[OAUTH-WG] Explicit typing of SD-JWTs (was SD-JWT architecture feedback)

2024-09-21 Thread Michael Jones
Actually, the JWT BCP (which we were both authors of) does not recommend using a single media type. Rather, it recommends using a specific media type suffix in the “typ” values: When explicit typing is employed for a JWT, it

[OAUTH-WG] Leading underscores in SD-JWT Claim Names (was SD-JWT architecture feedback)

2024-09-21 Thread Michael Jones
SD-JWT is following an existing OAuth (and OpenID) convention by including an underscore prefix in the names of claims about claims. You’ll find that _claim_names and _claim_sources are registered at https://www.iana.org/assignments/jwt/jwt.xhtml, which are both claims about claims, rather tha

[OAUTH-WG] Re: Call for adoption - PIKA

2024-09-18 Thread Michael Jones
e spec clearly says that the certificates used MUST NOT be TLS certificates. Sincerely, -- Mike From: Richard Barnes Sent: Wednesday, September 18, 2024 7:28 AM To: Michael

[OAUTH-WG] Re: WGLC for SD-JWT

2024-09-17 Thread Michael Jones
I'm going to resurrect exactly one of my previous review comments that was not addressed. The original comment was: 6.1. Issuance

[OAUTH-WG] Re: Call for adoption - PIKA

2024-09-16 Thread Michael Jones
From: Richard Barnes Sent: Monday, September 16, 2024 2:10 PM To: Michael Jones Cc: Rifaat Shekh-Yusef ; oauth Subject: Re: [OAUTH-WG] Re: Call for adoption - PIKA Hi Mike, This is a call for *adoption*, not a WGLC. Our thinking was that these were fine problems for the WG to work on. The

[OAUTH-WG] Re: Call for adoption - PIKA

2024-09-16 Thread Michael Jones
I regret to have to report that the issues that I believe resulted in the first call for adoption failing, despite being discussed on-list and at IETF 120, have not been addressed in the specification. I did have a productive con

[OAUTH-WG] Re: Feedback on OAuth 2.0 Protected Resource Metadata

2024-09-16 Thread Michael Jones
This is addressed in https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-10.html. -- Mike From: Michael Jones Sent: Saturday, September 14, 2024 4:49 PM To: Ralph Bragg ; oauth@ietf.org Subject: RE: Feedback on OAuth

[OAUTH-WG] Re: Feedback on OAuth 2.0 Protected Resource Metadata

2024-09-14 Thread Michael Jones
From: Ralph Bragg Sent: Friday, September 13, 2024 8:34 PM To: Michael Jones ; michael_b_jo...@hotmail.com; oauth@ietf.org Subject: Feedback on OAuth 2.0 Protected Resource Metadata Hi, Can I please request that additional metadata types for describing resource access requirements be included

[OAUTH-WG] OAuth 2.0 Protected Resource Metadata draft addressing reviews since IETF Last Call

2024-09-13 Thread Michael Jones
Aaron Parecki and I published a new version of the "OAuth 2.0 Protected Resource Metadata" specification that addresses the review comments received since the IETF Last Call. Per the history entries, the changes were: * Added metadata values declaring support for DPoP an

[OAUTH-WG] Re: Opsdir last call review of draft-ietf-oauth-resource-metadata-08

2024-09-13 Thread Michael Jones
Bo, the newly published version of https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/ incorporates the changes to address your review comments. Thanks again! -- Mike -Original Message- From: Michael Jones

[OAUTH-WG] Re: Secdir last call review of draft-ietf-oauth-resource-metadata-08

2024-09-13 Thread Michael Jones
Mandelberg Sent: Thursday, September 12, 2024 4:42 PM To: Michael Jones ; sec...@ietf.org Cc: draft-ietf-oauth-resource-metadata@ietf.org; last-c...@ietf.org; oauth@ietf.org; Arnt Gulbrandsen ; Deb Cooley Subject: Re: Secdir last call review of draft-ietf-oauth-resource-metadata-08 Those

