date:20180209

Re: [OAUTH-WG] FW: New Version Notification for draft-ietf-oauth-jwsreq-15.txt

2018-02-09 Thread n-sakimura

Right. It has been hanging there since July... 

Nat

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Vladimir Dzhuvinov
Sent: Friday, February 09, 2018 5:03 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] FW: New Version Notification for 
draft-ietf-oauth-jwsreq-15.txt

Hi Nat,

I suppose you saw the FAPI WG ticket to consider adding an AS metadata 
parameter for the request object endpoint:

https://bitbucket.org/openid/fapi/issues/134/

Perhaps that issue should be addressed here, in the OAuth WG. But I'm not sure 
what can be done at this stage, with draft-ietf-oauth-jwsreq-15 have gone to 
the IESG.

Vladimir


On 21/07/17 16:25, Nat Sakimura wrote:
> Hi
>
> This version hopefully have addressed all the comments that I received during 
> IESG review. 
> I also added RFC8141 as the reference to URN. 
>
> The main difference from -12 that was posted in March are: 
>
> 1) Now, all the parameters to be used MUST reside within the request object. 
>(It is still possible to be duplicated but they are ignored from 
> the security point of view by the server that supports this spec.)
> 2) Clarified that when request object is stored by the authorization server, 
> `request_uri` can be a URN. 
> 3) Added text on the security risks of using `request_uri` in the security 
> consideration. 
>
> Best,
>
> Nat Sakimura
>
> --
> PLEASE READ :This e-mail is confidential and intended for the named recipient 
> only. If you are not an intended recipient, please notify the sender  and 
> delete this e-mail.
>
>
>> -Original Message-
>> From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org]
>> Sent: Friday, July 21, 2017 10:14 PM
>> To: Nat Sakimura ; John Bradley 
>> 
>> Subject: New Version Notification for draft-ietf-oauth-jwsreq-15.txt
>>
>>
>> A new version of I-D, draft-ietf-oauth-jwsreq-15.txt has been 
>> successfully submitted by Nat Sakimura and posted to the IETF repository.
>>
>> Name:draft-ietf-oauth-jwsreq
>> Revision:15
>> Title:   The OAuth 2.0 Authorization Framework: JWT Secured
>> Authorization Request (JAR)
>> Document date:   2017-07-21
>> Group:   oauth
>> Pages:   26
>> URL:
>> https://www.ietf.org/internet-drafts/draft-ietf-oauth-jwsreq-15.txt
>> Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>> Htmlized:   https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-15
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-15
>> Diff:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-15
>>
>> Abstract:
>>The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>>query parameter serialization, which means that Authorization Request
>>parameters are encoded in the URI of the request and sent through
>>user agents such as web browsers.  While it is easy to implement, it
>>means that (a) the communication through the user agents are not
>>integrity protected and thus the parameters can be tainted, and (b)
>>the source of the communication is not authenticated.  Because of
>>these weaknesses, several attacks to the protocol have now been put
>>forward.
>>
>>This document introduces the ability to send request parameters in a
>>JSON Web Token (JWT) instead, which allows the request to be signed
>>with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
>>(JWE) so that the integrity, source authentication and
>>confidentiality property of the Authorization Request is attained.
>>The request can be sent by value or by reference.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of 
>> submission until the htmlized version and diff are available at 
>> tools.ietf.org.
>>
>> The IETF Secretariat
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] FW: New Version Notification for draft-ietf-oauth-jwsreq-15.txt

2018-02-09 Thread Vladimir Dzhuvinov

Hi Nat,

I suppose you saw the FAPI WG ticket to consider adding an AS metadata
parameter for the request object endpoint:

https://bitbucket.org/openid/fapi/issues/134/

Perhaps that issue should be addressed here, in the OAuth WG. But I'm
not sure what can be done at this stage, with draft-ietf-oauth-jwsreq-15
have gone to the IESG.

Vladimir


On 21/07/17 16:25, Nat Sakimura wrote:
> Hi
>
> This version hopefully have addressed all the comments that I received during 
> IESG review. 
> I also added RFC8141 as the reference to URN. 
>
> The main difference from -12 that was posted in March are: 
>
> 1) Now, all the parameters to be used MUST reside within the request object. 
>(It is still possible to be duplicated but they are ignored from the 
> security point of view by the server that supports this spec.)
> 2) Clarified that when request object is stored by the authorization server, 
> `request_uri` can be a URN. 
> 3) Added text on the security risks of using `request_uri` in the security 
> consideration. 
>
> Best, 
>
> Nat Sakimura
>
> --
> PLEASE READ :This e-mail is confidential and intended for the named recipient 
> only. If you are not an intended recipient, please notify the sender  and 
> delete this e-mail.
>
>
>> -Original Message-
>> From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org]
>> Sent: Friday, July 21, 2017 10:14 PM
>> To: Nat Sakimura ; John Bradley 
>> 
>> Subject: New Version Notification for draft-ietf-oauth-jwsreq-15.txt
>>
>>
>> A new version of I-D, draft-ietf-oauth-jwsreq-15.txt has been 
>> successfully submitted by Nat Sakimura and posted to the IETF repository.
>>
>> Name:draft-ietf-oauth-jwsreq
>> Revision:15
>> Title:   The OAuth 2.0 Authorization Framework: JWT Secured
>> Authorization Request (JAR)
>> Document date:   2017-07-21
>> Group:   oauth
>> Pages:   26
>> URL:
>> https://www.ietf.org/internet-drafts/draft-ietf-oauth-jwsreq-15.txt
>> Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>> Htmlized:   https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-15
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-15
>> Diff:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-15
>>
>> Abstract:
>>The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>>query parameter serialization, which means that Authorization Request
>>parameters are encoded in the URI of the request and sent through
>>user agents such as web browsers.  While it is easy to implement, it
>>means that (a) the communication through the user agents are not
>>integrity protected and thus the parameters can be tainted, and (b)
>>the source of the communication is not authenticated.  Because of
>>these weaknesses, several attacks to the protocol have now been put
>>forward.
>>
>>This document introduces the ability to send request parameters in a
>>JSON Web Token (JWT) instead, which allows the request to be signed
>>with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
>>(JWE) so that the integrity, source authentication and
>>confidentiality property of the Authorization Request is attained.
>>The request can be sent by value or by reference.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of 
>> submission until the htmlized version and diff are available at 
>> tools.ietf.org.
>>
>> The IETF Secretariat
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth




smime.p7s
Description: S/MIME Cryptographic Signature
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] FW: New Version Notification for draft-ietf-oauth-jwsreq-15.txt

Re: [OAUTH-WG] FW: New Version Notification for draft-ietf-oauth-jwsreq-15.txt

2 matches

Site Navigation

Mail list logo

Footer information