[OAUTH-WG] Comments on draft-ietf-oauth-security-topics-05

2018-03-22 Thread Phil Hunt
Torsten, Great document! Some minor nits and comments: Abstract - double period after first sentence. > It updates and extends the OAuth 2.0 Security Threat Model to > incorporate practical experiences gathered since OAuth 2.0 was > published and cover new threats relevant due to the

Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2018-03-22 Thread Brian Campbell
Yeah, I think that works. Thanks. On Thu, Mar 22, 2018 at 2:16 PM, Mike Jones wrote: > I propose that the following text be added to address your comment, > Brian. Does this text work for you? > > When applying explicit typing to a Nested JWT, the "typ" header

Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2018-03-22 Thread Mike Jones
I propose that the following text be added to address your comment, Brian. Does this text work for you? When applying explicit typing to a Nested JWT, the "typ" header parameter containing the explicit type value MUST be present in the inner JWT of the Nested JWT (the JWT whose payload is the

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-22 Thread Justin Richer
I like the new text, it frames the error better and puts it in the context where it’s likely to be exploited. I.e., newly dynamically registered clients shouldn’t be trusted as much as others. — Justin > On Mar 22, 2018, at 8:16 AM, Brian Campbell wrote: >

[OAUTH-WG] OAuth 2.0 Seamless Flow - first draft

2018-03-22 Thread Omer Levi Hevroni
Hey, after presenting the flow yesterday, I've submitted the first draft: https://tools.ietf.org/html/draft-seamless-flow-00 I tried to answer all the questions that were raised during the session. Looking forward to hearing your feedback. Omer

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-22 Thread Brian Campbell
That works for me. On Wed, Mar 21, 2018 at 7:34 PM, Torsten Lodderstedt < tors...@lodderstedt.net> wrote: > Hi all, > > thanks for your feedback. Here is my text proposal for section 3.8.1. > > —— > > Attackers could try to utilize a user's trust in the authorization > server (and its URL in

[OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-bcp-01.txt

2018-03-22 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title: JSON Web Token Best Current Practices Authors: Yaron Sheffer, Dick Hardt