[OAUTH-WG] Re: Opsdir last call review of draft-ietf-oauth-resource-metadata-08

2024-09-11 Thread Michael Jones
-oauth-resource-metadata/commit/fe6fd613eae34e3c63acbec340d21de21a3a1176, which adds sequence numbers to the diagram. Thanks again! -- Mike -Original Message- From: Michael Jones Sent: Tuesday, September 10, 2024 7:26 PM To

[OAUTH-WG] Re: Secdir last call review of draft-ietf-oauth-resource-metadata-08

2024-09-11 Thread Michael Jones
again! -- Mike -Original Message- From: Michael Jones Sent: Tuesday, September 10, 2024 7:23 PM To: David Mandelberg ; sec...@ietf.org Cc: draft-ietf-oauth-resource-metadata@ietf.org; last-c...@ietf.org; oauth@ietf.org; Arnt Gulbrandsen ; Deb Cooley

[OAUTH-WG] Re: Opsdir last call review of draft-ietf-oauth-resource-metadata-08

2024-09-10 Thread Michael Jones
Thanks for your review, Bo. My replies are inline below, prefixed by "Mike>". -Original Message- From: Bo Wu via Datatracker Sent: Thursday, August 29, 2024 5:53 AM To: ops-...@ietf.org Cc: draft-ietf-oauth-resource-metadata@ietf.org; last-c...@ietf.org; oauth@ietf.org Subject: Ops

[OAUTH-WG] Re: Secdir last call review of draft-ietf-oauth-resource-metadata-08

2024-09-10 Thread Michael Jones
Thanks David. My replies are inline below, prefixed by "Mike>". -Original Message- From: David Mandelberg via Datatracker Sent: Friday, August 16, 2024 3:42 PM To: sec...@ietf.org Cc: draft-ietf-oauth-resource-metadata@ietf.org; last-c...@ietf.org; oauth@ietf.org Subject: Secdir la

[OAUTH-WG] Re: Review of draft-ietf-oauth-selective-disclosure-jwt-10

2024-08-17 Thread Michael Jones
. Best wishes, -- Mike From: Kristina Yasuda Sent: Wednesday, August 14, 2024 6:07 AM To: Brian Campbell Cc: Michael Jones ; oauth@ietf.org Subject: Re: [OAUTH-WG] Re: Review of draft-ietf-oauth

[OAUTH-WG] Review of draft-ietf-oauth-selective-disclosure-jwt-10

2024-08-04 Thread Michael Jones
I read https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html in its entirety, resulting in these suggestions. Some are for readability. Some are for consistency with related specifications, including JWT. Some are for security and correctness. The most important

[OAUTH-WG] Re: OAuth 2.0 Protected Resource Metadata - Implementations

2024-07-10 Thread Michael Jones
OpenID Federation implementations use the Protected Resource Metadata definitions in this specification. Among others, Connect2ID and Authlete have OpenID Federation implementations. I know that it's deployed in the Italian SPID CIE national federation.

[OAUTH-WG] Re: OAuth 2.0 Protected Resource Metadata - IPR Disclosure

2024-07-10 Thread Michael Jones
I am not aware of any IPR associated with this specification. -- Mike From: Rifaat Shekh-Yusef Sent: Wednesday, July 10, 2024 9:06:26 AM To: oauth Subject: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata - IPR Disclosure Mike, Phil, Aaron, As part of the she

[OAUTH-WG] Re: Shepherd Review for OAuth 2.0 Protected Resource Metadata draft

2024-07-08 Thread Michael Jones
Can you reply to this today, Rifaat? Thanks, -- Mike From: Michael Jones Sent: Saturday, July 6, 2024 12:55:19 PM To: Rifaat Shekh-Yusef Cc: oauth Subject: RE: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource Metadata draft What puzzles me of

