Re: [OAUTH-WG] Martin Duke's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)

Martin Duke <martin.h.duke@gmail.com> Mon, 19 April 2021 22:45 UTC

References: <161730912872.14258.15710315415917535021@ietfa.amsl.com> <20210408191223.GT79563@kduck.mit.edu> <CO6PR18MB4052778DC903C25D3B38D230AE4E9@CO6PR18MB4052.namprd18.prod.outlook.com>
In-Reply-To: <CO6PR18MB4052778DC903C25D3B38D230AE4E9@CO6PR18MB4052.namprd18.prod.outlook.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Mon, 19 Apr 2021 15:45:20 -0700
Message-ID: <CAM4esxQkWQpXtk9SEc2nE4vC_yAORHnrGHfiPOQpEGUtekAkJA@mail.gmail.com>
To: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, "draft-ietf-oauth-access-token-jwt@ietf.org" <draft-ietf-oauth-access-token-jwt@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5Mi8e0wlIgfACxd4P3tfE92GOHU>
Subject: Re: [OAUTH-WG] Martin Duke's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)

Alright, this all sounds good without any changes, except:

On Wed, Apr 14, 2021 at 12:18 AM Vittorio Bertocci <vittorio.bertocci@auth0.com> wrote:

>
>     > (4) I presume it's important that any resource server rejection of the token
>     > should be constant-time. Is this somewhere in the RFC tree, or do we need to
>     > explicitly say it here and/or in Security Considerations?
> I am thinking of analogous descriptions in other specs and I don’t recall
> mentions of that aspect, hence I assumed we didn’t have to specify it here
> either. In particular, I glanced thru RFC6750 section 3, which this spec
> specializes for the specific JWT AT scenario, and they don’t mention that
> either.
>

IMO it would be good to add this here, especially if it isn't described
elsewhere in the ecosystem. That said, I'm happy to defer to the Security
AD as to whether this is an important addition.
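The point under discussion is that a resource server's rejection of a JWT access token should not leak, through timing, which part of the validation failed. The following is an added illustration and is not code from the thread, the draft, or any OAuth library. It assumes an HS256-signed token with a constructed shared key purely so the example runs offline (the draft permits any JWS algorithm and deployments usually use asymmetric keys published via JWKS); the issuer, audience, and claim values are constructed. It contrasts a naive `==` signature check with `hmac.compare_digest`, and evaluates every claim check before deciding so that the rejection path does not return early on the first failing check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example only).
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"
DEMO_ISSUER = "https://as.example"
DEMO_AUDIENCE = "https://rs.example"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore padding before decoding; raises ValueError on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_at_jwt(sub, client_id, key=DEMO_KEY, lifetime=300, now=None):
    """Issue a JWT access token with typ 'at+jwt' and the usual claims."""
    now = int(time.time()) if now is None else now
    header = {"typ": "at+jwt", "alg": "HS256"}
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": sub,
              "client_id": client_id, "iat": now, "exp": now + lifetime,
              "jti": "constructed-jti-0001"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def naive_signature_matches(expected: bytes, presented: bytes) -> bool:
    """Weak form: byte equality may stop at the first mismatch, so the time
    taken depends on how many leading bytes the attacker got right."""
    return expected == presented


def validate_at_jwt(token, key=DEMO_KEY, audience=DEMO_AUDIENCE, now=None):
    """Resource-server side validation. Returns (accepted, subject_or_error).

    All failures after structural parsing produce the same result and are
    computed without early return, so a rejected token does not reveal
    whether the signature, issuer, audience or expiry was the problem."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "invalid_token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        presented_sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "invalid_token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "invalid_token"
    # The RS pins the algorithm it expects; it never trusts 'alg' from the token.
    if header.get("typ") != "at+jwt" or header.get("alg") != "HS256":
        return False, "invalid_token"

    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; handles length mismatch without raising.
    sig_ok = hmac.compare_digest(expected_sig, presented_sig)

    aud = claims.get("aud")
    aud_ok = aud == audience or (isinstance(aud, list) and audience in aud)
    iss_ok = claims.get("iss") == DEMO_ISSUER
    exp = claims.get("exp")
    exp_ok = isinstance(exp, int) and now < exp

    # Combine after every check has run; a single generic outcome on failure.
    if not (sig_ok and iss_ok and aud_ok and exp_ok):
        return False, "invalid_token"
    return True, str(claims.get("sub", ""))


if __name__ == "__main__":
    tok = mint_at_jwt("user-1", "client-1")
    print(validate_at_jwt(tok))
    print(validate_at_jwt(tok[:-4] + "AAAA"))
```

The remaining timing difference in this example is the structural parse, which rejects before any cryptography; that ordering is deliberate, since parsing cost does not depend on any secret. What `compare_digest` protects is the secret-dependent step, the signature check.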