Re: [OAUTH-WG] Disable JWK "use" parameter for octet sequence keys?
IMHO "use" is less useful for JWKs of type "oct" but not to the point of disallowing it. Your question is probably better suited for the JOSE WG list though, rather than OAUTH.

On Sun, Apr 19, 2015 at 4:01 AM, Vladimir Dzhuvinov wrote:
> A developer working with the Nimbus jose+jwt library raised the question
> whether setting of the public "use" [1] parameter should be disabled for
> JWKs of type "oct". This appears to make sense, even though the JWA spec
> [2] doesn't mention it. Is this correct?
>
> Thanks,
>
> Vladimir
>
> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-key-40#section-4.2
> [2] http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-6.4

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
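The thread above asks whether "use" makes sense on an "oct" JWK. Rather than disallowing it, a library can check that "use" is consistent with "alg" and that the key material fits the algorithm; the added example below (my own code, not from the thread or the Nimbus library) does that, going beyond the question by also checking key sizes, and uses constructed sample keys.

```python
import base64

# Added example, not code from the thread or from the Nimbus library.
# "use" values "sig"/"enc" come from JWK section 4.2; the alg-to-purpose
# mapping and key-size rules follow the JWA definitions of those algorithms.
MAC_ALGS = {"HS256": 32, "HS384": 48, "HS512": 64}          # minimum key bytes
WRAP_ALGS = {"A128KW": 16, "A192KW": 24, "A256KW": 32,      # exact key bytes
             "A128GCMKW": 16, "A192GCMKW": 24, "A256GCMKW": 32}


def _b64url_decode(s: str) -> bytes:
    # JWK "k" is base64url without padding; restore padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_oct_jwk(jwk: dict) -> list:
    """Return the consistency problems found in an "oct" JWK; [] means OK."""
    problems = []
    if jwk.get("kty") != "oct":
        return ["kty is not 'oct'"]
    use, alg = jwk.get("use"), jwk.get("alg")
    if use not in (None, "sig", "enc"):
        problems.append(f"unknown use {use!r}")
    # A symmetric key declared for one purpose must not carry an alg of the
    # other; "use" itself is optional, so its absence is not flagged.
    if alg in MAC_ALGS and use == "enc":
        problems.append(f"alg {alg} is a MAC but use is 'enc'")
    if alg in WRAP_ALGS and use == "sig":
        problems.append(f"alg {alg} is key wrapping but use is 'sig'")
    k = jwk.get("k")
    if not isinstance(k, str) or not k:
        return problems + ["missing 'k' parameter"]
    try:
        key_len = len(_b64url_decode(k))
    except ValueError:
        return problems + ["'k' is not valid base64url"]
    if alg in MAC_ALGS and key_len < MAC_ALGS[alg]:
        problems.append(f"{alg} key is {key_len} bytes, needs at least {MAC_ALGS[alg]}")
    if alg in WRAP_ALGS and key_len != WRAP_ALGS[alg]:
        problems.append(f"{alg} key is {key_len} bytes, needs exactly {WRAP_ALGS[alg]}")
    return problems


# Constructed sample keys for demonstration only (not real secrets)
_K256 = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()
GOOD_HS256 = {"kty": "oct", "use": "sig", "alg": "HS256", "k": _K256}
BAD_USE = {"kty": "oct", "use": "enc", "alg": "HS256", "k": _K256}
SHORT_A256KW = {"kty": "oct", "use": "enc", "alg": "A256KW", "k": _K256[:22]}
```

Calling `check_oct_jwk(BAD_USE)` reports the sig/enc mismatch and `check_oct_jwk(SHORT_A256KW)` reports a 16-byte key for a 256-bit wrap algorithm.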
Re: [OAUTH-WG] AD Review of draft-ietf-oauth-introspection-07
Hi Justin,

On Mon, Apr 20, 2015 at 8:24 AM, Justin Richer wrote:
> Kathleen,
>
> Thanks for the update. How would we best handle this situation, since it's
> really referring to additional information that's outside the scope of the
> interoperable core? Since we're not specifying what the data is, we're not
> really in a position to say what the concerns are in a concrete manner. I'm
> thinking a sentence or two like this in the privacy considerations section:
>
> If the protected resource sends additional information about the client's
> request to the authorization server using an extension of this
> specification, such as the client's IP address or other information, such
> information could have additional privacy considerations.
>

I think that looks good and you may want to say it is out of scope for this draft so no one asks why you didn't go deeper. Let me know once it is ready and I'll kick off last call.

Thanks.
Kathleen

> -- Justin
>
> On 4/19/2015 7:01 PM, Kathleen Moriarty wrote:
> > Hello,
> >
> > Thank you for your work on draft-ietf-oauth-introspection-07. The
> > security considerations appear to be addressed well and I was glad to see
> > how a response is handled when the response code is false, to not reveal
> > information as to why.
> >
> > The privacy considerations look good, but I do have another question
> > that should be addressed in the draft in regard to privacy.
> >
> > Section 2.1 says an IP address (or something else) might be used to
> > provide context of the query, the authorization server could have other
> > information about the client. It would be good to mention privacy related
> > considerations for the client in this case in addition to what gets
> > returned in the Introspection Response (already covered).
> >
> > Thank you.
> >
> > --
> > Best regards,
> > Kathleen

--
Best regards,
Kathleen
Re: [OAUTH-WG] AD Review of draft-ietf-oauth-introspection-07
Kathleen,

Thanks for the update. How would we best handle this situation, since it's really referring to additional information that's outside the scope of the interoperable core? Since we're not specifying what the data is, we're not really in a position to say what the concerns are in a concrete manner. I'm thinking a sentence or two like this in the privacy considerations section:

If the protected resource sends additional information about the client's request to the authorization server using an extension of this specification, such as the client's IP address or other information, such information could have additional privacy considerations.

-- Justin

On 4/19/2015 7:01 PM, Kathleen Moriarty wrote:
> Hello,
>
> Thank you for your work on draft-ietf-oauth-introspection-07. The
> security considerations appear to be addressed well and I was glad to see
> how a response is handled when the response code is false, to not reveal
> information as to why.
>
> The privacy considerations look good, but I do have another question
> that should be addressed in the draft in regard to privacy.
>
> Section 2.1 says an IP address (or something else) might be used to
> provide context of the query, the authorization server could have other
> information about the client. It would be good to mention privacy related
> considerations for the client in this case in addition to what gets
> returned in the Introspection Response (already covered).
>
> Thank you.
>
> --
> Best regards,
> Kathleen