As I said during the meeting, I am supportive of doing this work but do hope the authors have appetite for what they might be signing up for. Aaron's review points to some of the work needed. The https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/ work should almost certainly be referred to. I believe the current text around compression in JWE is a bit overreaching and lacking in subtlety about when it's reasonable to use. I'm not terribly thrilled about the way explicit typing has worked in practice but I'm admittedly not sure how it could be improved at this point. I'm sure there's more once the box is opened.
It seems the draft is largely a rehash of RFC8725 with some additions and likely other updates. It should probably explicitly obsolete RFC8725 and indicate that it updates BCP 225 by replacing 8725. A more formal section that describes the changes from RFC8725 would also be nice and is AFAIK common practice in such a document. Similarly it'd be good etiquette to, in the acknowledgements, distinguish between contributors to the original document and those that have contributed to the updates. I know from some github interactions, for one example, that Filip Skokan has helped guide some of the updated text but he's not mentioned at present.

As also somewhat gratuitously mentioned at the meeting, a few years back I did a talk a few times on JWT vulnerabilities and tried to take a balanced look at many of the criticisms. I don't think there's anything novel or unknown in it, but I think it might provide some useful perspective. If anyone is interested in seeing that, or just helping drive the meager view count up, a recording of one instance of the talk is here https://www.youtube.com/watch?v=IgKRGS6cQWw

On Wed, Aug 6, 2025 at 11:03 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
> All,
>
> This is a call for adoption for the *RFC8725bis* draft that was discussed during the last IETF meeting in Madrid:
> https://datatracker.ietf.org/doc/draft-sheffer-oauth-rfc8725bis/
>
> Remember that adoption does not mean a document is finished, only that it is an acceptable starting point.
>
> Please, reply on the mailing list and let us know if you are in favor or against adopting this draft as WG document, by August 22nd.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org