[OAUTH-WG] Re: Shepherd Review for OAuth 2.0 Protected Resource Metadata draft

2024-07-06 Thread Michael Jones
time. If not the text already proposed in the PR, what specifically would you suggest that we say about downgrade possibilities? -- Mike From: Rifaat Shekh-Yusef Sent: Saturday, July 6, 2024 5:05 AM To: Michael Jones Cc: oauth

[OAUTH-WG] Re: Shepherd Review for OAuth 2.0 Protected Resource Metadata draft

2024-07-05 Thread Michael Jones
The PR https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/45 is intended to address these shepherd review comments. Please review. Thanks, -- Mike Fro

[OAUTH-WG] Re: Product Support for RFC8414 well-known URIs

2024-07-04 Thread Michael Jones
I'm aware of many production deployments of authorization server metadata that, for the issuer https://example.com/tenants/tenant123 use the OpenID Connect .well-known path formulation https://example.com/tenants/tenant123/.well-known/openid-configuration and none that use https://example.com/

[OAUTH-WG] Re: Call for adoption - PIKA

2024-06-25 Thread Michael Jones
The other critique I voiced of the approach is that the application-level X.509 certificate can be used to secure the HOST part of the issuer, but not the entire issuer, since in general, the issuer will contain a PATH. Yes, the service hosting the issuers controls all the paths, as Richard rep

[OAUTH-WG] Re: [media-types] Re: Request for registering media types and structured suffixes defined by W3C VCWG candidate recommendations

2024-06-20 Thread Michael Jones
It’s my hope that the registrations of application/vc+sd-jwt and application/vp+sd-jwt will be able to be done in a way that works for both VC-JOSE-COSE and SD-JWT-VC. As I see it, that should be an attainable goal and one that the interested parties should work together towards.

[OAUTH-WG] Re: Fwd: Internet Terminology Glossary

2024-06-13 Thread Michael Jones
If you want a dynamic document, you could create a BCP. And the RFC could indicate that it obsoletes RFC 4949. From: Rifaat Shekh-Yusef Sent: Thursday, June 13, 2024 10:34 AM To: Michael Jones Cc: oauth ; id-al...@ietf.org Subject: Re: [OAUTH-WG] Fwd: Internet Terminology Glossary That

[OAUTH-WG] Re: Fwd: Internet Terminology Glossary

2024-06-13 Thread Michael Jones
Is this intended to replace https://www.rfc-editor.org/rfc/rfc4949.html? From: Rifaat Shekh-Yusef Sent: Thursday, June 13, 2024 9:14 AM To: oauth Subject: [OAUTH-WG] Fwd: Internet Terminology Glossary -- Forwarded message - From: Rifaat Shekh-Yusef mailto:rifaat.s.i...@gmail.c

[OAUTH-WG] Re: Call for adoption - PIKA

2024-06-10 Thread Michael Jones
.well-known endpoint for this specification used to retrieve keys used to validate the issuer signature. It's a well-established pattern that should be used here too. -- Mike -Original Message- From: Watson Ladd Sent: Monday, June 10, 2024 8:36 PM To

[OAUTH-WG] Re: Call for adoption - PIKA

2024-06-10 Thread Michael Jones
directly understanding the structure and fields of X.509 to applications using it. Eliminate that, and I’ll support adoption. -- Mike From: Richard Barnes Sent: Monday, June 10, 2024 8:18 PM To: Michael Jones Cc: Rifaat Shekh-Yusef

[OAUTH-WG] Re: Call for adoption - PIKA

2024-06-10 Thread Michael Jones
As both I and Giuseppe pointed out, the requirement for applications to use and understand X.509 certificates means that the draft is way beyond the minimum complexity needed. Eliminate application-level X.509 (which is an anachronism that OAuth and JOSE have moved away from), and I’ll support

