Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-bcp-03.txt

Mike Jones <Michael.Jones@microsoft.com> Tue, 08 May 2018 19:04 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
Date: Tue, 08 May 2018 19:04:47 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pceTXvf18zS2oBcDCNOpTWTPkg0>

Thanks, Neil.  I've made a note of this so that we can update the reference the next time we're editing the spec.

				-- Mike

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Neil Madden
Sent: Tuesday, May 8, 2018 5:06 AM
To: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-bcp-03.txt

I was just checking over this latest draft and I noticed that the reference to [nist-sp-800-56a-r3] currently links to https://csrc.nist.gov/CSRC/media/Publications/sp/800-56a/rev-3/draft/documents/sp800-56ar3-draft.pdf, which is a superseded draft. The final revision 3 is available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf (or https://doi.org/10.6028/NIST.SP.800-56Ar3 might be preferable for long-term stability).

Kind regards,

— Neil

> On 7 May 2018, at 23:35, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
> 
>        Title           : JSON Web Token Best Current Practices
>        Authors         : Yaron Sheffer
>                          Dick Hardt
>                          Michael B. Jones
>        Filename        : draft-ietf-oauth-jwt-bcp-03.txt
>        Pages           : 13
>        Date            : 2018-05-07
> 
> Abstract:
>   JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
>   tokens that contain a set of claims that can be signed and/or
>   encrypted.  JWTs are being widely used and deployed as a simple
>   security token format in numerous protocols and applications, both in
>   the area of digital identity, and in other application areas.  The
>   goal of this Best Current Practices document is to provide actionable
>   guidance leading to secure implementation and deployment of JWTs.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-03
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp-03
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bcp-03
> 
> 
> Please note that it may take a couple of minutes from the time of 
> submission until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
