At Nat's request, I've created a pull request addressing Cross-JWT Confusion security considerations. It addresses both Brian's comment and the IESG comments about explicit typing. See the full PR at https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10. See the source diffs at https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10/address-iesg-and-working-group-comments/diff#chg-draft-ietf-oauth-jwsreq.xml. Please review!
This is only the first commit, albeit one that addresses some of the most substantive issues. More commits will follow addressing additional IESG comments.

-- Mike

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Benjamin Kaduk
Sent: Thursday, August 13, 2020 2:59 PM
To: Brian Campbell <bcampb...@pingidentity.com>
Cc: draft-ietf-oauth-jws...@ietf.org; oauth-cha...@ietf.org; The IESG <i...@ietf.org>; oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

Oops, that's my bad. Thanks for the correction -- I've linked to your message in the datatracker (but didn't bother to have the datatracker send a third copy of my updated-again ballot position).

-Ben

On Thu, Aug 13, 2020 at 03:00:33PM -0600, Brian Campbell wrote:
> While some discussion of why explicit typing was not used might be
> useful to have, that thread started with a request for security
> considerations prohibiting use of the "sub" with a client ID value.
> Because such a request JWT could be repurposed for JWT client
> authentication. And explicit typing wouldn't help in that situation.
>
> On Tue, Aug 11, 2020 at 2:50 PM Benjamin Kaduk via Datatracker <
> nore...@ietf.org> wrote:
>
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > [updated to note that, per
> > https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0eaE/
> > and the JWT BCP (RFC 8725), some discussion of why explicit
> > typing is not used would be in order]
> >

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
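The confusion Brian describes, shown in code. This is an added example written for this page, not text or code from the draft or the PR. It models the two validators an authorization server runs against JWTs from the same registered client: the token endpoint's check of a JWT client assertion (RFC 7523 section 3: iss and sub both equal the client_id, aud is the AS) and the authorization endpoint's check of a JAR request object. A request object that carries sub == client_id satisfies both, so it can be replayed as a client assertion; adding a header "typ" to the request object does not change that, because the client-assertion check never looks at typ. Refusing sub == client_id in request objects closes it. Assumptions: HS256 with a shared secret stands in for the client's registered key (with a real AS it would be the same asymmetric key for both uses, which is exactly why the two JWTs are interchangeable); the client_id, secret, AS identifier and the "oauth-authz-req+jwt" typ value are constructed for the demo.

```python
"""Cross-JWT confusion between a JAR request object and a JWT client assertion (demo)."""
import base64
import hashlib
import hmac
import json
import time

AS_ISSUER = "https://as.example"                              # constructed AS identifier
CLIENT_ID = "s6BhdRkqt3"                                      # constructed client_id
CLIENT_KEY = b"constructed-shared-secret-for-the-demo-only"   # stand-in for the client's registered key
REQUEST_OBJECT_TYP = "oauth-authz-req+jwt"                    # assumed explicit typ for request objects


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(header: dict, claims: dict, key: bytes) -> str:
    """Compact-serialised HS256 JWS; kept minimal so the demo has no dependencies."""
    header = {"alg": "HS256", **header}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jws_verify(token: str, key: bytes):
    """Return (header, claims) or raise ValueError on a bad signature or alg."""
    h, c, s = token.split(".")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return header, json.loads(_b64url_decode(c))


def _aud_contains(claims: dict, value: str) -> bool:
    aud = claims.get("aud")
    return aud == value or (isinstance(aud, list) and value in aud)


def validate_client_assertion(token: str, client_id: str, key: bytes, now: int) -> dict:
    """Token-endpoint checks for a JWT client assertion (RFC 7523 section 3).
    Note that nothing here inspects the JOSE header's typ."""
    _header, claims = jws_verify(token, key)
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both be the client_id")
    if not _aud_contains(claims, AS_ISSUER):
        raise ValueError("aud must identify the AS")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired or missing exp")
    return claims


def validate_request_object(token: str, client_id: str, key: bytes, now: int,
                            reject_sub_client_id: bool) -> dict:
    """Authorization-endpoint checks for a JAR request object. With
    reject_sub_client_id=True it applies the rule under discussion: a request
    object whose sub equals the client_id is refused, since that token would
    also pass validate_client_assertion()."""
    _header, claims = jws_verify(token, key)
    if claims.get("iss") != client_id:
        raise ValueError("iss must be the client_id")
    if not _aud_contains(claims, AS_ISSUER):
        raise ValueError("aud must identify the AS")
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        raise ValueError("request object expired")
    if reject_sub_client_id and claims.get("sub") == client_id:
        raise ValueError("request object must not carry sub == client_id")
    return claims


def _accepts(validator, *args) -> bool:
    try:
        validator(*args)
        return True
    except ValueError:
        return False


def demo_confusion(now: int = None) -> dict:
    """Build one request object from a client that (unwisely) sets sub to its own
    client_id and run it through both validators, with and without explicit typing."""
    now = int(time.time()) if now is None else now
    base = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": AS_ISSUER, "exp": now + 300,
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": "https://client.example/cb", "scope": "openid"}
    untyped = jws_sign({}, base, CLIENT_KEY)
    typed = jws_sign({"typ": REQUEST_OBJECT_TYP}, base, CLIENT_KEY)
    no_sub = jws_sign({}, {k: v for k, v in base.items() if k != "sub"}, CLIENT_KEY)
    return {
        "lenient_jar_accepts": _accepts(validate_request_object, untyped, CLIENT_ID, CLIENT_KEY, now, False),
        "client_auth_accepts_same_token": _accepts(validate_client_assertion, untyped, CLIENT_ID, CLIENT_KEY, now),
        "client_auth_accepts_typed_token": _accepts(validate_client_assertion, typed, CLIENT_ID, CLIENT_KEY, now),
        "strict_jar_rejects": not _accepts(validate_request_object, untyped, CLIENT_ID, CLIENT_KEY, now, True),
        "strict_jar_accepts_without_sub": _accepts(validate_request_object, no_sub, CLIENT_ID, CLIENT_KEY, now, True),
    }


if __name__ == "__main__":
    for name, value in demo_confusion().items():
        print(f"{name}: {value}")
```

The two interesting rows are client_auth_accepts_same_token and client_auth_accepts_typed_token: both are True, which is Brian's point that explicit typing on the request object does not stop its reuse at the token endpoint. The only change that does is the strict request-object check (strict_jar_rejects), and it costs nothing for well-behaved clients, which have no reason to put their client_id in sub of a request object (strict_jar_accepts_without_sub).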