Re: [OAUTH-WG] JSON Web Token Best Current Practices is now RFC 8725 and BCP 225
Dick Hardt <dick.hardt@gmail.com> Thu, 20 February 2020 00:43 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C446D1200F5 for <oauth@ietfa.amsl.com>; Wed, 19 Feb 2020 16:43:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9SxF9v_R0Wz for <oauth@ietfa.amsl.com>; Wed, 19 Feb 2020 16:43:55 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB2F61200C1 for <oauth@ietf.org>; Wed, 19 Feb 2020 16:43:54 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id n25so1658820lfl.0 for <oauth@ietf.org>; Wed, 19 Feb 2020 16:43:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7AkDsfh654FBDUDvAZ1Pt0uOqKISQR3/IIHKnk9qLCY=; b=LEltm/0OOTOViFx3jW0/yun/U6w087jBoq9zkhc7IWSgnQq64Lm3kDmSzG93o4O8ZD Wi+Ihb9GEUJCRTWsuyf5GFFp6USYc0L1C49c1d+8c5cFgKTDnD5N+BRMBkEERDHNLBbM g7AWpvPGErhIICShdZgyc4CKoDJtl9cn5YiDyXn9ZeyJUYGTBsCNufzqNjX7wkOGzLU6 Mp+drJ/db/lfF/KsXWzOl1CUSCeJVNe6wSRClkhXXlO1679p9Y2lD5yCvAKTf1un9PkO MmpmVcg4Mbz1Cq9/omqZl72FH6uOgqJIQyFpXSmC/1IYmH0qp7K3BG+Zzdw7N7VxAPnw R7ug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7AkDsfh654FBDUDvAZ1Pt0uOqKISQR3/IIHKnk9qLCY=; b=iz36hRsUhwEtidvoiDrnK8L36q1OvVLQacuipDtHo+xDbx1i56rQJYcWAt4bDxMvY8 3cXSo/fsmv+Q4JHi/XMcxPPj5w+O3nOSieXn1+U9t4INXIqsYWe78Ppc9NacDaUOgBUs rNgoKv+azrxENFJMeLAEsSgKENujirTLOEFzTobz1qIQ8IxWVPs3fWdK+wFUe2S5ZvB4 2S1j7QMoH+KjS+24uoxzFLQueaqiNOVuWmXqoSNfsC7u53a+4M7rEGIlZFIFy52XlunX 2ehSaFsb1EtGB3R3AQX2vrewIOJu+2f0xZwdQUTFEpbl2ZXoVqaeTnJmN2BsVYg49w0V r7QA==
X-Gm-Message-State: APjAAAXrlSBBIAP2ZLdNjhJi86SzVcXUPzZ08L3vOWqsQiwvvGz2Ys25 Z/uFOzvIMr1v3YfPk0Hj4FA3h1coDsLcfwa4w5RYCLifuWk=
X-Google-Smtp-Source: APXvYqzYCJ/zvJFLiN8q4lmkAVHnSxHFEwR4SkVVsY1ZshSfmjxf4ToCZ7vrCGOo2QBQBXkqk1MmJ0YjeF7ugccSfqo=
X-Received: by 2002:ac2:531b:: with SMTP id c27mr14999107lfh.91.1582159432780; Wed, 19 Feb 2020 16:43:52 -0800 (PST)
MIME-Version: 1.0
References: <CH2PR00MB0679CAD5DE171630CDFA8AEEF5100@CH2PR00MB0679.namprd00.prod.outlook.com>
In-Reply-To: <CH2PR00MB0679CAD5DE171630CDFA8AEEF5100@CH2PR00MB0679.namprd00.prod.outlook.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 19 Feb 2020 16:43:26 -0800
Message-ID: <CAD9ie-sr9DKuOK1GsQcUedX1v=YoQH0yD1WJyP77c-PDoRG28Q@mail.gmail.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f80f20059ef7327d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0rSZWKH-woSg8fY_xXn1pRj8K3k>
Subject: Re: [OAUTH-WG] JSON Web Token Best Current Practices is now RFC 8725 and BCP 225
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 00:43:58 -0000
I think Mike meant to write "JSON Web Token Best Current Practices" rather than "The OAuth 2.0 Token Exchange specification" On Wed, Feb 19, 2020 at 3:07 PM Mike Jones <Michael.Jones= 40microsoft.com@dmarc.ietf.org> wrote: > The OAuth 2.0 Token Exchange specification is now RFC 8725 > <https://www.rfc-editor.org/rfc/rfc8725.html> and BCP 225 > <https://www.rfc-editor.org/info/bcp225>. The abstract of the > specification is: > > > > JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security > tokens that contain a set of claims that can be signed and/or encrypted. > JWTs are being widely used and deployed as a simple security token format > in numerous protocols and applications, both in the area of digital > identity and in other application areas. This Best Current Practices > document updates RFC 7519 to provide actionable guidance leading to secure > implementation and deployment of JWTs. > > > > The JSON Web Token (JWT) specification [RFC 7519 > <https://tools.ietf.org/html/rfc7519>] was approved in May 2015 > <https://self-issued.info/?p=1387>, almost five years ago, and has been > in production use since at least 2013. This Best Current Practices > <https://tools.ietf.org/html/rfc1818> specification contains a compendium > of lessons learned from real JWT deployments and implementations over that > period. It describes pitfalls and how to avoid them as well as new > recommended practices that enable proactively avoiding problems that could > otherwise arise. Importantly, the BCP introduces no breaking changes to > the JWT specification and does not require changes to existing deployments. > > > > The BCP came about as JWTs were starting to be used in new families of > protocols and applications, both in the IETF and by others. For instance, > JWTs are being used by the IETF STIR working group to enable verification > of the calling party's authorization to use a particular telephone number > for an incoming call, providing verified Caller ID > <https://self-issued.info/?p=2045> to help combat fraudulent and unwanted > telephone calls. The advice in the BCP can be used by new JWT profiles and > applications to take advantage of what’s been learned since we created the > JSON Web Token (JWT) specification over a half decade ago. > > > > -- Mike > > > > P.S. This notice was also posted at https://self-issued.info/?p=2052 and > as @selfissued <https://twitter.com/selfissued>. > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >