Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

Phil Hunt <phil.hunt@oracle.com> Mon, 19 March 2018 08:58 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CNoSaGnXX1tbMMgNU9fk68-STlc>

This draft has similar issues to https://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01

Rather than *try* to sign HTTP, a signed JWT object is more reliably returned.

Phil


> On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis <Louis.LARMIGNAT@wavestone.com> wrote:
> 
> Hi,
>  
> Could the draft Signing HTTP Messages (https://tools.ietf.org/html/draft-cavage-http-signatures-09) not meet this requirement in a more generic way?
>  
> Regards,
> Louis
>  
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brock Allen
> Sent: Sunday, 18 March 2018 20:40
> To: Torsten Lodderstedt <torsten@lodderstedt.net>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>  
> Why is TLS to the introspection endpoint not sufficient? Are you thinking there needs to be some multi-tenancy support of some kind?
>  
> -Brock
>  
> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> Hi all,
>  
> I just submitted a new draft that Vladimir Dzhuvinov and I have written. It proposes a JWT-based response type for Token Introspection. The objective is to provide resource servers with signed tokens in case they need cryptographic evidence that the AS created the token (e.g. for liability). 
>  
> I will present the new draft in the session on Wednesday.
>  
> kind regards,
> Torsten. 
> 
> 
> Begin forwarded message:
> 
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> Date: 18 March 2018 at 20:19:37 CET
> To: "Vladimir Dzhuvinov" <vladimir@connect2id.com>, "Torsten Lodderstedt" <torsten@lodderstedt.net>
>  
> 
> A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> has been successfully submitted by Torsten Lodderstedt and posted to the
> IETF repository.
> 
> Name:           draft-lodderstedt-oauth-jwt-introspection-response
> Revision:       00
> Title:          JWT Response for OAuth Token Introspection
> Document date:  2018-03-15
> Group:          Individual Submission
> Pages:          5
> URL:            https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
> 
> 
> Abstract:
>   This draft proposes an additional JSON Web Token (JWT) based response
>   for OAuth 2.0 Token Introspection.
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 