Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-jwt-bcp-06.txt
Roman Danyliw <rdd@cert.org> Fri, 07 June 2019 18:27 UTC
Return-Path: <rdd@cert.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AD96120074 for <oauth@ietfa.amsl.com>; Fri, 7 Jun 2019 11:27:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nAJtc_Q9QENb for <oauth@ietfa.amsl.com>; Fri, 7 Jun 2019 11:27:13 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0190C1200D6 for <oauth@ietf.org>; Fri, 7 Jun 2019 11:27:11 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x57IRA4F030293; Fri, 7 Jun 2019 14:27:10 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x57IRA4F030293
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1559932030; bh=hz9T1qI39J+vJ+Q07wLDBoANCreV/0EJhOg/jMj19nQ=; h=From:To:Subject:Date:References:In-Reply-To:From; b=XI/C9owsHzvQ4l+u6JvIW9Kprc84fzh0IlT+cUFcpYz2H+i1Hm7IUTTJskHu/q74+ Cc+sjbvsGuJa7nc+6lpwF1+gnQb/leWOyjSnIRvbRM3PGx1ILjR+/O8mTs8Hmxy9A1 ejdnDKESnlunxn38UhkCfxfWclOmmfZDPhY1XAuU=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x57IR716042694; Fri, 7 Jun 2019 14:27:07 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0439.000; Fri, 7 Jun 2019 14:27:06 -0400
From: Roman Danyliw <rdd@cert.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-jwt-bcp-06.txt
Thread-Index: AQHVHV1WfdxJKPB+Dkm0hNLHJv+bnaaQglrQ
Date: Fri, 07 Jun 2019 18:27:06 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B338896A@marathon>
References: <155993088012.27385.9526522170989488513.idtracker@ietfa.amsl.com> <dab0f52e-c43b-236d-3f5e-90013cf18dee@gmail.com>
In-Reply-To: <dab0f52e-c43b-236d-3f5e-90013cf18dee@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9ArNeEfHxv44qay9P5xqmJI19aw>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-jwt-bcp-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2019 18:27:16 -0000
Hi Yaron! Thanks for this quick update. It addresses my feedback. I'll advance the document. Roman > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Yaron Sheffer > Sent: Friday, June 07, 2019 2:18 PM > To: oauth <oauth@ietf.org> > Subject: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth- > jwt-bcp-06.txt > > Dear WG members, > > Version -06 addresses Roman's AD comments, basically separating the > rationale from the recommendations to maintain the document's internal > consistency. > > We also removed one SHOULD-level recommendation, "Sensitive > information, such as passwords, SHOULD be padded before being > encrypted." While length hiding would be nice in principle, standard ciphers > such as AES-GCM do not provide it out of the box. > > Thanks, > Yaron > > -------- Forwarded Message -------- > Subject: New Version Notification for draft-ietf-oauth-jwt-bcp-06.txt > Date: Fri, 07 Jun 2019 11:08:00 -0700 > From: internet-drafts@ietf.org > To: Michael B. Jones <mbj@microsoft.com>, Dick Hardt > <dick.hardt@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, Michael > Jones <mbj@microsoft.com> > > > A new version of I-D, draft-ietf-oauth-jwt-bcp-06.txt has been successfully > submitted by Yaron Sheffer and posted to the IETF repository. > > Name: draft-ietf-oauth-jwt-bcp > Revision: 06 > Title: JSON Web Token Best Current Practices > Document date: 2019-06-07 > Group: oauth > Pages: 16 > URL: > https://www.ietf.org/internet-drafts/draft-ietf-oauth-jwt-bcp-06.txt > Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/ > Htmlized: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-06 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp > Diff: > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bcp-06 > > Abstract: > JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security > tokens that contain a set of claims that can be signed and/or > encrypted. JWTs are being widely used and deployed as a simple > security token format in numerous protocols and applications, both in > the area of digital identity, and in other application areas. The > goal of this Best Current Practices document is to provide actionable > guidance leading to secure implementation and deployment of JWTs. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Fwd: New Version Notification for draf… Yaron Sheffer
- Re: [OAUTH-WG] Fwd: New Version Notification for … Roman Danyliw