[OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-jwt-bcp-06.txt
Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 07 June 2019 18:17 UTC
To: oauth <oauth@ietf.org>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <dab0f52e-c43b-236d-3f5e-90013cf18dee@gmail.com>
Date: Fri, 07 Jun 2019 21:17:35 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Bs8l02Yi3iqDE3nN2rqh2HVTEgE>
Dear WG members,

Version -06 addresses Roman's AD comments, basically separating the rationale from the recommendations to maintain the document's internal consistency.

We also removed one SHOULD-level recommendation, "Sensitive information, such as passwords, SHOULD be padded before being encrypted." While length hiding would be nice in principle, standard ciphers such as AES-GCM do not provide it out of the box.

Thanks,
	Yaron

-------- Forwarded Message --------
Subject: New Version Notification for draft-ietf-oauth-jwt-bcp-06.txt
Date: Fri, 07 Jun 2019 11:08:00 -0700
From: internet-drafts@ietf.org
To: Michael B. Jones <mbj@microsoft.com>, Dick Hardt <dick.hardt@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, Michael Jones <mbj@microsoft.com>

A new version of I-D, draft-ietf-oauth-jwt-bcp-06.txt
has been successfully submitted by Yaron Sheffer and posted to the
IETF repository.

Name:		draft-ietf-oauth-jwt-bcp
Revision:	06
Title:		JSON Web Token Best Current Practices
Document date:	2019-06-07
Group:		oauth
Pages:		16
URL:            https://www.ietf.org/internet-drafts/draft-ietf-oauth-jwt-bcp-06.txt
Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/
Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-06
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp
Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bcp-06

Abstract:
   JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
   tokens that contain a set of claims that can be signed and/or
   encrypted.  JWTs are being widely used and deployed as a simple
   security token format in numerous protocols and applications, both in
   the area of digital identity, and in other application areas.  The
   goal of this Best Current Practices document is to provide actionable
   guidance leading to secure implementation and deployment of JWTs.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
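The length-hiding point in the note above, illustrated with an added Go example that is not part of this message, of the draft, or of any JWT library: AES-GCM (the cipher behind JWE's A128GCM/A256GCM content encryption) produces a ciphertext body exactly as long as the plaintext plus a fixed tag, so the encrypted length of a password reveals the password's length. The example seals two constructed secrets of different lengths and shows the lengths differ; it then applies an application-level padding scheme of the kind the withdrawn SHOULD asked for (a 4-byte length prefix, zero-filled to a 64-byte bucket) and shows both secrets now encrypt to the same length. The fixed demo key, the bucket size, the padding format and the sample secrets are all assumptions of this example, not anything the draft specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// demoKey is a constructed, fixed 32-byte AES-256 key so the example is reproducible.
// A real deployment derives or provisions the key; never hard-code one.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// newAEAD builds an AES-GCM AEAD for key (16, 24 or 32 bytes).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag. The ciphertext part is exactly
// len(plaintext) bytes: GCM adds a 16-byte tag but no padding, so the output
// length is a deterministic function of the input length (the leak at issue).
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails on a truncated or tampered input.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed input shorter than nonce")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// padToBucket is an assumed application-level padding format: a 4-byte big-endian
// length prefix, the message, then zero fill up to the next multiple of bucket.
// Every message of up to bucket-4 bytes therefore encrypts to the same length.
func padToBucket(msg []byte, bucket int) ([]byte, error) {
	if bucket <= 4 {
		return nil, errors.New("bucket must exceed the 4-byte length prefix")
	}
	body := 4 + len(msg)
	out := make([]byte, ((body+bucket-1)/bucket)*bucket)
	binary.BigEndian.PutUint32(out, uint32(len(msg)))
	copy(out[4:], msg)
	return out, nil
}

// unpad recovers the message and rejects a length prefix that overruns the payload.
func unpad(padded []byte) ([]byte, error) {
	if len(padded) < 4 {
		return nil, errors.New("padded input too short")
	}
	n := int(binary.BigEndian.Uint32(padded))
	if n > len(padded)-4 {
		return nil, errors.New("length prefix exceeds payload")
	}
	return padded[4 : 4+n], nil
}

// CiphertextLengths returns, per message, the sealed length without padding (raw)
// and with bucket padding, so the leak and its removal can be compared directly.
func CiphertextLengths(key []byte, msgs [][]byte, bucket int) ([]int, []int, error) {
	var raw, padded []int
	for _, m := range msgs {
		r, err := sealGCM(key, m, nil)
		if err != nil {
			return nil, nil, err
		}
		p, err := padToBucket(m, bucket)
		if err != nil {
			return nil, nil, err
		}
		s, err := sealGCM(key, p, nil)
		if err != nil {
			return nil, nil, err
		}
		raw, padded = append(raw, len(r)), append(padded, len(s))
	}
	return raw, padded, nil
}

// RoundTrip pads, seals, opens and unpads msg, reporting whether it survived intact.
func RoundTrip(key, msg []byte, bucket int) (bool, error) {
	p, err := padToBucket(msg, bucket)
	if err != nil {
		return false, err
	}
	s, err := sealGCM(key, p, nil)
	if err != nil {
		return false, err
	}
	pt, err := openGCM(key, s, nil)
	if err != nil {
		return false, err
	}
	got, err := unpad(pt)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, msg), nil
}

func main() {
	// Constructed sample secrets of 7 and 28 bytes.
	secrets := [][]byte{[]byte("hunter2"), []byte("correct horse battery staple")}
	raw, padded, err := CiphertextLengths(demoKey, secrets, 64)
	if err != nil {
		panic(err)
	}
	fmt.Println("unpadded sealed lengths:", raw)    // 35 and 56: length leaks
	fmt.Println("bucket-padded lengths:  ", padded) // 92 and 92: hidden within the bucket
}
```

The caveat is in the arithmetic: padding only hides length within a bucket. A 70-byte secret would land in the 128-byte bucket and still be distinguishable from a 7-byte one, and in JWE the base64url ciphertext length tracks the raw length byte for byte, so the observer does not even need to decode. That is why the behaviour has to come from the application layer, with a bucket sized for the data, rather than from the cipher.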