[OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt

John Bradley <ve7jtb@ve7jtb.com> Thu, 30 March 2017 20:00 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12CA912944B for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 13:00:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ptg_OIFIsWJ for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 13:00:12 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 819AD126B72 for <oauth@ietf.org>; Thu, 30 Mar 2017 13:00:12 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id y18so883506itc.0 for <oauth@ietf.org>; Thu, 30 Mar 2017 13:00:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=message-id:mime-version:to:from:subject:date:importance:in-reply-to :references; bh=euUrcQqbm32pQtXySKQk58Z2RxeyU6o4hL8jJqdKKPI=; b=Bx7c1EN3IFfoGE/gxr3SxYcBeEY8vtpdQzZ5Fq4UzPtQ2S16WAOdZ2SR/Ga7zWVw2I aOVy/jn26LAQ4TGdtW94jhqgkpBE8VcYWnGvK8/vWyDfzoEkahRaN/rlGdm2WixjTi0a koaL8srN2HYQKMdAGjvtz2l0xj8d1LHWxNLJSXKtJW/G5Sn5080ODio20M4z7PRSjNpd UEjiyw7E8409L+Br1SxnJcea4TSSVOYi+XOJRiwSdO8gSQ5BUUUWXsY3pZzAHkQa29AK t00Thh1QDMvMKPiiozmf9HULQ0Xjq6+VDIq4x8I3ldU+Pbq1GZwwduLVxBmRe9kxTgBY vO9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:mime-version:to:from:subject:date :importance:in-reply-to:references; bh=euUrcQqbm32pQtXySKQk58Z2RxeyU6o4hL8jJqdKKPI=; b=UseFQV4LK35Kowb4SkAxDmQPHyUx6w/qMYpsXv/olcMEx5inykcgvPXu7RWAbZkINv i/VA0LaV+xxqNvVg+zw2B4tAJTK80MlEaYb+EvZ0kOOTZxhboV6zm7cjNrumLjSMV0Cc Kj8Wx5FnBk9S9kkSWa9dji0H4rCB//RyHHJv9JVzEjYJq6oSrGmaqhugabrtYtbj4fZ4 N14Qkyw8tdaFpAQF7ipUjHBRIkupHw8aKa2sqPU+PP+SjH2Ohl+MNivMA1BvlBE8/H3Y 3wGpI1T/iWE88nOo0z+U0ddDJbIiHzaR0uP+CbwNc2nKelUdfsleEE3d9Utf/0PMzjOm z19g==
X-Gm-Message-State: AFeK/H3mXB92JQZ7Fphinc+vVjwRscndnI6Rb97qcfDD74v5sdGvgLv2rIjVp5laYRm6yG8y
X-Received: by 10.36.204.137 with SMTP id x131mr2733188itf.35.1490904011361; Thu, 30 Mar 2017 13:00:11 -0700 (PDT)
Received: from ?IPv6:::ffff:31.133.184.100? (dhcp-b864.meeting.ietf.org. [31.133.184.100]) by smtp.gmail.com with ESMTPSA id 100sm1943159iot.39.2017.03.30.13.00.09 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 Mar 2017 13:00:10 -0700 (PDT)
Message-ID: <58dd63ca.e7136b0a.5e8ec.8d9e@mx.google.com>
MIME-Version: 1.0
To: IETF OAUTH <oauth@ietf.org>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 30 Mar 2017 15:00:11 -0500
Importance: normal
X-Priority: 3
In-Reply-To: <149089911092.15436.12952695214868679547@ietfa.amsl.com>
References: <149089911092.15436.12952695214868679547@ietfa.amsl.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="94eb2c05bf74024147054bf82423"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-tUrNY1X9eI_tQGI8T-IGx4xHy8>
Subject: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 20:00:15 -0000

Based on feeback from the IESG we have removed some of the optionality in the draft. 

It is a shorter read than draft 12.   

John B.

Sent from Mail for Windows 10

From: internet-drafts@ietf.org
Sent: March 30, 2017 1:38 PM
To: i-d-announce@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
        Authors         : Nat Sakimura
                          John Bradley
	Filename        : draft-ietf-oauth-jwsreq-13.txt
	Pages           : 27
	Date            : 2017-03-30

Abstract:
   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents are not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authenticated.  Because of
   these weaknesses, several attacks to the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be signed
   with JSON Web Signature (JWS) and/or encrypted with JSON Web
   Encryption (JWE) so that the integrity, source authentication and
   confidentiality property of the Authorization Request is attained.
   The request can be sent by value or by reference.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth