies are inline below.
Thanks,
-- Mike
-----Original Message-----
From: Hannes Tschofenig [mailto:[email protected]]
Sent: Monday, March 6, 2017 7:38 AM
To: Mike Jones <[email protected]>; [email protected]
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization
Server Metadata
Hi Mike, Hi all,
as a shepherd I have reviewed the draft and I only have a few minor comments.
RFC 2246 is included in the normative reference section but not mentioned in
the text.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, DOI 10.17487/RFC2246, January 1999,
<http://www.rfc-editor.org/info/rfc2246>.
The same is true for these references:
[RFC7565] Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565,
DOI 10.17487/RFC7565, May 2015,
<http://www.rfc-editor.org/info/rfc7565>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>.
[JWA] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
DOI 10.17487/RFC7518, May 2015,
<http://tools.ietf.org/html/rfc7518>.
These references have all been removed.
The description of this claim sounds a bit strange.
jwks_uri
OPTIONAL. URL of the authorization server's JWK Set [JWK]
document. This contains the signing key(s) the client uses to
validate signatures from the authorization server. The JWK Set
MAY also contain the server's encryption key(s), which are used by
clients to encrypt requests to the server. When both signing and
encryption keys are made available, a "use" (public key use)
parameter value is REQUIRED for all keys in the referenced JWK Set
to indicate each key's intended usage.
Instead of saying "This contains the signing key(s) the client uses to validate
signatures from the authorization server." I would say something like:
"The JWK, once retrieved from the indicate URL, contains the public
key(s) the client uses to validate signatures from the authorization server."
Good catch. Rather than saying “This contains”, it now says “The referenced
document contains”.
Could you also explain how you anticipate these keys to be used? The meta data
may be digitally signed by the authorization server. You obviously need the
public key corresponding to the private key used for signing to the meta-data
JSON payload. You seem to be suggesting to include a URL to that key inside the
message itself. If you are not using HTTPS then you are toast. If you use an
HTTPS-based then you are essentially relying on the trust anchors in the
browser for security. Is that what you want?
The URL is now explicitly required to use the https scheme. This requirement
has now been made explicit in the jwks_uri definition.
Yes, you’re relying on the trust anchors in the browser for security. That’s
why the issuer requires use of the https scheme (meaning that that the AS
metadata will be retrieved from an https URL). The use of TLS for the jwks_uri
is another case of this reliance.
Is this mechanism supposed to work with symmetric as well as asymmetric keys?
No. Given that the JWKS Set is public, it must contain only public keys.
Ciao
Hannes
On 02/20/2017 05:33 PM, Mike Jones wrote:
> Per working group feedback, the document now reflects the singular mission of
> documenting OAuth Authorization Server Metadata as it is actually used in
> practice. I believe that the document today accomplishes this mission and is
> ready for publication.
>
> -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:[email protected]] On Behalf Of Hannes
> Tschofenig
> Sent: Monday, February 20, 2017 1:46 AM
> To: [email protected]<mailto:[email protected]>
> Subject: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization
> Server Metadata
>
> Hi all,
>
> it was roughly a year ago when we issued a working group last call on
> draft-ietf-oauth-discovery, see
> https://www.ietf.org/mail-archive/web/oauth/current/msg15796.html. Lots of
> feedback resulted in a significant restructuring of the document.
>
> The authors of the draft now believe it is ready for a second WGLC and hence
> we would like to start a 2-week review period.
>
> Please provide your review comments no later than March 6th.
>
> Here is the link to the document again:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-05
>
> Ciao
> Hannes & Derek
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
