Re: [OAUTH-WG] The use of sub in POP-02

2015-03-23 Thread Brian Campbell
+1 The JWT may well be about the sub but presented by some software component that should be independently identified. On Mon, Mar 23, 2015 at 2:25 AM, Nat Sakimura sakim...@gmail.com wrote: Re: https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3 I understand the

Re: [OAUTH-WG] minor issue with scope and RFC 6749 ABNF in sasl-oauth

2015-03-23 Thread Jamie Nicolson
Gmail always returns a non-empty scope value in our error response, so the proposed protocol change would not affect our implementation. On Sun, Mar 22, 2015 at 10:26 PM, Benjamin Kaduk ka...@mit.edu wrote: Hi all, During the shepherd review for draft-ietf-kitten-sasl-oauth-19, I noticed an

[OAUTH-WG] OAuth Token Swap (token chaining)

2015-03-23 Thread Justin Richer
As mentioned in today’s IETF meeting, here are the two drafts dealing with generic token swap: https://tools.ietf.org/html/draft-hunt-oauth-chain-01 https://tools.ietf.org/html/draft-richer-oauth-chain-00

Re: [OAUTH-WG] The use of sub in POP-02

2015-03-23 Thread Torsten Lodderstedt
+1 sounds reasonable to distinguish the software and the user. On 23 March 2015 08:25:13 CET, Nat Sakimura sakim...@gmail.com wrote: Re: https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3 I understand the use of sub in this section comes down from SAML but I feel

[OAUTH-WG] The use of sub in POP-02

2015-03-23 Thread Nat Sakimura
Re: https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3 I understand the use of sub in this section comes down from SAML but I feel that some separation between sub and presenter would be nice. For example, when I am presenting the token using an app that I installed on

[OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Brian Campbell
Do folks in the WG think there'd be utility in having a way to identify the finger/thumbprint of a key in the cnf claim. A presenter might, for example, present the JWT along with a public JWK and some proof-of-possession of that JWK. And the JWK would be bound to the JWT via the thumbprint,

[OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?

2015-03-23 Thread Brian Campbell
When the JWT is itself encrypted as a JWE, would it not be reasonable to have a symmetric key be represented in the cnf claim with the jwk member as an unencrypted JSON Web Key? Is such a possibility left as an exercise to the reader? Or should it be more explicitly allowed or disallowed?

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Brian Campbell
Yes, kid could do it. It just seemed less than ideal and that, for confirmation, it might be useful to explicitly say this is the thumbprint of the key that'll confirm this JWT rather than here's something that points to a key for confirmation and in some cases it might be a thumbprint. But I just

[OAUTH-WG] Federated Authentication for RDAP

2015-03-23 Thread Hollenbeck, Scott
I was going to ask this question during the just-concluded WG session at IETF-92, but with a full agenda and little time I thought it might be better to ask this question on-list. The Registration Data Access Protocol (RDAP, a work product of the WEIRDS WG) uses a RESTful web service to access

Re: [OAUTH-WG] Lunch (pre-)Meeting Monday

2015-03-23 Thread Brian Campbell
Looks like we are heading to the bbq grill at the hotel, if you're (Hannes) late and still want to join us. On Mar 22, 2015 6:10 PM, Derek Atkins de...@ihtfp.com wrote: Hi, Hannes and I would like to have a lunch meeting before the OAUTH meeting to chat about various ongoing WG activities.

[OAUTH-WG] Why are fragment components forbidden in the redirect_uri?

2015-03-23 Thread Adam Renberg
Section 3.1.2. of RFC6794 [0] says that: The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The endpoint URI MAY include an application/x-www-form-urlencoded formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Brian Campbell
Yeah, it could be done with kid. But that would require a bit more out-of-band understanding between the parties to know that the kid is, in fact, a thumbprint. Seems like it'd be better to outright support a thumbprint rather than overloading kid, if thumbprint representation of the key for

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Mike Jones
In JWT, we generally use key IDs to identify keys. Per draft-ietf-jose-jwt-thumbprint, a thumbprint is *one* value that can be used as a key ID, but it's not the only one. That's up to the application. But especially since Jim Schaad had us take out the thumbprint claim names, kid is the clear winner as the

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Nat Sakimura
ok, this is a full circle to my original comment Would not kid do? On Mon, 23 Mar 2015 13:52, Brian Campbell bcampb...@pingidentity.com wrote: I wasn't necessarily suggesting to drop the kid one. On Mon, Mar 23, 2015 at 1:00 PM, Nat Sakimura sakim...@gmail.com wrote: +1 for dropping kid in favor of

[OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-management-11.txt

2015-03-23 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : OAuth 2.0 Dynamic Client Registration Management Protocol Authors : Justin Richer

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Nat Sakimura
+1 for dropping kid in favor of thumbprint. On Mon, 23 Mar 2015 12:56, Brian Campbell bcampb...@pingidentity.com wrote: Yeah, it could be done with kid. But that would require a bit more out-of-band understanding between the parties to know that the kid is, in fact, a thumbprint. Seems like it'd be better

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Justin Richer
+1 The thumbprint is a semantic way to identify a key. The key id claim name is the syntactic representation of a key identifier of any type. One type of key ID is a thumbprint. One place to put a thumbprint is in a key ID. — Justin On Mar 23, 2015, at 1:47 PM, Mike Jones

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Brian Campbell
I wasn't necessarily suggesting to drop the kid one. On Mon, Mar 23, 2015 at 1:00 PM, Nat Sakimura sakim...@gmail.com wrote: +1 for dropping kid in favor of thumbprint. On Mon, 23 Mar 2015 12:56, Brian Campbell bcampb...@pingidentity.com wrote: Yeah, it could be done with kid. But that would require a