Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

Brian Campbell <bcampbell@pingidentity.com> Tue, 14 November 2017 09:04 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7F43120046 for <oauth@ietfa.amsl.com>; Tue, 14 Nov 2017 01:04:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ngtsk3t5AnxQ for <oauth@ietfa.amsl.com>; Tue, 14 Nov 2017 01:03:59 -0800 (PST)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63CE3128D3E for <oauth@ietf.org>; Tue, 14 Nov 2017 01:03:59 -0800 (PST)
Received: by mail-it0-x230.google.com with SMTP id m191so12787002itg.2 for <oauth@ietf.org>; Tue, 14 Nov 2017 01:03:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IoU084qkf9h94U3rd/KfFjhWuY/LN0houvP7xplXYqA=; b=b/Uayt13jcJ2DM7sygpW42Hut58tHp83fC3znuW8cCuQGpMcmeIFcAjpc2t/iXjE1n ulJwxmLJ0e4oVQBpCWe8kQSuXB8SL999Wglhy9qZYAhP4ijDgp9j0a7V2nf5DLnrGGCo gDkZD7WSJnf428vGOZoeO6YAUMOTbi5Q6hRfA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IoU084qkf9h94U3rd/KfFjhWuY/LN0houvP7xplXYqA=; b=WDQyJUHme0qpCnLXS3+Ln87WrG/ZYUVQX5AjuCrNJZLrAYj4TOOMYS7bClxvarzgEd WM+YsDTi6/gDifaFcgCOPJEAtPnhLmzmmgWCza1Qg7pTs+mIiLwYyVV7J7JEKPOOqEIw 8gp80gTfTr0nU8Sdj6/IRo0i9bMDw20A73MoEdoO5H4Cp3iuaa3b5RjnImipMd4Zzse4 3RisEPtWB5LMh1ufY7QRjC7yM+l9cJYhGoJnruXNvnKYaPqeoSl6mFPal3UVb7lL+tyr /q8WVxe4mPVeV1R98zjx46l7sQOANrNjsSm9aWPxsTg98lNhi4G+7JLPLddl/lcZp7mU TOpQ==
X-Gm-Message-State: AJaThX6k0KKMVzEGIRBsT7wxi/4pNifoYZNK7IIEMnBwejbk2ZCN3q9z 3oDQ7nMsnH2ChJ3XwgDAWD5YBh5vN4yRA+OWFYtgSY5HHPn1kPF1XXrjuzWPWrQtJVrt3g1HmFS nmBYzqB6oU9CniA==
X-Google-Smtp-Source: AGs4zMYUNAqw8vxh8eaQEWqkDlnNTwe6AuWpoHQVzFPSbuuq2YL/rslvFkptb2ELpa+OxOz9Ki2B+2F+QQIg1JboK10=
X-Received: by 10.36.23.215 with SMTP id 206mr13158610ith.62.1510650238651; Tue, 14 Nov 2017 01:03:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.106.34 with HTTP; Tue, 14 Nov 2017 01:03:28 -0800 (PST)
In-Reply-To: <CY4PR21MB05045E56B6AB61AE66AA3D6EF5A00@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <CY4PR21MB0504A6F0739B0F3EFA46AE54F5D70@CY4PR21MB0504.namprd21.prod.outlook.com> <4524B6AF-E350-4D58-8ACC-1554D2506191@oracle.com> <CA+k3eCSeUqE8Tnr_OA__BrRLEUXjPDpjV0qF69t5dVL_RBXnVw@mail.gmail.com> <CY4PR21MB05045E56B6AB61AE66AA3D6EF5A00@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 14 Nov 2017 17:03:28 +0800
Message-ID: <CA+k3eCQFNh2JsQdSNdwDQ1LX3mxfxAoJJLv0QNUok2b_iZAJCA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "Phil Hunt (IDM)" <phil.hunt@oracle.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a114376eedae66d055dedaaeb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/83BIWqy7L2dQmj3s14VzHCbouN8>
Subject: Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 09:04:02 -0000

Resurrecting the thread that had a request for more guidance around how to
use the explicit typing with nested JWTs. As discussed/requested during the
WG meeting.

On Mon, Jul 17, 2017 at 5:55 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Good point.  I’d had that thought as well at one point but failed to
> express it in the draft.  Will do.
>
>
>
>                                                        -- Mike
>
>
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Monday, July 17, 2017 11:53 AM
> *To:* Phil Hunt (IDM) <phil.hunt@oracle.com>
> *Cc:* Mike Jones <Michael.Jones@microsoft.com>om>; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] JSON Web Token Best Current Practices draft
> describing Explicit Typing
>
>
>
> Could some more guidance be provided around how to use the explicit typing
> with nested JWTs?
>
> I'd imagine that the "typ" header should be in the header of the JWT that
> is integrity protected by the issuer?
>
>
>
> On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) <phil.hunt@oracle.com>
> wrote:
>
> +1
>
>
>
> Thanks Mike.
>
> Phil
>
>
> On Jul 4, 2017, at 12:43 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> The JWT BCP draft has been updated to describe the use of explicit typing
> of JWTs as one of the ways to prevent confusion among different kinds of
> JWTs.  This is accomplished by including an explicit type for the JWT in
> the “typ” header parameter.  For instance, the Security Event Token (SET)
> specification <http://self-issued.info/?p=1709> now uses the “
> application/secevent+jwt” content type to explicitly type SETs.
>
>
>
> The specification is available at:
>
>    - https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
>
>
>
> An HTML-formatted version is also available at:
>
>    - http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
>
>
>
>                                                        -- Mike
>
>
>
> P.S.  This notice was also posted at http://self-issued.info/?p=1714 and
> as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>

-- 
*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*