[OAUTH-WG] Re: Call for adoption - PIKA

2024-06-10 Thread Michael Jones
While I'm generally supportive of the goals of this draft, I have issues with the mechanisms proposed. Therefore, I believe that more working group discussion is needed before adoption. If I were to do something along these lines, I would not use "x5c". Other than for TLS certificates, the OA

[OAUTH-WG] Re: Second WGLC for OAuth 2.0 Protected Resource Metadata

2024-05-15 Thread Michael Jones
Having addressed the first WGLC comments in -04 and adding a pretty diagram in -05, I believe this is ready for publication. Thanks, -- Mike From: Rifaat Shekh-Yusef S

[OAUTH-WG] Secdir telechat review of draft-ietf-oauth-security-topics-27

2024-05-10 Thread Michael Jones via Datatracker
Reviewer: Michael Jones Review result: Ready After -27 was posted, which addressed my SecDir review comments, I re-reviewed. The only remaining bug I found is typographical. In 4.2.1, the underscore is missing from access_token in "(and potentially access token)". This is true in bot

[OAUTH-WG] Re: Secdir last call review of draft-ietf-oauth-security-topics-26

2024-05-08 Thread Michael Jones
ore is missing from access_token in "(and potentially access token)". This is true in both the .txt and .html renderings. -- Mike From: Daniel Fett Sent: Monday, April 29, 2024 6:06 AM To: Michael Jones ; sec...@ietf.org

[OAUTH-WG] Parameter pollution with redirect_uri injection in Authorization step

2024-05-02 Thread Michael Jones
Hi Daniel and crew, Do you believe this issue is addressed in the OAuth Security BCP? If so, can you please add a reference to the pertinent text to this issue, so we can close it on that basis? Thanks,

[OAUTH-WG] Secdir last call review of draft-ietf-oauth-security-topics-26

2024-04-28 Thread Michael Jones via Datatracker
Reviewer: Michael Jones Review result: Has Issues Comments on substantive issues with the specification: In 4.15. Client Impersonating Resource Owner, the sentence “If the resource server cannot properly distinguish between access tokens issued to clients and access tokens issued to end-users

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-04-26 Thread Michael Jones
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-04.html has been published addressing the WGLC feedback received. Thanks all for the thorough reviews! Rifaat and/or Hannes, can you please start the second WGLC at your convenience?

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-04-26 Thread Michael Jones
Hi Pieter, As you know, Aaron and I worked through your comments, filing issues at https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/ and creating PRs addressing them. Thanks for your engagement via the issue tracker as we worked through the issues. https://www.ietf.org/archive/i

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-04-26 Thread Michael Jones
Sent: Thursday, April 4, 2024 2:42 PM To: Michael Jones Cc: Vladimir Dzhuvinov ; oauth@ietf.org Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata Apologies, I just noticed an unfinished sentence in my prior message (embarrassing but I guess I started to write it and then change

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-04-03 Thread Michael Jones
In October 2023, we added this text describing signing resource responses: These values may be used by other specifications, such as the jwks_uri used to publish public keys the resource server uses to sign resource responses, as described in Section 5.6.2 of [FAPI.MessageSigning

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-03-29 Thread Michael Jones
Thanks again for the detailed review, Atul! I’ve updated the PR accordingly. Responses are inline below… From: OAuth On Behalf Of Atul Tulshibagwale Sent: Friday, March 29, 2024 6:31 PM To: Rifaat Shekh-Yusef ; oauth Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata Cont

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-03-28 Thread Michael Jones
Hi Atul, I’ve created https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/23 addressing many of your comments. Dispositions of all the comments are described inline below. Thanks again,

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-03-28 Thread Michael Jones
Thanks for the detailed read, Atul. We’ll create a PR addressing these suggestions. Separately, while it may seem obvious with me being an editor, for the record, I support publication of this specification as an RFC. -- Mike Fro

