Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Brian Campbell <bcampbell@pingidentity.com> Thu, 16 April 2020 20:12 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 16 Apr 2020 14:11:46 -0600
Message-ID: <CA+k3eCQGgnSGAcNP4KJik9riWYdRTpSOV-sgZHXMCJUWhh5U5w@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/623hLsTFGkKcJ8_pn5dGjF4WNE0>

Section 4 does have: "The resource server MUST reject any JWT in which the value
of "alg" is "none"."

On Thu, Apr 16, 2020 at 1:09 PM Aaron Parecki <aaron@parecki.com> wrote:

> Section 2.1 says:
>
> > Although JWT access tokens can use any signing algorithm, use of
> > asymmetric algorithms is RECOMMENDED
>
> Can this be strengthened to disallow the `none` algorithm? Something like
> adding "... and MUST NOT use the "none" algorithm".
>
> Given that the JWT BCP doesn't disallow the "none" algorithm, technically
> someone could follow both this JWT Access Token spec and the JWT BCP spec
> and end up with an implementation that allows an AS to accept JWTs with the
> "none" algorithm.
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
> On Wed, Apr 15, 2020 at 11:59 AM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> wrote:
>
>> Hi all,
>>
>> This is a second working group last call for "JSON Web Token (JWT)
>> Profile for OAuth 2.0 Access Tokens".
>>
>> Here is the document:
>> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06
>>
>> Please send your comments to the OAuth mailing list by April 29, 2020.
>>
>> Regards,
>>  Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>

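A resource-server-side gate for the section 4 rule discussed in this thread, added here as an illustration (it is not code from the draft or from either poster). It parses only the JOSE header, rejects `"alg": "none"` outright, and additionally refuses any algorithm outside an allowlist the resource server is configured with, so the token header can never pick the verifier; the allowlist and the sample tokens are assumptions constructed for the example.

```python
import base64
import json

# Algorithms this resource server is configured to verify (assumed policy;
# the draft RECOMMENDS asymmetric algorithms, so only those appear here).
ALLOWED_ALGS = frozenset({"RS256", "PS256", "ES256"})

def _b64url_decode(segment: str) -> bytes:
    # JWS segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def jose_header(token: str) -> dict:
    """Parse the JOSE header of a compact-serialized JWT. Nothing in it is trusted yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header

def alg_policy(token: str, allowed_algs=ALLOWED_ALGS):
    """Gate that runs before any signature check.

    Returns (True, alg) when the token may proceed to verification with that
    algorithm, or (False, reason) when it must be rejected. The "none" rule is
    the section 4 MUST quoted in this thread; the allowlist ensures the token's
    own header never selects which verifier runs.
    """
    try:
        header = jose_header(token)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError too
        return False, f"malformed token: {exc}"
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, 'missing "alg" header'
    if alg == "none":
        return False, 'rejected: "alg" is "none"'
    if alg not in allowed_algs:
        return False, f'rejected: "alg" {alg} not in resource server allowlist'
    return True, alg

# Constructed sample tokens (not real issued tokens). Payload and signature
# segments are placeholders; only the header matters for this gate.
_PAYLOAD = _b64url_encode({"iss": "https://as.example", "sub": "user1"})
UNSIGNED_TOKEN = _b64url_encode({"alg": "none", "typ": "at+jwt"}) + "." + _PAYLOAD + "."
RS256_TOKEN = _b64url_encode({"alg": "RS256", "typ": "at+jwt"}) + "." + _PAYLOAD + ".c2ln"
HS256_TOKEN = _b64url_encode({"alg": "HS256", "typ": "at+jwt"}) + "." + _PAYLOAD + ".c2ln"
```

Only a token that passes this gate is handed to the signature verifier, and the verifier is invoked with the returned algorithm rather than re-reading the header.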