Re: [Jwt-reg-review] [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-authz

Brian Campbell <bcampbell@pingidentity.com> Tue, 21 January 2020 21:36 UTC

References: <9c32d171-9a4a-ba71-c989-92a177d9e989@gmx.de> <dc02aa6c-5cfc-bfb1-9672-facf7eb17ad7@gmx.de> <CA+k3eCSnNdvZAZZmequkLdcU_OkgD2au7+yFZOMJT3w0CLsrOQ@mail.gmail.com> <14a3c79d23e94d938be4a173a6c8256d@combitech.se> <CA+k3eCQBRyZAmw_d0Mz3jZR0e5u7U77KnDnZbYm2Ad9=BP08OA@mail.gmail.com> <504e86ae-f577-8526-e1cb-ed38d6a2e36f@gmx.de>
In-Reply-To: <504e86ae-f577-8526-e1cb-ed38d6a2e36f@gmx.de>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 21 Jan 2020 14:35:26 -0700
Message-ID: <CA+k3eCR6z6KiRYah1_vNAHJpF48WWNoib-yLe412TjzFhgqR0w@mail.gmail.com>
To: Ludwig Seitz <ludwig_seitz@gmx.de>
Cc: Seitz Ludwig <ludwig.seitz@combitech.se>, Roman Danyliw <rdd@cert.org>, "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>, Jim Schaad <ietf@augustcellars.com>, The IESG <iesg@ietf.org>, "ace@ietf.org" <ace@ietf.org>, "drafts-lastcall@iana.org" <drafts-lastcall@iana.org>, Benjamin Kaduk <kaduk@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/hbmXtKKNPljcyQqWt-eiYnFE0z8>

Thanks Ludwig, -31 is improved with regard to my previous concerns about 'exi'.

On Sat, Jan 18, 2020 at 9:22 AM Ludwig Seitz <ludwig_seitz@gmx.de> wrote:

> On 2020-01-13 22:01, Brian Campbell wrote:
> > Thanks for the updates Ludwig,
> >
> > Section 6.6 does propose one mitigation for the unbounded memory growth
> > problem. However, it relies on the AS to do pretty specific things with
> > the content of other claims for it to even be possible for an RS to
> > perform the mitigation approach. Do you think, for interoperability, it
> > needs to be more prescriptive? Like maybe requiring the cti/jti claim
> > with specific content and characteristics when exi is present or
> > embedding/encoding that sequence number in the value of the exi itself
> > alongside the lifetime of the token.
>
> This sounds like a reasonable requirement. I'm even inclined to make
> that a MUST and not just a SHALL. Next update coming soon.
>
> /Ludwig

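The exchange above is about how a resource server (RS) that has no trusted wall clock can enforce a relative 'exi' lifetime without having to remember every token it has ever seen. The Python model below is an added illustration, not code from draft-ietf-ace-oauth-authz or from either participant. It assumes the convention Brian proposes: the AS puts a strictly increasing integer sequence number in 'cti' whenever 'exi' is present. The RS starts a token's lifetime on its local monotonic clock at first receipt, never on re-presentation, and once a token expires it keeps only the highest expired sequence number; any token not newer than that is treated as expired. The exact rules in the draft may differ from this model; the `Token` claims and the `scenario()` walk-through are constructed.

```python
# Added illustration (not code from draft-ietf-ace-oauth-authz or from the
# thread participants): a resource server (RS) with no wall clock enforcing
# the relative 'exi' lifetime while keeping its state bounded. Assumed
# convention: the AS puts a strictly increasing integer sequence number in
# 'cti' for every token that carries 'exi'.
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """The claims of an already-verified access token that matter here (constructed)."""
    cti: int    # sequence number assigned by the AS (assumed convention)
    exi: int    # lifetime in seconds, counted from the RS's first receipt
    scope: str


class ResourceServer:
    def __init__(self) -> None:
        self.uptime = 0               # local monotonic clock in seconds
        self.active = {}              # cti -> local uptime at which the token expires
        self.highest_expired = -1     # largest cti of any token that has expired here

    def tick(self, seconds: int) -> None:
        """Advance the local clock and retire tokens whose lifetime has elapsed."""
        self.uptime += seconds
        for cti in [c for c, exp in self.active.items() if exp <= self.uptime]:
            del self.active[cti]
            # Only this single integer survives the token: the state stays bounded
            # by the number of concurrently valid tokens, not by tokens ever seen.
            self.highest_expired = max(self.highest_expired, cti)

    def accept(self, tok: Token) -> bool:
        """Return True if the token is still valid at this RS."""
        if tok.exi <= 0:
            return False
        # Anything not newer than the newest expired token is treated as expired,
        # so a replayed (or long-delayed) token cannot have its lifetime restarted
        # after the RS has forgotten it.
        if tok.cti <= self.highest_expired:
            return False
        if tok.cti not in self.active:
            # First sighting: the lifetime starts now, never on re-presentation.
            self.active[tok.cti] = self.uptime + tok.exi
        return True

    def state_size(self) -> int:
        """Number of per-token entries the RS currently holds for exi tokens."""
        return len(self.active)


def scenario() -> list:
    """Walk through a replay attempt; returns the accept() results in order."""
    rs = ResourceServer()
    first = Token(cti=1, exi=10, scope="r_temp")
    second = Token(cti=2, exi=100, scope="r_temp")
    results = [rs.accept(first)]         # fresh token: accepted, local clock starts
    rs.tick(8)
    results.append(rs.accept(first))     # re-presented at 8 s: still valid, lifetime not extended
    results.append(rs.accept(second))
    rs.tick(3)                           # uptime 11 s: the first token has expired
    results.append(rs.accept(first))     # replay after expiry: rejected
    results.append(rs.accept(Token(cti=0, exi=10_000, scope="r_temp")))  # older sequence number: rejected
    results.append(rs.accept(second))    # still inside its 100 s window
    return results


if __name__ == "__main__":
    print(scenario())
```

The trade-off this model makes is deliberate: a token the RS has never seen whose sequence number is below `highest_expired` is rejected even if its own lifetime has not elapsed, which is what makes one integer sufficient as the record of everything that has expired. Whether that is acceptable depends on the AS issuing sequence numbers per RS and clients presenting tokens promptly, which is why the thread argues the requirement on the AS needs to be stated prescriptively.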