Hi Adam, 

thank you for your review. 

We just published 
https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08 that 
hopefully resolves your DISCUSS and COMMENT.

> On 4. Sep 2019, at 09:44, Adam Roach via Datatracker <[email protected]> wrote:
> 
> Adam Roach has entered the following ballot position for
> draft-ietf-oauth-jwt-introspection-response-07: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Thanks for the work the authors and other contributors have
> put into creating this document.
> 
> I have a privacy concern that I think warrants text in the document.
> 
> Section 8.3.1 introduces a significant amount of personally-identifiable
> information. While I understand that this is needed for the use case
> cited in the introduction (issuing certificated for electronic signatures),
> I think the document needs some treatment of the sensitivity of this
> information, the basis that the server uses to decide whether to include
> it, and how consent to disclose it might be obtained from the user.

We added text about the trust management between AS and RS and how an AS 
determines what data an RS is allowed to receive (Sections 3 and 5). 

We also reworked the Privacy Considerations section and added text about 
prerequisites for personal data transfer between AS and RS and security 
requirements in this context. 

> 
> I'm putting this in as a DISCUSS, because I really do think this is
> a showstopper for publication. I am quite aware, however, that I might
> simply be missing some important aspect of the solution that makes my
> concerns moot. Please point me in the right direction if this is the
> case, and I'll be happy to clear.

We had some assumptions (just) in mind that we have now added to the document. I 
hope this clears your DISCUSS.

> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> §3:
> 
>> The example response contains the following JSON document:
>> 
>> {
>>   "sub": "Z5O3upPC88QrAjx00dis",
>>   "aud": "https://protected.example.net/resource",
>>   "scope": "read write dolphin",
>>   "iss": "https://server.example.com/",
>>   "active": true,
>>   "exp": 1419356238,
>>   "iat": 1419350238,
>>   "client_id": "l238j323ds-23ij4",
>>   "given_name": "John",
>>   "family_name":"Doe",
>>   "birthdate":"1982-02-01"
>> }
> 
> The example response actually contains the following JSON document:
> 
> {
>   "sub":"Z5O3upPC88QrAjx00dis",
>   "aud":"https:\/\/protected.example.net\/resource",
>   "extension_field":"twenty-seven",
>   "scope":"read write dolphin",
>   "iss":"https:\/\/server.example.com\/",
>   "active":true,
>   "exp":1419356238,
>   "iat":1419350238,
>   "client_id":"l238j323ds-23ij4",
>   "username":"jdoe"
> }
> 
> Note the presence of "extension_field" and "username" fields, and the
> absence of "given_name", "family_name", and "birthdate" fields. There's
> also a bunch of unnecessarily escaped "/" characters in the document
> in the JWT, but not the expanded example; and while these are semantically
> insignificant, the discrepancy seems gratuitous.
> 
> It is probably worthwhile updating either the JWT or the expanded
> example so that they match.

We re-did the whole example. 

Best regards,
Torsten. 
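Two points in the exchange above lend themselves to a small worked illustration: the AS deciding which claims an RS is allowed to receive (the privacy point behind the DISCUSS), and the check Adam performed by hand, decoding the compact JWT and comparing its payload with the expanded example in the text. The block below is an added example written for this page; it is not code from the draft, from the OAuth WG, or from either author of the thread. The per-RS allowlist (`RELEASE_POLICY`), the use of the RS identifier as the `aud` value, the token data and the constructed unsigned compact JWS are all assumptions made for illustration, not the mechanism the draft specifies.

```python
"""Added example: AS-side claim release policy and a JWT-vs-expanded-example
consistency check. Not the draft's code; policy shape and data are constructed."""
import base64
import json

# Claims an RS needs for an access decision; released to every known RS.
BASELINE_CLAIMS = {"iss", "aud", "sub", "active", "exp", "iat", "scope", "client_id"}

# Constructed release policy keyed by RS identifier (used here as the "aud"
# value). Assumption for illustration: the draft leaves the policy to the AS.
RELEASE_POLICY = {
    "https://protected.example.net/resource": {"given_name", "family_name", "birthdate"},
    "https://api.example.org/": set(),  # this RS gets no end-user PII
}

# Constructed token data resembling the expanded example quoted in the thread.
TOKEN_DATA = {
    "sub": "Z5O3upPC88QrAjx00dis",
    "scope": "read write dolphin",
    "iss": "https://server.example.com/",
    "active": True,
    "exp": 1419356238,
    "iat": 1419350238,
    "client_id": "l238j323ds-23ij4",
    "given_name": "John",
    "family_name": "Doe",
    "birthdate": "1982-02-01",
}


def build_introspection_claims(token_data, rs_id, policy=RELEASE_POLICY):
    """Claims the AS puts into the introspection response for rs_id.
    An RS with no policy entry receives baseline claims only (deny by default)."""
    allowed = BASELINE_CLAIMS | policy.get(rs_id, set())
    claims = {k: v for k, v in token_data.items() if k in allowed}
    claims["aud"] = rs_id
    return claims


def withheld_claims(token_data, rs_id, policy=RELEASE_POLICY):
    """Claim names present in the token data but not released to rs_id."""
    return sorted(set(token_data) - set(build_introspection_claims(token_data, rs_id, policy)))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_unsigned_jws(claims):
    """Constructed compact serialization with an EMPTY signature, used only to
    have a payload to decode below. The "\\/" escaping mimics the draft's JWT
    example; it is legal JSON and semantically identical to "/"."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = json.dumps(claims, separators=(",", ":")).replace("/", "\\/")
    return f"{header}.{b64url_encode(payload.encode())}."


def payload_claims(jws_compact):
    """Decode the payload of a compact JWS WITHOUT verifying it. Fine for
    checking that a spec's examples agree; never a basis for trusting claims."""
    parts = jws_compact.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def claim_diff(expanded, payload):
    """Where a pretty-printed example and the decoded JWT payload disagree."""
    shared = set(expanded) & set(payload)
    return {
        "only_in_payload": sorted(set(payload) - set(expanded)),
        "only_in_expanded": sorted(set(expanded) - set(payload)),
        "differing_values": sorted(k for k in shared if expanded[k] != payload[k]),
    }


# Constructed reproduction of the mismatch reported in the thread: the JWT
# carries "extension_field" and "username" but none of the PII claims.
EXAMPLE_EXPANDED = build_introspection_claims(TOKEN_DATA, "https://protected.example.net/resource")
EXAMPLE_JWS = encode_unsigned_jws({
    "sub": "Z5O3upPC88QrAjx00dis",
    "aud": "https://protected.example.net/resource",
    "extension_field": "twenty-seven",
    "scope": "read write dolphin",
    "iss": "https://server.example.com/",
    "active": True,
    "exp": 1419356238,
    "iat": 1419350238,
    "client_id": "l238j323ds-23ij4",
    "username": "jdoe",
})

if __name__ == "__main__":
    print("withheld from api.example.org:", withheld_claims(TOKEN_DATA, "https://api.example.org/"))
    print("example mismatch:", claim_diff(EXAMPLE_EXPANDED, payload_claims(EXAMPLE_JWS)))
```

The policy lookup is deny-by-default on purpose: an RS the AS has no trust relationship with gets the baseline claims and nothing else, which is the property the new Sections 3 and 5 text is meant to guarantee for personal data. The consistency check is the part of the example an editor of any JWT-bearing spec can reuse, and the `\/` escapes decode to plain `/`, which is why Adam called that discrepancy semantically insignificant.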



_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