Re: [OAUTH-WG] Signed JWK Sets

2024-03-17 Thread Michael Jones
Also, see the additional key parameter registrations https://openid.net/specs/openid-federation-1_0.html#section-16.8, which can be used to indicate key expiration time, etc. From: Michael Jones Sent: Sunday, March 17, 2024 7:00 PM To: Richard Barnes ; oauth@ietf.org WG Cc: Sharon Goldberg

Re: [OAUTH-WG] Signed JWK Sets

2024-03-17 Thread Michael Jones
Signed JWK Sets are part of the OpenID Federation specification and are in production use. For instance, see https://openid.net/specs/openid-federation-1_0.html#name-metadata-extensions-for-jwk and the "keys" registration at https://openid.net/specs/openid-federation-1_0.html#name-registry-con

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-resource-metadata-03.txt

2024-02-01 Thread Michael Jones
This version applies a correction by Filip Skokan. -- Mike -Original Message- From: OAuth On Behalf Of internet-dra...@ietf.org Sent: Thursday, February 1, 2024 1:44 PM To: i-d-annou...@ietf.org Cc: oauth@ietf.org Subject: [OAUTH-WG] I-D Action: draft-ietf

Re: [OAUTH-WG] IETF119 - Call for topics

2024-01-25 Thread Michael Jones
Please put time on the agenda to discuss draft-ietf-oauth-resource-metadata. Thanks, -- Mike From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Wednesday, January 24, 20

[OAUTH-WG] OAuth 2.0 Protected Resource Metadata draft addressing all known issues

2024-01-24 Thread Michael Jones
Aaron Parecki and I have published a draft of the "OAuth 2.0 Protected Resource Metadata" specification that addresses all the issues that we're aware of. In particular, the updates address the comments received during the discussions at IETF 118. As described in the

[OAUTH-WG] Preventing use of a constant PKCE challenge value

2023-12-18 Thread Michael Jones
Hi all, I filed https://github.com/oauthstuff/draft-ietf-oauth-security-topics/pull/86 as a result of discussions at IETF in Prague but it seems to have stalled. What text are we going to add to draft-ietf-oauth-security-topics to prevent use of a constant PKCE challenge value, if not that pro

Re: [OAUTH-WG] Request to add a profile parameter to +jwt and +sd-jwt

2023-11-28 Thread Michael Jones
Orie, you wrote: TLDR; TallTed believes that the convention in the JWT BCP is not correct: https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing So instead of seeing: application/secevent+jwt We should be seeing: application/jwt; profile=secevent For what it's worth, the

[OAUTH-WG] Parameter pollution with redirect_uri injection in Authorization step

2023-11-16 Thread Michael Jones
An issue was filed in the OpenID Connect repository at https://bitbucket.org/openid/connect/issues/2074/parameter-pollution-with-redirect_uri that the working group believes is actually about OAuth and not specific to OpenID Connect. The description of the issue is: We have researched the OAu

Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List

2023-10-23 Thread Michael Jones
To Aaron’s naming points, I would be fine changing the title in the draft from “OAuth Status List” to “OAuth Token Status List”, if there’s working group consensus to do so. We could have that discussion in Prague. The name change was motivated by feedback from multiple sources that the old na

[OAUTH-WG] OAuth 2.0 Protected Resource Metadata updated in preparation for IETF 118

2023-10-21 Thread Michael Jones
Aaron Parecki and I have updated the "OAuth 2.0 Protected Resource Metadata" specification in preparation for presentation and discussions at IETF 118 in Prague. The updates address comments received during the discussions at I

Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List

2023-09-30 Thread Michael Jones
I support adoption. From: OAuth on behalf of Amir Sharif Sent: Saturday, September 30, 2023 7:45:04 AM To: Rifaat Shekh-Yusef ; oauth Subject: Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List I support the adoption. On Sat, 30 Sep 2023 at 16:41, m

Re: [OAUTH-WG] RFC 9449 on OAuth 2.0 Demonstrating Proof of Possession (DPoP)

2023-09-07 Thread Michael Jones
Congratulations everyone who participated in making this happen. This could be a game-changer. A great day for OAuth! Happily, -- Mike FYI, I wrote about this at https://self-issued.info/?p=2417 and https://www.linkedin.com/posts

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Michael Jones
I support adoption. -- Mike From: OAuth on behalf of Dick Hardt Sent: Wednesday, August 23, 2023 8:09:46 PM To: Rifaat Shekh-Yusef Cc: oauth Subject: Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata I support adoption. On Wed, Aug 23, 2023 at

Re: [OAUTH-WG] OAuth Trust model

2023-08-10 Thread Michael Jones
I HIGHLY recommend the authoritative blog post on the subject “OAuth 2.0 and Sign-In”, written by a dear friend to many of us, Vittorio Bertocci, just over a decade ago. While Microsoft took it down, it lives on in the Wayback Machine at http://web.archive.org/web/20130105031040/http://blogs.m

Re: [OAUTH-WG] Call for adoption - Attestation-Based Client Authentication

2023-08-01 Thread Michael Jones
I support adoption. From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Saturday, July 29, 2023 12:27 PM To: oauth Subject: [OAUTH-WG] Call for adoption - Attestation-Based Client Authentication All, This is an official call for adoption for the Attestation-Based Client Authentication draft dis

Re: [OAUTH-WG] Call for adoption - SD-JWT-based Verifiable Credentials

2023-08-01 Thread Michael Jones
I support adoption. From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Saturday, July 29, 2023 12:25 PM To: oauth Subject: [OAUTH-WG] Call for adoption - SD-JWT-based Verifiable Credentials All, This is an official call for adoption for the SD-JWT-based Verifiable Credentials draft discussed i

Re: [OAUTH-WG] IETF117 - OAuth WG call for topics

2023-07-10 Thread Michael Jones
Aaron Parecki and I would like 15-20 minutes to discuss: OAuth 2.0 Protected Resource Metadata https://www.ietf.org/archive/id/draft-jones-oauth-resource-metadata-04.html Per my previous e-mail, we made the updates requested by the working group at IETF 116, combining

[OAUTH-WG] OAuth 2.0 Protected Resource Metadata now with WWW-Authenticate

2023-07-10 Thread Michael Jones
In collaboration with Aaron Parecki, the ability for OAuth 2.0 protected resource servers to return their resource identifiers via WWW-Authenticate has been added to the OAuth 2.0 Protected Resource Metadata specification. This enables clients to dynamically learn ab

Re: [OAUTH-WG] Request for Feedback on "SD-JWT VC" Draft Specification

2023-06-07 Thread Michael Jones
Here's some feedback based on a full read of the draft... You will eventually be asked to reference RFC 8174, like is done at https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-conventions-and-terminology. You might as well do it sooner than later. To follow the IETF draft nami

Re: [OAUTH-WG] Paul Wouters' No Objection on draft-ietf-oauth-dpop-14: (with COMMENT)

2023-04-12 Thread Michael Jones
Thanks for reviewing the specification, Paul. The authors agree it is too late in the game to change the name of "nonce". FYI, I plan to dial into the telechat and listen in on mute, in case anyone wants to ask questions during the call. Best wishes,

[OAUTH-WG] Vacationing this week & e-mail address

2012-11-13 Thread Michael Jones
Hi all, I wanted to let you know that I'm vacationing this week, and so mostly won't be participating in discussions. I'll respond next week. Also, at present I’m using the e-mail address michael_b_jo...@hotmail.com to send e-mail to IETF mailing lists because currently I’m unable to send e

[OAUTH-WG] JOSE and JWT specs updated for IETF 85 working group meetings

2012-11-07 Thread Michael Jones
I’ve made a small set of updates to the JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT) specs in preparation for the JOSE and OAuth working group meetings at IETF 85. These updates incorporate resolutions to issues that have been discussed by the working groups since publ