The comments from my review of this document have all been
addressed, thanks.

I do agree with Brian about some of the concerns around alg:none. I
wouldn't expect any normative changes to the text at this point, but I do
think an informative reference to the in-progress "Deprecate none" draft
would be helpful:
https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/

The "Deprecate" draft was already adopted by the jose WG two months before
the first rfc8725bis draft was published, so it was already established as
the direction the WG was heading. While it's still a draft, a normative
reference would not be appropriate at this time, but a pointer to it in
section 3.2 would be helpful to future readers. I would rather see that
added in this draft rather than waiting until a future revision of
rfc8725bis.

Aaron
On Mon, Dec 15, 2025 at 8:44 AM Michael Jones <[email protected]>
wrote:

> FYI, Yaron created GitHub issues at
> https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis/issues for each
> of Brian's sets of comments and replies were made there.
> https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis/pull/32 was
> created and incorporated, which adds additional context on the use of
> explicit typing to the specification.  You can see that text in context in
> the editor's draft at
> https://drafts.oauth.net/draft-ietf-oauth-rfc8725bis/draft-ietf-oauth-rfc8725bis.html#name-use-explicit-typing
> .
>
>                                 -- Mike
>
> -----Original Message-----
> From: Rifaat Shekh-Yusef via Datatracker <[email protected]>
> Sent: Monday, December 1, 2025 5:46 AM
> To: [email protected]; [email protected];
> [email protected]
> Subject: WG Last Call: draft-ietf-oauth-rfc8725bis-02 (Ends 2025-12-15)
>
>
> This message starts a 2-week WG Last Call for this document.
>
> Abstract:
>    JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
>    tokens that contain a set of claims that can be signed and/or
>    encrypted.  JWTs are being widely used and deployed as a simple
>    security token format in numerous protocols and applications, both in
>    the area of digital identity and in other application areas.  This
>    Best Current Practices (BCP) specification updates RFC 7519 to
>    provide actionable guidance leading to secure implementation and
>    deployment of JWTs.
>
>    This BCP specification furthermore replaces the existing JWT BCP
>    specification RFC 8725 to provide additional actionable guidance
>    covering threats and attacks that have been discovered since RFC 8725
>    was published.
>
> File can be retrieved from:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc8725bis/
>
> Please review and indicate your support or objection to proceed with the
> publication of this document by replying to this email keeping
> [email protected] in copy. Objections should be motivated and suggestions to
> resolve them are highly appreciated.
>
> Authors, and WG participants in general, are reminded again of the
> Intellectual Property Rights (IPR) disclosure obligations described in BCP
> 79 [1]. Appropriate IPR disclosures required for full conformance with the
> provisions of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of
> any. Sanctions available for application to violators of IETF IPR Policy
> can be found at [3].
>
> Thank you.
>
> [1] https://datatracker.ietf.org/doc/bcp78/
> [2] https://datatracker.ietf.org/doc/bcp79/
> [3] https://datatracker.ietf.org/doc/rfc6701/
>
>
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
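The two points raised above, rejecting `alg: none` and checking explicit typing before trusting a JWT, are shown here in a small verifier. This is an added example, not code from the thread or from the rfc8725bis draft; it assumes an HS256 shared key, a consumer that expects `typ: "at+jwt"`, and constructed sample tokens (the `mint_hs256` helper exists only to build those samples).

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(header: dict, claims: dict, key: bytes) -> str:
    # Hypothetical helper used only to build sample tokens for this example.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, allowed_algs=("HS256",), expected_typ="at+jwt") -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    # Allowlist, not denylist: "none" in any spelling, and every algorithm the
    # consumer did not configure, is rejected before any key material is used.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not allowed")
    # Explicit typing: the header must carry exactly the typ this consumer expects,
    # so a token minted for another purpose cannot be replayed here.
    if header.get("typ") != expected_typ:
        raise ValueError(f"typ {header.get('typ')!r} does not match {expected_typ!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))


def check(token: str, key: bytes) -> str:
    try:
        verify_jwt(token, key)
        return "accepted"
    except ValueError as e:
        return f"rejected: {e}"


KEY = b"constructed-demo-key"  # constructed for the example, not a real secret
CLAIMS = {"sub": "alice", "iss": "https://issuer.example"}  # constructed claims
GOOD = mint_hs256({"alg": "HS256", "typ": "at+jwt"}, CLAIMS, KEY)
# Same claims, but the header says alg "none" and the signature part is empty.
NONE = mint_hs256({"alg": "none", "typ": "at+jwt"}, CLAIMS, KEY).rsplit(".", 1)[0] + "."
UNTYPED = mint_hs256({"alg": "HS256"}, CLAIMS, KEY)  # no typ header at all
```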