Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Mike Jones
At Nat's request, I've created a pull request addressing Cross-JWT Confusion security considerations. It addresses both Brian's comment and the IESG comments about explicit typing. See the full PR at https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10. See the source diffs at

Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Benjamin Kaduk
Oops, that's my bad. Thanks for the correction -- I've linked to your message in the datatracker (but didn't bother to have the datatracker send a third copy of my updated-again ballot position). -Ben On Thu, Aug 13, 2020 at 03:00:33PM -0600, Brian Campbell wrote: > While some discussion of why

Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Brian Campbell
While some discussion of why explicit typing was not used might be useful to have, that thread started with a request for security considerations prohibiting use of the "sub" with a client ID value. Because such a request JWT could be repurposed for JWT client authentication. And explicit typing

Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Benjamin Kaduk
Hi Nat, Also inline. On Thu, Aug 13, 2020 at 11:25:27PM +0900, Nat Sakimura wrote: >Thanks Benjamin. >My replies inline below: >On Wed, Aug 12, 2020 at 12:53 AM Benjamin Kaduk via Datatracker > wrote: > > Benjamin Kaduk has entered the following ballot position for >

Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Nat Sakimura
Murray, Thanks very much for your comment. My replies inline: On Wed, Aug 12, 2020 at 4:56 PM Murray Kucherawy via Datatracker < nore...@ietf.org> wrote: > Murray Kucherawy has entered the following ballot position for > draft-ietf-oauth-jwsreq-26: No Objection > > When responding, please keep

Re: [OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Nat Sakimura
You are welcome. Actually, for 5.2, I should probably replace with more modern examples instead of old phones and old Internet Explorer. E.g., a) a mobile app making an authorization request through a mobile browser; b) RAR. On Thu, Aug 13, 2020 at 10:44 PM Eric Vyncke (evyncke) wrote: > Than

Re: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Nat Sakimura
Dear Robert, Thanks for the comment. Internet Explorer limitation is interesting from the historical perspective but can probably now be safely removed as well. We may want to put an example such as a Mobile App spawning external browser to make an authorization request instead. Cheers, Nat On

Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Nat Sakimura
Thanks Benjamin. My replies inline below: On Wed, Aug 12, 2020 at 12:53 AM Benjamin Kaduk via Datatracker < nore...@ietf.org> wrote: > Benjamin Kaduk has entered the following ballot position for > draft-ietf-oauth-jwsreq-26: No Objection > > When responding, please keep the subject line intact

Re: [OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Eric Vyncke (evyncke)
Thank you Nat for the quick reply and the fixes Regards -éric From: Nat Sakimura Date: Thursday, 13 August 2020 at 15:43 To: Eric Vyncke Cc: The IESG , oauth , "oauth-cha...@ietf.org" , "draft-ietf-oauth-jws...@ietf.org" Subject: Re: [OAUTH-WG] Éric Vyncke's No Objection on

Re: [OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-13 Thread Nat Sakimura
Thanks, Éric. Reply inline: On Wed, Aug 5, 2020 at 5:47 PM Éric Vyncke via Datatracker wrote: > Éric Vyncke has entered the following ballot position for > draft-ietf-oauth-jwsreq-26: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses