At Nat's request, I've created a pull request addressing Cross-JWT Confusion 
security considerations.  It addresses both Brian's comment and the IESG 
comments about explicit typing.  See the full PR at 
https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10.  See the source diffs 
at 
https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10/address-iesg-and-working-group-comments/diff#chg-draft-ietf-oauth-jwsreq.xml.
Please review!

This is only the first commit, albeit one that addresses some of the most 
substantive issues.  More commits will follow addressing additional IESG 
comments.

                                -- Mike

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Benjamin Kaduk
Sent: Thursday, August 13, 2020 2:59 PM
To: Brian Campbell <bcampb...@pingidentity.com>
Cc: draft-ietf-oauth-jws...@ietf.org; oauth-cha...@ietf.org; The IESG 
<i...@ietf.org>; oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on 
draft-ietf-oauth-jwsreq-26: (with COMMENT)

Oops, that's my bad.  Thanks for the correction -- I've linked to your message 
in the datatracker (but didn't bother to have the datatracker send a third copy 
of my updated-again ballot position).

-Ben

On Thu, Aug 13, 2020 at 03:00:33PM -0600, Brian Campbell wrote:
> While some discussion of why explicit typing was not used might be 
> useful to have, that thread started with a request for security 
> considerations prohibiting use of the "sub" with a client ID value. 
> Because such a request JWT could be repurposed for JWT client 
> authentication. And explicit typing wouldn't help in that situation.
> 
> On Tue, Aug 11, 2020 at 2:50 PM Benjamin Kaduk via Datatracker <nore...@ietf.org> wrote:
> 
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > [updated to note that, per
> > https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0eaE/
> > and the JWT BCP (RFC 8725), some discussion of why explicit 
> > typing is not used would be in order]
> >
> >
> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
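To make the consideration Brian raises concrete, here is an added example that is not code from the draft, the pull request, or anyone on the thread. It models the two places a client-issued JWT can land: the authorization endpoint, which must refuse a request object that could also pass as an RFC 7523 client-authentication assertion (a "sub" equal to the client_id), and the token endpoint, which must refuse anything explicitly typed as a request object. The HS256 demo key, the client identifier, the endpoint URLs and the "typ" value used for request objects are all constructed or assumed for this example, not taken from the draft.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed values for the demo; a deployment uses the client's registered
# key and its own identifiers.
DEMO_KEY = b"constructed-demo-hmac-key"
CLIENT_ID = "constructed-client-id"
AUTHZ_ENDPOINT = "https://as.example.invalid/authorize"
TOKEN_ENDPOINT = "https://as.example.invalid/token"

# Assumed explicit "typ" for request objects (a parameter of this example).
REQUEST_OBJECT_TYP = "oauth-authz-req+jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, typ: str | None = None, key: bytes = DEMO_KEY) -> str:
    """Produce a compact HS256 JWS so the example runs offline (demo only)."""
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def parse_and_verify(token: str, key: bytes = DEMO_KEY) -> tuple[dict, dict]:
    """Check the HS256 signature and return (header, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature does not verify")
    return json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body))


def validate_request_object(token: str, client_id: str) -> dict:
    """Authorization endpoint: accept a request object only if it could not
    also pass as an RFC 7523 client-authentication assertion."""
    header, claims = parse_and_verify(token)
    # RFC 8725 explicit typing: the header must declare this JWT's purpose.
    if header.get("typ") != REQUEST_OBJECT_TYP:
        raise ValueError(f"unexpected typ {header.get('typ')!r}")
    if claims.get("iss") != client_id:
        raise ValueError("iss must equal the client_id")
    # The thread's point: sub == client_id is the fingerprint of a client
    # authentication JWT, so a request object must never carry it.
    if claims.get("sub") == client_id:
        raise ValueError("sub must not equal the client_id")
    return claims


def validate_client_assertion(token: str, client_id: str) -> dict:
    """Token endpoint: RFC 7523 needs iss == sub == client_id and aud = token
    endpoint; anything typed as a request object is refused outright."""
    header, claims = parse_and_verify(token)
    if header.get("typ") == REQUEST_OBJECT_TYP:
        raise ValueError("request objects are not client assertions")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both equal the client_id")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("aud must be the token endpoint")
    return claims


def rejects(validator, token: str, client_id: str = CLIENT_ID) -> bool:
    """True if the validator refuses the token."""
    try:
        validator(token, client_id)
    except ValueError:
        return True
    return False


def build_demo_tokens() -> dict[str, str]:
    """Constructed tokens exercising both endpoints."""
    return {
        # Well-formed request object: typed, iss = client, no sub.
        "request_ok": mint_hs256(
            {"iss": CLIENT_ID, "aud": AUTHZ_ENDPOINT, "response_type": "code", "client_id": CLIENT_ID},
            typ=REQUEST_OBJECT_TYP),
        # Request object carrying sub = client_id: refused by both endpoints.
        "request_with_sub": mint_hs256(
            {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT, "response_type": "code"},
            typ=REQUEST_OBJECT_TYP),
        # Untyped iss = sub = client_id assertion: fine at the token endpoint,
        # never acceptable as a request object.
        "untyped_assertion": mint_hs256({"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT}),
    }


if __name__ == "__main__":
    for name, tok in build_demo_tokens().items():
        print(name, "authz:", "reject" if rejects(validate_request_object, tok) else "accept",
              "token:", "reject" if rejects(validate_client_assertion, tok) else "accept")
```

The "sub" check is what closes the gap Brian describes even for a deployment that has not yet adopted explicit typing; the "typ" check is the RFC 8725 layer on top, and the two are independent so that a verifier missing either one still refuses the cross-purpose token.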
