Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09

John Bradley <ve7jtb@ve7jtb.com> Sat, 19 July 2014 12:36 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Date: Sat, 19 Jul 2014 05:37:00 -0700
To: Phil Hunt <phil.hunt@oracle.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/9KEvTuP8QY2-O0yA9TjEPY7pHgM
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09

While a JWT might generically have many different audiences like resource servers, this profile is about sending it to the token endpoint at an AS for authentication or authorization.

I think adding something about the RS will confuse people.

I think Brian's text is fine.

John B.

On Jul 18, 2014, at 11:45 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Should that be encrypted for the intended audience (aud) of the JWT which may be the AS and/or the resource server?
> 
> Phil
> 
> On Jul 18, 2014, at 21:52, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
>> Sorry for the slow response on this Kathleen, my day job has been keeping me busy recently. And, honestly, I was kind of hopeful someone would volunteer some text in the meantime. But that didn't happen so how about the following?
>> 
>> A JWT may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it's desirable to prevent disclosure of certain information to the client, the JWT may be encrypted to the authorization server.
>> 
>> Deployments should determine the minimum amount of information necessary to complete the exchange and include only such claims in the JWT. In some cases the "sub" (subject) claim can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>> 
>> 
>> On Thu, Jul 3, 2014 at 3:26 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>> 
>> Hello,
>> 
>> I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good. The only question/comment I have is that I don't see any mention of privacy considerations in the referenced security sections. Could you add something? It is easily addressed by section 10.8 of RFC6749, but there is no mention of privacy considerations. I'm sure folks could generate great stories about who is accessing what causing privacy considerations to be important.
>> 
>> Thanks & have a nice weekend!
>> 
>> -- 
>> 
>> Best regards,
>> Kathleen
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
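The thread's two points, that the assertion's audience is the AS token endpoint rather than a resource server and that the JWT should carry only the claims the exchange needs (with a pseudonymous "sub"), as an added example that is not text or code from this thread or from the draft. It uses an HS256 client-secret assertion; the endpoint URL, secret and pseudonym are constructed values.

```python
import base64, hashlib, hmac, json, secrets

# Constructed values for this example; a real AS and client have their own.
TOKEN_ENDPOINT = "https://as.example.com/token"  # the only acceptable "aud"
CLIENT_SECRET = b"constructed-shared-secret"      # HS256 key shared with the AS

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def minimal_claims(issuer: str, pseudonym: str, now: int) -> dict:
    """Client side: only the claims the exchange needs; "sub" is a pseudonym, not a user id."""
    return {"iss": issuer, "sub": pseudonym, "aud": TOKEN_ENDPOINT,
            "exp": now + 300, "jti": secrets.token_hex(16)}

def mint_assertion(claims: dict, secret: bytes) -> str:
    """Client side: sign the claims as a compact HS256 JWS."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify_assertion(token: str, secret: bytes, now: int) -> dict:
    """AS side: check alg, signature, required claims, expiry, and that the
    audience is this token endpoint (a resource-server audience is rejected)."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if not all(k in claims for k in ("iss", "sub", "aud", "exp")):
        raise ValueError("missing required claim")
    aud = claims["aud"]
    if aud != TOKEN_ENDPOINT and aud != [TOKEN_ENDPOINT]:
        raise ValueError("aud is not this token endpoint")
    if claims["exp"] <= now:
        raise ValueError("assertion expired")
    return claims

if __name__ == "__main__":
    now = 1700000000  # fixed clock for a reproducible run
    token = mint_assertion(minimal_claims("client-123", "pseud-9f2a", now), CLIENT_SECRET)
    print(verify_assertion(token, CLIENT_SECRET, now))
```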