Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

Brian Campbell <> Mon, 17 August 2020 15:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 320E13A1113 for <>; Mon, 17 Aug 2020 08:36:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W62jquCxx-o6 for <>; Mon, 17 Aug 2020 08:36:40 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B414F3A10E4 for <>; Mon, 17 Aug 2020 08:36:39 -0700 (PDT)
Received: by with SMTP id t23so17984801ljc.3 for <>; Mon, 17 Aug 2020 08:36:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3uyM7wSjHi8V/i/M3H0/M02cd78tW8A/HrFtT7O7fv4=; b=Jw8HdccLgDDnOdjArvPFJYzZ4DNs/zDWvcaP5l6RLga2EUvkD/Uoi1uxu9LYOvW5PV LPaQFWD0oHfQEGQRmMovDmeIY5sczKdkyVnPudhnsqy6rHJ0OJ+t0PhwXm/BoJzU4Oxm wu+szJjIg/LBW1ldancGjt5Nezlx9ASeeXGTomQe3i0vzry0nDnumgF5fkLgcLA6tx3b u5EBd5bOsma72OyEiFisUpY6mdsycK5YiQvvLqqiCc6SOAMaPMaV7b7qn5yy/qK1pZIW zgLPSzsPUU66qDeXwk/PahGL2Iv1G9axyVyUQBgUp8JDj9MzML/XMY6B7ZPbBCQ+zPr5 Q1Bw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3uyM7wSjHi8V/i/M3H0/M02cd78tW8A/HrFtT7O7fv4=; b=Fy4C9v2vZpGiQ4Hd7jI190xgBa7nSsJLj08TRxg+8e658yZ3UaAOnF9nLbp9DhRpjl 27bS/BD0e464DcGCmhxB1VKJ1MVJqICkvIVPWjE//Kii2AflRSftV3TeCijSXZpgmsQ2 olfJ8nDkz+pLFA7QCTZopJPrFbe9z762WuTwC2gO4PAs9E/K6il09huxSuVJiik7n5Vz 5fhemFClr8dtFQq3JvTqcOoOAqnOEEMO6/hvicfKIm7QxUgdSYftrdLhCI4LXa1JmWt3 yAvati42Zfy/W/kl7B6H8lQXP1xxisfrwwh96kGWA4QI/3oTVCt+GyiUZmGi+6oF38hn nMHw==
X-Gm-Message-State: AOAM532yGe+FOoWCLkdwmlXLTWY5Zg//4XCZZ0wu+YhxPUJFmoNqYRYF UtJeiuKur68jaIH7vsRZyK2MwEeWqdT1K1AperzJSSNl1Gaq5RIfSwc3SdRHgKx2mUu83JGo/+g 4Nl3f1XOwww1brxwKVVqcdA==
X-Google-Smtp-Source: ABdhPJwLlgAbghCMPtGCjAcHftxozEPt3Au1T4Jfa8BtmX7LuIcw3W5fo6vIFHRHSdV1E6gUK22Hjvnq8RGxHTyK3Uw=
X-Received: by 2002:a2e:968c:: with SMTP id q12mr8190062lji.345.1597678597667; Mon, 17 Aug 2020 08:36:37 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Mon, 17 Aug 2020 09:36:11 -0600
Message-ID: <>
To: Vladimir Dzhuvinov <>
Cc: oauth <>
Content-Type: multipart/alternative; boundary="000000000000479b6005ad14893e"
Archived-At: <>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 Aug 2020 15:36:41 -0000

On Sat, Aug 15, 2020 at 3:08 AM Vladimir Dzhuvinov <>

> Regarding the "sub != client_id" check -- could a simple rejection of all
> JWTs with "sub" present suffice?

Prohibiting the use of "sub" in request object JWTs would suffice, yes. I'd
suggested the more narrow/specific prohibition with the aim of a smaller
scoped change. But perhaps it'd be simpler to just say don't use "sub"? I
can't think of any non-erroneous reason sub would be in a request object.

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._