[OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07

2018-03-19 Thread Rifaat Shekh-Yusef
 All,

As discussed during the meeting today, we are starting a WGLC on the MTLS
document:
https://tools.ietf.org/html/draft-ietf-oauth-mtls-07

Please, review the document and provide feedback on any issues you see with
the document.

The WGLC will end in two weeks, on April 2, 2018.

Regards,
 Rifaat and Hannes
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-19 Thread Joseph Heenan
Hi Torsten,

As we briefly spoke about earlier, "3.8.1. Authorization Server as Open 
Redirector" could I think be made more explicit.

Currently it explicitly mentions the invalid_request and invalid_scope errors 
must not redirect back to the client's registered redirect uri.

https://tools.ietf.org/html/rfc6749#section-4.1.2.1 defines several more 
potential errors that appear to fall into the same category. I understand to 
block the attack fully we need 'must not redirect's for all the kinds of error 
that could cause an automatic redirect back to the client's registered redirect 
uri without any user interaction - 'unauthorized_client' and 
'unsupported_response_type' seem to fall into that category. 'server_error' 
also seems dodgy (I would wager that on some servers that are known ways to 
provoke server errors), and I would have doubts about 'temporarily_unavailable' 
too.

Thanks

Joseph



Re: [OAUTH-WG] Publication has been requested for draft-ietf-oauth-device-flow-07

2018-03-19 Thread Justin Richer
Something to consider in the new security text that’s just occurred to me: 

If an attacker gets their account tied to a user’s device, there’s a risk that 
the attacker would potentially be able to get that user’s information as input 
through the device. Setting aside the obvious alexa-style panopticon boxes for 
a minute, just think of a set-top box that allows you to enter your credit card 
information through the device itself. You’d then be buying your attacker the 
new season of Stargate, or whatever.

 — Justin

> On Mar 19, 2018, at 12:06 PM, William Denniss  wrote:
> 
> The update has been posted and is now available. 
> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-08 
> 
> 
> Thanks Scott for the feedback, and Justin for reviewing!
> 
> 
> On Thu, Mar 8, 2018 at 6:19 PM Justin Richer wrote:
> +1
> 
>> On Mar 5, 2018, at 10:23 PM, William Denniss wrote:
>> 
>> Thanks again for the feedback Scott. I've staged an update here: 
>> https://github.com/WilliamDenniss/draft-ietf-oauth-device-flow/pull/6 
>> 
>> 
>> It expands on the brute force attack section to include some detail on this 
>> attack, as it is quite unique for OAuth brute-force attacks (since the 
>> victim actually ends up with the attacker's grant on the device, instead of 
>> the other way around – not that this is totally safe of course, it's just 
>> unique).  It also adds some further discussion around what factors need to 
>> be considered by authorization servers when creating the user code format.
>> 
>> I'll post this once my co-authors have reviewed, and the submission tool 
>> re-opens.
>> 
>> 
>> On Fri, Jan 5, 2018 at 10:56 AM Rifaat Shekh-Yusef wrote:
>> Hi Scott,
>> 
>> Sorry, I missed that last discussion that you had with William.
>> 
>> 
>> William,
>> 
>> Can you please update the document based on your last discussion with Scott?
>> I will then update the request for publication to use the new updated 
>> version.
>> 
>> Regards,
>>  Rifaat
>> 
>> 
>> 
>> On Fri, Jan 5, 2018 at 12:40 PM, Hollenbeck, Scott wrote:
>> > -Original Message-
>> > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Rifaat Shekh-Yusef
>> > Sent: Friday, January 05, 2018 12:30 PM
>> > To: e...@rtfm.com
>> > Cc: oauth@ietf.org; iesg-secret...@ietf.org; oauth-cha...@ietf.org
>> > Subject: [EXTERNAL] [OAUTH-WG] Publication has been requested for
>> > draft-ietf-oauth-device-flow-07
>> >
>> > Rifaat Shekh-Yusef has requested publication of
>> > draft-ietf-oauth-device-flow-07 as Proposed Standard on behalf of the
>> > OAUTH working group.
>> >
>> > Please verify the document's state at
>> > https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>> 
>> The document really should be updated to reflect the last call discussions 
>> prior to requesting publication for the -07 version that needs to be updated.
>> 
>> Scott
>> 
>> 
> 



[OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-08.txt

2018-03-19 Thread internet-drafts

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

Title   : OAuth 2.0 Device Flow for Browserless and Input 
Constrained Devices
Authors : William Denniss
  John Bradley
  Michael B. Jones
  Hannes Tschofenig
Filename: draft-ietf-oauth-device-flow-08.txt
Pages   : 18
Date: 2018-03-19

Abstract:
   This OAuth 2.0 authorization flow for browserless and input
   constrained devices, often referred to as the device flow, enables
   OAuth clients to request user authorization from devices that have an
   Internet connection, but don't have an easy input method (such as a
   smart TV, media console, picture frame, or printer), or lack a
   suitable browser for a more traditional OAuth flow.  This
   authorization flow instructs the user to perform the authorization
   request on a secondary device, such as a smartphone.  There is no
   requirement for communication between the constrained device and the
   user's secondary device.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-08
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-device-flow-08

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-08


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Brian Campbell
And let us not forget about JWS unencoded payload
https://tools.ietf.org/html/rfc7797

On Mar 19, 2018 11:41 AM, "Samuel Erdtman"  wrote:

> Hi,
>
> Adding an additional proposal to the table. Mike Jones, Anders Rundgren
> and I have created a version of JWS there the signed JSON data does not
> have to be Base64url encoded (the JSON is signed using ES6 serialization
> rules). One of the benefits to this approach would be that the
> introspection data is transferred in cleartext while still fully protected.
> Since it is transferred in the response body and not in a URL there is no
> need for the Base64url encoding.
>
> The draft can be found here
> https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws-00
>
> And the example from your draft would look like this (the signature is not
> valid, I just copied it from another place)
> {
>   "sub": "Z5O3upPC88QrAjx00dis",
>   "aud": "https://protected.example.net/resource",
>   "extension_field": "twenty-seven",
>   "scope": "read write dolphin",
>   "iss": "https://server.example.com/",
>   "active": true,
>   "exp": 1419356238,
>   "iat": 1419350238,
>   "client_id": "l238j323ds-23ij4",
>   "username": "jdoe",
>   "__cleartext_signature": {
>     "alg": "ES256",
>     "kid": "example.com:p256",
>     "signature": "pXP0GFHms0SntctNk1G1pHZfccVYdZkmAJktY_hpMsIAckzX7wZJIJNlsBzmJ1_7LmKATiW-YHHZjsYdT96JZw"
>   }
> }
>
>
>
>
> On Mon, Mar 19, 2018 at 11:22 AM, Phil Hunt  wrote:
>
>> +1.  This is what I expected.
>>
>> Phil
>>
>> Oracle Corporation, Identity Cloud Services Architect
>> @independentid
>> www.independentid.com
>> phil.h...@oracle.com
>>
>> On Mar 19, 2018, at 10:16 AM, Torsten Lodderstedt <
>> tors...@lodderstedt.net> wrote:
>>
>> We explicitly want the token (JSON object) to be signed not the HTTP
>> response. I think using JWS is the most generic way to achieve that goal.
>>
>> On 19.03.2018 at 09:57, Phil Hunt wrote:
>>
>> This draft has similar issues to https://tools.ietf.org/html
>> /draft-richer-oauth-signed-http-request-01
>>
>> Rather than *try* sign HTTP, a signed JWT object is more reliably
>> returned.
>>
>> Phil
>>
>>
>> On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis <
>> louis.larmig...@wavestone.com> wrote:
>>
>> Hi,
>>
>> The draft *Signing HTTP Messages*
>> (https://tools.ietf.org/html/draft-cavage-http-signatures-09) could
>> not meet this requirement in a more generic way?
>>
>> Regards,
>> Louis
>>
>> *From:* OAuth *On behalf of* Brock Allen
>> *Sent:* Sunday, 18 March 2018 20:40
>> *To:* Torsten Lodderstedt; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] Fwd: New Version Notification for
>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>
>> Why is TLS to the intospection endpoint not sufficient? Are you thinking
>> there needs to be some multi-tenancy support of some kind?
>>
>> -Brock
>>
>>
>> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt 
>> wrote:
>> Hi all,
>>
>> I just submitted a new draft that Vladimir Dzhuvinov and I have written.
>> It proposes a JWT-based response type for Token Introspection. The
>> objective is to provide resource servers with signed tokens in case they
>> need cryptographic evidence that the AS created the token (e.g. for
>> liability).
>>
>> I will present the new draft in the session on Wednesday.
>>
>> kind regards,
>> Torsten.
>>
>>
>> Begin forwarded message:
>>
>> *From: *internet-dra...@ietf.org
>> *Subject: New Version Notification for
>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt*
>> *Date: *18 March 2018 at 20:19:37 CET
>> *To: *"Vladimir Dzhuvinov", "Torsten
>> Lodderstedt"
>>
>>
>>
>> A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>>
>> Name:   draft-lodderstedt-oauth-jwt-introspection-response
>> Revision: 00
>> Title:  JWT Response for OAuth Token Introspection
>> Document date:  2018-03-15
>> Group:  Individual Submission
>> Pages:  5
>> URL:https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>> Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>> Htmlized:   https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
>> Htmlized:   https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>> 
>>
>>
>> Abstract:
>>   This draft proposes an additional JSON Web Token (JWT) based response
>>   for OAuth 2.0 Token Introspection.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Samuel Erdtman
Hi,

Adding an additional proposal to the table. Mike Jones, Anders Rundgren and
I have created a version of JWS where the signed JSON data does not have to
be Base64url encoded (the JSON is signed using ES6 serialization rules).
One of the benefits to this approach would be that the introspection data
is transferred in cleartext while still fully protected. Since it is
transferred in the response body and not in a URL there is no need for the
Base64url encoding.

The draft can be found here
https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws-00

And the example from your draft would look like this (the signature is not
valid, I just copied it from another place)
{
  "sub": "Z5O3upPC88QrAjx00dis",
  "aud": "https://protected.example.net/resource",
  "extension_field": "twenty-seven",
  "scope": "read write dolphin",
  "iss": "https://server.example.com/",
  "active": true,
  "exp": 1419356238,
  "iat": 1419350238,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "__cleartext_signature": {
    "alg": "ES256",
    "kid": "example.com:p256",
    "signature": "pXP0GFHms0SntctNk1G1pHZfccVYdZkmAJktY_hpMsIAckzX7wZJIJNlsBzmJ1_7LmKATiW-YHHZjsYdT96JZw"
  }
}




On Mon, Mar 19, 2018 at 11:22 AM, Phil Hunt  wrote:

> +1.  This is what I expected.
>
> Phil
>
> Oracle Corporation, Identity Cloud Services Architect
> @independentid
> www.independentid.com
> phil.h...@oracle.com
>
> On Mar 19, 2018, at 10:16 AM, Torsten Lodderstedt 
> wrote:
>
> We explicitly want the token (JSON object) to be signed not the HTTP
> response. I think using JWS is the most generic way to achieve that goal.
>
> On 19.03.2018 at 09:57, Phil Hunt wrote:
>
> This draft has similar issues to https://tools.ietf.org/
> html/draft-richer-oauth-signed-http-request-01
>
> Rather than *try* sign HTTP, a signed JWT object is more reliably returned.
>
> Phil
>
>
> On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis <
> louis.larmig...@wavestone.com> wrote:
>
> Hi,
>
> The draft *Signing HTTP Messages*
> (https://tools.ietf.org/html/draft-cavage-http-signatures-09) could not
> meet this requirement in a more generic way?
>
> Regards,
> Louis
>
> *From:* OAuth *On behalf of* Brock Allen
> *Sent:* Sunday, 18 March 2018 20:40
> *To:* Torsten Lodderstedt; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Fwd: New Version Notification for
> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>
> Why is TLS to the intospection endpoint not sufficient? Are you thinking
> there needs to be some multi-tenancy support of some kind?
>
> -Brock
>
>
> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt 
> wrote:
> Hi all,
>
> I just submitted a new draft that Vladimir Dzhuvinov and I have written.
> It proposes a JWT-based response type for Token Introspection. The
> objective is to provide resource servers with signed tokens in case they
> need cryptographic evidence that the AS created the token (e.g. for
> liability).
>
> I will present the new draft in the session on Wednesday.
>
> kind regards,
> Torsten.
>
>
> Begin forwarded message:
>
> *From: *internet-dra...@ietf.org
> *Subject: New Version Notification for
> draft-lodderstedt-oauth-jwt-introspection-response-00.txt*
> *Date: *18 March 2018 at 20:19:37 CET
> *To: *"Vladimir Dzhuvinov", "Torsten
> Lodderstedt"
>
>
>
> A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> has been successfully submitted by Torsten Lodderstedt and posted to the
> IETF repository.
>
> Name:   draft-lodderstedt-oauth-jwt-introspection-response
> Revision: 00
> Title:  JWT Response for OAuth Token Introspection
> Document date:  2018-03-15
> Group:  Individual Submission
> Pages:  5
> URL:https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
> Htmlized:   https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
> Htmlized:   https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
> 
>
>
> Abstract:
>   This draft proposes an additional JSON Web Token (JWT) based response
>   for OAuth 2.0 Token Introspection.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> The information transmitted in the present email including the attachment
> is intended only for the person to whom or entity to which it is addressed
> and may contain confidential and/or privileged material. Any review,
> retransmission, dissemination or other use of, or taking of any action in
> reliance upon this information by persons or 

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Phil Hunt
+1.  This is what I expected.

Phil

Oracle Corporation, Identity Cloud Services Architect
@independentid
www.independentid.com phil.h...@oracle.com 


> On Mar 19, 2018, at 10:16 AM, Torsten Lodderstedt  
> wrote:
> 
> We explicitly want the token (JSON object) to be signed not the HTTP 
> response. I think using JWS is the most generic way to achieve that goal.
> 
>> On 19.03.2018 at 09:57, Phil Hunt wrote:
>> 
>> This draft has similar issues to 
>> https://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01 
>> 
>> 
>> Rather than *try* sign HTTP, a signed JWT object is more reliably returned.
>> 
>> Phil
>> 
>> 
>>> On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis wrote:
>>> 
>>> Hi,
>>>  
>>> The draft Signing HTTP Messages
>>> (https://tools.ietf.org/html/draft-cavage-http-signatures-09) could not
>>> meet this requirement in a more generic way?
>>>  
>>> Regards,
>>> Louis
>>>  
>>> From: OAuth [mailto:oauth-boun...@ietf.org] On behalf of Brock Allen
>>> Sent: Sunday, 18 March 2018 20:40
>>> To: Torsten Lodderstedt; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] Fwd: New Version Notification for
>>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>>  
>>> Why is TLS to the intospection endpoint not sufficient? Are you thinking 
>>> there needs to be some multi-tenancy support of some kind?
>>>  
>>> -Brock
>>>  
>>> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt wrote:
>>> 
>>> Hi all,
>>>  
>>> I just submitted a new draft that Vladimir Dzhuvinov and I have written. It 
>>> proposes a JWT-based response type for Token Introspection. The objective 
>>> is to provide resource servers with signed tokens in case they need 
>>> cryptographic evidence that the AS created the token (e.g. for liability). 
>>>  
>>> I will present the new draft in the session on Wednesday.
>>>  
>>> kind regards,
>>> Torsten. 
>>> 
>>> 
>>> Begin forwarded message:
>>>  
>>> From: internet-dra...@ietf.org
>>> Subject: New Version Notification for
>>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>> Date: 18 March 2018 at 20:19:37 CET
>>> To: "Vladimir Dzhuvinov", "Torsten Lodderstedt" <tors...@lodderstedt.net>
>>>  
>>> 
>>> A new version of I-D, 
>>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>> has been successfully submitted by Torsten Lodderstedt and posted to the
>>> IETF repository.
>>> 
>>> Name:   draft-lodderstedt-oauth-jwt-introspection-response
>>> Revision: 00
>>> Title:  JWT Response for OAuth Token Introspection
>>> Document date:  2018-03-15
>>> Group:  Individual Submission
>>> Pages:  5
>>> URL:
>>> https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>>  
>>> 
>>> Status: 
>>> https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>>>  
>>> 
>>> Htmlized:   
>>> https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
>>>  
>>> 
>>> Htmlized:   
>>> https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>>>  
>>> 
>>> 
>>> 
>>> Abstract:
>>>   This draft proposes an additional JSON Web Token (JWT) based response
>>>   for OAuth 2.0 Token Introspection.
>>> 
>>> 
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> The IETF Secretariat
>>> 
>>>  

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Torsten Lodderstedt
We explicitly want the token (JSON object) to be signed not the HTTP response. 
I think using JWS is the most generic way to achieve that goal.

> On 19.03.2018 at 09:57, Phil Hunt wrote:
> 
> This draft has similar issues to 
> https://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01 
> 
> 
> Rather than *try* sign HTTP, a signed JWT object is more reliably returned.
> 
> Phil
> 
> 
>> On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis wrote:
>> 
>> Hi,
>>  
>> The draft Signing HTTP Messages
>> (https://tools.ietf.org/html/draft-cavage-http-signatures-09) could not
>> meet this requirement in a more generic way?
>>  
>> Regards,
>> Louis
>>  
>> From: OAuth [mailto:oauth-boun...@ietf.org] On behalf of Brock Allen
>> Sent: Sunday, 18 March 2018 20:40
>> To: Torsten Lodderstedt; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Fwd: New Version Notification for
>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>  
>> Why is TLS to the intospection endpoint not sufficient? Are you thinking 
>> there needs to be some multi-tenancy support of some kind?
>>  
>> -Brock
>>  
>> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt wrote:
>> 
>> Hi all,
>>  
>> I just submitted a new draft that Vladimir Dzhuvinov and I have written. It 
>> proposes a JWT-based response type for Token Introspection. The objective is 
>> to provide resource servers with signed tokens in case they need 
>> cryptographic evidence that the AS created the token (e.g. for liability). 
>>  
>> I will present the new draft in the session on Wednesday.
>>  
>> kind regards,
>> Torsten. 
>> 
>> 
>> Begin forwarded message:
>>  
>> From: internet-dra...@ietf.org
>> Subject: New Version Notification for
>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>> Date: 18 March 2018 at 20:19:37 CET
>> To: "Vladimir Dzhuvinov", "Torsten Lodderstedt" <tors...@lodderstedt.net>
>>  
>> 
>> A new version of I-D, 
>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>> 
>> Name:   draft-lodderstedt-oauth-jwt-introspection-response
>> Revision: 00
>> Title:  JWT Response for OAuth Token Introspection
>> Document date:  2018-03-15
>> Group:  Individual Submission
>> Pages:  5
>> URL:
>> https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>  
>> 
>> Status: 
>> https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>>  
>> 
>> Htmlized:   
>> https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
>>  
>> 
>> Htmlized:   
>> https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>>  
>> 
>> 
>> 
>> Abstract:
>>   This draft proposes an additional JSON Web Token (JWT) based response
>>   for OAuth 2.0 Token Introspection.
>> 
>> 
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>> 
>> The IETF Secretariat
>> 
>>  

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Torsten Lodderstedt

> On 18.03.2018 at 20:40, Brock Allen wrote:
> 
> Why is TLS to the intospection endpoint not sufficient?

TLS is sufficient, if AS and RS want to ensure the integrity of the token data 
(on transit). But there are use cases, where the RS wants evidence (== digital 
signature over the token) who created the token. This is for 
non-repudiation/liability.

> Are you thinking there needs to be some multi-tenancy support of some kind?

With respect to what party? The draft allows every RS to choose the response 
type and if JWT, the algorithms to use. 

kind regards,
Torsten.   
 
> 
> -Brock
> 
>> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt  wrote:
>> 
>> Hi all,
>> 
>> I just submitted a new draft that Vladimir Dzhuvinov and I have written. It 
>> proposes a JWT-based response type for Token Introspection. The objective is 
>> to provide resource servers with signed tokens in case they need 
>> cryptographic evidence that the AS created the token (e.g. for liability). 
>> 
>> I will present the new draft in the session on Wednesday.
>> 
>> kind regards,
>> Torsten. 
>> 
>>> Begin forwarded message:
>>> 
>>> From: internet-dra...@ietf.org
>>> Subject: New Version Notification for
>>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>> Date: 18 March 2018 at 20:19:37 CET
>>> To: "Vladimir Dzhuvinov", "Torsten Lodderstedt" <tors...@lodderstedt.net>
>>> 
>>> 
>>> A new version of I-D, 
>>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>> has been successfully submitted by Torsten Lodderstedt and posted to the
>>> IETF repository.
>>> 
>>> Name:   draft-lodderstedt-oauth-jwt-introspection-response
>>> Revision:   00
>>> Title:  JWT Response for OAuth Token Introspection
>>> Document date:  2018-03-15
>>> Group:  Individual Submission
>>> Pages:  5
>>> URL:
>>> https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>>  
>>> 
>>> Status: 
>>> https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>>>  
>>> 
>>> Htmlized:   
>>> https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
>>>  
>>> 
>>> Htmlized:   
>>> https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>>>  
>>> 
>>> 
>>> 
>>> Abstract:
>>>   This draft proposes an additional JSON Web Token (JWT) based response
>>>   for OAuth 2.0 Token Introspection.
>>> 
>>> 
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> The IETF Secretariat
>>> 
>> 





Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Phil Hunt
This draft has similar issues to 
https://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01

Rather than *try* sign HTTP, a signed JWT object is more reliably returned.

Phil


> On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis  
> wrote:
> 
> Hi,
>  
> The draft Signing HTTP Messages
> (https://tools.ietf.org/html/draft-cavage-http-signatures-09) could not meet
> this requirement in a more generic way?
>  
> Regards,
> Louis
>  
> From: OAuth [mailto:oauth-boun...@ietf.org] On behalf of Brock Allen
> Sent: Sunday, 18 March 2018 20:40
> To: Torsten Lodderstedt; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Fwd: New Version Notification for
> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>  
> Why is TLS to the intospection endpoint not sufficient? Are you thinking 
> there needs to be some multi-tenancy support of some kind?
>  
> -Brock
>  
> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt wrote:
> 
> Hi all,
>  
> I just submitted a new draft that Vladimir Dzhuvinov and I have written. It 
> proposes a JWT-based response type for Token Introspection. The objective is 
> to provide resource servers with signed tokens in case they need 
> cryptographic evidence that the AS created the token (e.g. for liability). 
>  
> I will present the new draft in the session on Wednesday.
>  
> kind regards,
> Torsten. 
> 
> 
> Begin forwarded message:
>  
> From: internet-dra...@ietf.org
> Subject: New Version Notification for
> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> Date: 18 March 2018 at 20:19:37 CET
> To: "Vladimir Dzhuvinov", "Torsten Lodderstedt" <tors...@lodderstedt.net>
>  
> 
> A new version of I-D, 
> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> has been successfully submitted by Torsten Lodderstedt and posted to the
> IETF repository.
> 
> Name:   draft-lodderstedt-oauth-jwt-introspection-response
> Revision: 00
> Title:  JWT Response for OAuth Token Introspection
> Document date:  2018-03-15
> Group:  Individual Submission
> Pages:  5
> URL:
> https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>  
> 
> Status: 
> https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>  
> 
> Htmlized:   
> https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
>  
> 
> Htmlized:   
> https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>  
> 
> 
> 
> Abstract:
>   This draft proposes an additional JSON Web Token (JWT) based response
>   for OAuth 2.0 Token Introspection.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
>  
> 



Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread LARMIGNAT Louis
Hi,

The draft Signing HTTP Messages 
(https://tools.ietf.org/html/draft-cavage-http-signatures-09) could not meet 
this requirement in a more generic way?

Regards,
Louis

From: OAuth On behalf of Brock Allen
Sent: Sunday, 18 March 2018 20:40
To: Torsten Lodderstedt; oauth@ietf.org
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for 
draft-lodderstedt-oauth-jwt-introspection-response-00.txt

Why is TLS to the intospection endpoint not sufficient? Are you thinking there 
needs to be some multi-tenancy support of some kind?

-Brock


On 3/18/2018 3:33:16 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
Hi all,

I just submitted a new draft that Vladimir Dzhuvinov and I have written. It 
proposes a JWT-based response type for Token Introspection. The objective is to 
provide resource servers with signed tokens in case they need cryptographic 
evidence that the AS created the token (e.g. for liability).

I will present the new draft in the session on Wednesday.

kind regards,
Torsten.


Begin forwarded message:

From: internet-dra...@ietf.org
Subject: New Version Notification for 
draft-lodderstedt-oauth-jwt-introspection-response-00.txt
Date: 18 March 2018 at 20:19:37 CET
To: "Vladimir Dzhuvinov" <vladi...@connect2id.com>, "Torsten 
Lodderstedt" <tors...@lodderstedt.net>


A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-00.txt
has been successfully submitted by Torsten Lodderstedt and posted to the
IETF repository.

Name:   draft-lodderstedt-oauth-jwt-introspection-response
Revision: 00
Title:  JWT Response for OAuth Token Introspection
Document date:  2018-03-15
Group:  Individual Submission
Pages:  5
URL:
https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
Status: 
https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
Htmlized:   
https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
Htmlized:   
https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response


Abstract:
  This draft proposes an additional JSON Web Token (JWT) based response
  for OAuth 2.0 Token Introspection.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
