[OAUTH-WG] issuer (was draft-ietf-oauth-jwt-bearer-06)

Brian Campbell <bcampbell@pingidentity.com> Mon, 04 November 2013 18:44 UTC

To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>

On Fri, Nov 1, 2013 at 1:52 PM, Hannes Tschofenig
<hannes.tschofenig@gmx.net> wrote:
> Section 3:
> You write:
> "
>    1.   The JWT MUST contain an "iss" (issuer) claim that contains a
>         unique identifier for the entity that issued the JWT.  Issuer
>         values SHOULD be compared using the Simple String Comparison
>         method defined in Section 6.2.1 of RFC 3986 [RFC3986], unless
>         otherwise specified by the application.
> "
> What is not stated here is what are the two values that are compared against
> each other. One value is the issuer claim from the JWT and the other value
> is, I guess, an entry from a whitelist of trusted issuers.

Yes, typically the issuer value is used to look up policy or
configuration data in order to process the transaction. But that is an
implementation choice and certainly not the only way it could be done.

I've always thought that talking about comparing issuer values is
somewhat misleading. Can that second sentence be omitted? Or is there
a better way to convey what is intended here? Which is, I think, that
even though issuer may be a URI, it should simply be treated as a
case-sensitive string?
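
An added example, not part of the original message or of the draft: the issuer is used as an exact, case-sensitive key to look up policy, and URI-equivalent variants of it therefore find no policy. The names `TRUSTED_ISSUERS`, `peek_issuer`, `select_policy` and `uri_normalized`, and the example.com values, are assumptions made for illustration; signature verification is out of scope here.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed policy table keyed by the exact issuer string (hypothetical values).
TRUSTED_ISSUERS = {"https://idp.example.com": {"key_set": "idp-keys", "max_age_s": 300}}

def _seg(obj):
    """Base64url-encode a JSON object the way a JWT segment is encoded."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_token(iss):
    """Constructed sample JWT; the third segment is a placeholder, not a signature."""
    return ".".join([_seg({"alg": "RS256"}), _seg({"iss": iss, "sub": "client-1"}), "c2ln"])

def peek_issuer(token):
    """Read "iss" from the unverified payload, only to choose which policy applies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    iss = payload.get("iss") if isinstance(payload, dict) else None
    if not isinstance(iss, str):
        raise ValueError('"iss" must be present and a string')
    return iss

def select_policy(token):
    """Simple string comparison: exact, case-sensitive match; no URI normalization."""
    return TRUSTED_ISSUERS.get(peek_issuer(token))

def uri_normalized(iss):
    """For contrast only: scheme/host case, default port and empty-path normalization."""
    u = urlsplit(iss)
    port = None if (u.scheme, u.port) in (("https", 443), ("http", 80)) else u.port
    host = (u.hostname or "") + ("" if port is None else f":{port}")
    return f"{u.scheme}://{host}{'' if u.path == '/' else u.path}"

if __name__ == "__main__":
    for iss in ("https://idp.example.com", "https://IDP.example.com",
                "https://idp.example.com/", "https://idp.example.com:443"):
        same_uri = uri_normalized(iss) == "https://idp.example.com"
        print(f"{iss!r}: policy={select_policy(sample_token(iss))} uri-equivalent={same_uri}")
```
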