[OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
John Bradley <ve7jtb@ve7jtb.com> Thu, 30 March 2017 20:00 UTC
Based on feedback from the IESG we have removed some of the optionality in the draft. It is a shorter read than draft 12.

John B.

From: internet-drafts@ietf.org
Sent: March 30, 2017 1:38 PM
To: i-d-announce@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol of the IETF.

Title: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
Authors: Nat Sakimura, John Bradley
Filename: draft-ietf-oauth-jwsreq-13.txt
Pages: 27
Date: 2017-03-30

Abstract: The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents is not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks on the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and/or encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality properties of the Authorization Request are attained. The request can be sent by value or by reference.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13

A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/
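To make the abstract's integrity point concrete, here is an added example (not code from the draft or its authors) that packs the authorization request parameters into a by-value request object as an HS256 JWS and shows an authorization-server check that rejects a tampered object while ignoring loose query parameters. The client secret, the parameter values, the use of HS256 (chosen to stay dependency-free; deployments would more typically use an asymmetric JWS algorithm) and the rule of taking every parameter from the verified object rather than the query string are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical client secret shared with the authorization server.
CLIENT_SECRET = b"constructed-example-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(params: dict, secret: bytes) -> str:
    """Client side: pack the authorization request parameters into an HS256 JWS."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(params, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def build_authorization_url(endpoint: str, params: dict, secret: bytes) -> str:
    """Send the request object by value in the 'request' query parameter."""
    return endpoint + "?" + urlencode({"request": sign_request_object(params, secret)})


def verify_request_object(jws: str, secret: bytes):
    """Server side: return the claims if the JWS verifies, otherwise None."""
    try:
        header, payload, signature = jws.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":  # pin the alg; never accept 'none'
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, AttributeError):  # malformed base64/JSON or a non-object header
        return None


def resolve_authorization_request(url: str, secret: bytes):
    """Authorization server: every parameter comes from the verified request object.
    Loose query parameters (e.g. a redirect_uri appended in transit) are ignored, so they
    cannot override the signed values (precedence rule assumed for this example)."""
    request_objects = parse_qs(urlparse(url).query).get("request", [])
    if len(request_objects) != 1:
        return None
    return verify_request_object(request_objects[0], secret)
```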