At Nat's request, I've created a pull request addressing Cross-JWT Confusion
security considerations. It addresses both Brian's comment and the IESG
comments about explicit typing. See the full PR at
https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10. See the source diffs
at
https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10/address-iesg-and-working-group-comments/diff#chg-draft-ietf-oauth-jwsreq.xml.
Please review!
This is only the first commit, albeit one that addresses some of the most
substantive issues. More commits will follow addressing additional IESG
comments.
-- Mike
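Before the quoted thread, an added example (not code from the PR, the draft, or anyone on the list) of the repurposing Brian describes below: a request object that carries sub=client_id passes an RFC 7523-style client_assertion check; an explicit-typing check on the assertion side only stops request objects that are actually typed, while refusing sub=client_id on the request-object side closes the gap regardless. The client ID, AS issuer, HMAC key, and the request-object typ value are constructed/assumed for the demo.

```python
import base64, hashlib, hmac, json, time

CLIENT_ID = "s6BhdRkqt3"                  # constructed
AS_ISSUER = "https://as.example"          # constructed
KEY = b"demo-key-not-for-production"      # constructed; stands in for the client's signing key
REQUEST_OBJECT_TYP = "oauth-authz-req+jwt"  # assumed typ value for JAR request objects

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(header: dict, claims: dict) -> str:
    """Minimal HS256 JWS compact serialization for the demo."""
    parts = [_b64(json.dumps(header).encode()), _b64(json.dumps(claims).encode())]
    sig = hmac.new(KEY, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64(sig)])

def decode_jwt(token: str):
    """Check the HS256 signature and return (header, claims)."""
    h, c, s = token.split(".")
    expected = hmac.new(KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64(h)), json.loads(_unb64(c))

def request_object(sub_is_client: bool, typed: bool) -> str:
    """A JAR request object signed by the client, with or without sub=client_id."""
    header = {"alg": "HS256", "typ": REQUEST_OBJECT_TYP if typed else "JWT"}
    claims = {"iss": CLIENT_ID, "aud": AS_ISSUER, "exp": int(time.time()) + 300,
              "client_id": CLIENT_ID, "response_type": "code", "scope": "openid"}
    if sub_is_client:
        claims["sub"] = CLIENT_ID
    return sign_jwt(header, claims)

def verify_client_assertion(token: str, check_typ: bool) -> bool:
    """RFC 7523 style checks; check_typ also refuses JWTs explicitly typed as request objects."""
    header, claims = decode_jwt(token)
    if check_typ and header.get("typ") == REQUEST_OBJECT_TYP:
        return False
    return (claims.get("iss") == CLIENT_ID and claims.get("sub") == CLIENT_ID
            and claims.get("aud") == AS_ISSUER and claims.get("exp", 0) > time.time())

def validate_request_object(token: str) -> bool:
    """Request object acceptance: refuse sub == client_id, so no accepted request
    object can double as a client authentication assertion."""
    _, claims = decode_jwt(token)
    return claims.get("client_id") == CLIENT_ID and claims.get("sub") != CLIENT_ID
```

An untyped request object with sub=client_id is accepted by both assertion verifiers, which is the case Brian points out; only the request-object-side check rejects it.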
-----Original Message-----
From: OAuth <[email protected]> On Behalf Of Benjamin Kaduk
Sent: Thursday, August 13, 2020 2:59 PM
To: Brian Campbell <[email protected]>
Cc: [email protected]; [email protected]; The IESG
<[email protected]>; oauth <[email protected]>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on
draft-ietf-oauth-jwsreq-26: (with COMMENT)
Oops, that's my bad. Thanks for the correction -- I've linked to your message
in the datatracker (but didn't bother to have the datatracker send a third copy
of my updated-again ballot position).
-Ben
On Thu, Aug 13, 2020 at 03:00:33PM -0600, Brian Campbell wrote:
> While some discussion of why explicit typing was not used might be
> useful to have, that thread started with a request for security
> considerations prohibiting use of the "sub" with a client ID value.
> Because such a request JWT could be repurposed for JWT client
> authentication. And explicit typing wouldn't help in that situation.
>
> On Tue, Aug 11, 2020 at 2:50 PM Benjamin Kaduk via Datatracker <
> [email protected]> wrote:
>
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > [updated to note that, per
> > https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0eaE/
> > and the JWT BCP (RFC 8725), some discussion of why explicit typing is
> > not used would be in order]
> >
> >
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth