Re: [OAUTH-WG] JWT Destination Claim
Tony, thanks as always for your thoughtful, well reasoned, and helpful comments. I'm well aware of the potential for confusion, which is why I endeavored to address the differences between aud and dst with text in the draft. I do appreciate your permission to use it ourselves and I'll be sure to let the engineers that have already deployed it know that they have your blessing. As I said on Monday, it struck me as something that would have value well beyond our own usage and that was why I wanted to start a conversation about standardization. Your stance on that has been made pretty clear, thanks.

On Wed, Mar 25, 2015 at 6:57 PM, Anthony Nadalin wrote:

> There are some folks out there that are using AUD to mean DST. Adding DST is
> confusing, if you want to use it that's fine but don't see a need to
> standardize every claim that someone comes up with
>
> Sent from my Windows Phone
> --
> From: Brian Campbell
> Sent: 3/25/2015 2:19 PM
> To: Mike Jones
> Cc: oauth
> Subject: Re: [OAUTH-WG] JWT Destination Claim
>
> FWIW, I did have that as an open issue in the draft:
> http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00#appendix-A
>
> Though the way I worded it probably shows my bias.
>
> On Wed, Mar 25, 2015 at 2:16 PM, Mike Jones wrote:
>
>> Thanks for posting this, Brian. To get it down on the list, I’ll
>> repeat my comment made in person that just as “aud” used to be
>> single-valued and ended up being multi-valued, I suspect some applications
>> would require the same thing of “dst” – at least when “aud” and “dst” are
>> different. And even if “dst” becomes multi-valued, it’s OK for particular
>> applications to require that it be single-valued in their usage.
>>
>> -- Mike
>>
>> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Brian
>> Campbell
>> *Sent:* Wednesday, March 25, 2015 2:08 PM
>> *To:* oauth
>> *Subject:* [OAUTH-WG] JWT Destination Claim
>>
>> Here are the slides that I rushed through at the end of the Dallas meeting:
>>
>> https://www.ietf.org/proceedings/92/slides/slides-92-oauth-1.pdf
>>
>> And the -00 draft:
>> http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00
>>
>> In an informal discussion earlier this week John B. suggested that some
>> additional thinking and/or clarification is needed with regard to what
>> parts of the URI to include and check. Particularly with respect to query
>> and fragment. And he's probably right.

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Re: [OAUTH-WG] JWT Destination Claim
There are some folks out there that are using AUD to mean DST. Adding DST is confusing, if you want to use it that's fine but don't see a need to standardize every claim that someone comes up with

Sent from my Windows Phone

From: Brian Campbell <bcampb...@pingidentity.com>
Sent: 3/25/2015 2:19 PM
To: Mike Jones <michael.jo...@microsoft.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT Destination Claim

FWIW, I did have that as an open issue in the draft:
http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00#appendix-A

Though the way I worded it probably shows my bias.

On Wed, Mar 25, 2015 at 2:16 PM, Mike Jones <michael.jo...@microsoft.com> wrote:

Thanks for posting this, Brian. To get it down on the list, I’ll repeat my comment made in person that just as “aud” used to be single-valued and ended up being multi-valued, I suspect some applications would require the same thing of “dst” – at least when “aud” and “dst” are different. And even if “dst” becomes multi-valued, it’s OK for particular applications to require that it be single-valued in their usage.

-- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Wednesday, March 25, 2015 2:08 PM
To: oauth
Subject: [OAUTH-WG] JWT Destination Claim

Here are the slides that I rushed through at the end of the Dallas meeting:
https://www.ietf.org/proceedings/92/slides/slides-92-oauth-1.pdf

And the -00 draft:
http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00

In an informal discussion earlier this week John B. suggested that some additional thinking and/or clarification is needed with regard to what parts of the URI to include and check. Particularly with respect to query and fragment. And he's probably right.
Re: [OAUTH-WG] JWT Destination Claim
FWIW, I did have that as an open issue in the draft:
http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00#appendix-A

Though the way I worded it probably shows my bias.

On Wed, Mar 25, 2015 at 2:16 PM, Mike Jones wrote:

> Thanks for posting this, Brian. To get it down on the list, I’ll repeat
> my comment made in person that just as “aud” used to be single-valued and
> ended up being multi-valued, I suspect some applications would require the
> same thing of “dst” – at least when “aud” and “dst” are different. And
> even if “dst” becomes multi-valued, it’s OK for particular applications to
> require that it be single-valued in their usage.
>
> -- Mike
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Brian
> Campbell
> *Sent:* Wednesday, March 25, 2015 2:08 PM
> *To:* oauth
> *Subject:* [OAUTH-WG] JWT Destination Claim
>
> Here are the slides that I rushed through at the end of the Dallas meeting:
>
> https://www.ietf.org/proceedings/92/slides/slides-92-oauth-1.pdf
>
> And the -00 draft:
> http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00
>
> In an informal discussion earlier this week John B. suggested that some
> additional thinking and/or clarification is needed with regard to what
> parts of the URI to include and check. Particularly with respect to query
> and fragment. And he's probably right.
Re: [OAUTH-WG] JWT Destination Claim
Thanks for posting this, Brian. To get it down on the list, I’ll repeat my comment made in person that just as “aud” used to be single-valued and ended up being multi-valued, I suspect some applications would require the same thing of “dst” – at least when “aud” and “dst” are different. And even if “dst” becomes multi-valued, it’s OK for particular applications to require that it be single-valued in their usage.

-- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Wednesday, March 25, 2015 2:08 PM
To: oauth
Subject: [OAUTH-WG] JWT Destination Claim

Here are the slides that I rushed through at the end of the Dallas meeting:
https://www.ietf.org/proceedings/92/slides/slides-92-oauth-1.pdf

And the -00 draft:
http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00

In an informal discussion earlier this week John B. suggested that some additional thinking and/or clarification is needed with regard to what parts of the URI to include and check. Particularly with respect to query and fragment. And he's probably right.
[OAUTH-WG] JWT Destination Claim
Here are the slides that I rushed through at the end of the Dallas meeting:
https://www.ietf.org/proceedings/92/slides/slides-92-oauth-1.pdf

And the -00 draft:
http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00

In an informal discussion earlier this week John B. suggested that some additional thinking and/or clarification is needed with regard to what parts of the URI to include and check. Particularly with respect to query and fragment. And he's probably right.
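
The two open points in this thread (single- versus multi-valued "dst", and which parts of the URI to compare) can be made concrete with a receiver-side check. This is an added example, not code from the draft or from any participant in the thread; it assumes "dst" carries the URI the JWT is sent to, and the function names, the keep_query and single_valued switches and the sample URIs are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def comparable(uri, keep_query):
    """Reduce a URI to the parts compared (an assumed policy, not the draft's)."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not scheme or not host:
        return None
    # The fragment is never sent to the server, so it is always dropped here.
    query = parts.query if keep_query else ""
    return (scheme, host, port or DEFAULT_PORTS.get(scheme), parts.path or "/", query)


def dst_matches(claims, request_uri, *, keep_query=False, single_valued=False):
    """True if the JWT's "dst" names the URI this request actually arrived at."""
    dst = claims.get("dst")
    if isinstance(dst, str):
        values = [dst]
    elif isinstance(dst, list) and dst and all(isinstance(v, str) for v in dst):
        if single_valued:          # an application may insist on one value
            return False
        values = dst
    else:
        return False               # missing or malformed claim fails closed
    target = comparable(request_uri, keep_query)
    if target is None:
        return False
    return any(comparable(v, keep_query) == target for v in values)


# Constructed sample claims and request URIs (not taken from the thread).
ONE = {"dst": "https://sp.example.com/acs?tenant=a"}
MANY = {"dst": ["https://sp.example.com/acs", "https://sp2.example.com/acs"]}
ARRIVED = "https://SP.example.com:443/acs?tenant=b#section"

if __name__ == "__main__":
    print(dst_matches(ONE, ARRIVED))                   # query ignored
    print(dst_matches(ONE, ARRIVED, keep_query=True))  # query compared
    print(dst_matches(MANY, "https://sp2.example.com/acs"))
    print(dst_matches(MANY, "https://sp2.example.com/acs", single_valued=True))
```

The same token and request are accepted or rejected depending only on whether the query is compared, so sender and receiver have to agree on that policy.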