[OAUTH-WG] JWT BCP Acknowledgements (was Fwd: New Version Notification for draft-ietf-oauth-jwt-bcp-02.txt)

Brian Campbell <bcampbell@pingidentity.com> Fri, 04 May 2018 22:07 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 04 May 2018 16:06:53 -0600
Message-ID: <CA+k3eCRi0eQJDVMDFLUcntL5_+8ANM0r7i5JoJHJC1zdgFX_6Q@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DJ6MLA6ZExyOzGrU-CleIKVcCVY>
Subject: [OAUTH-WG] JWT BCP Acknowledgements (was Fwd: New Version Notification for draft-ietf-oauth-jwt-bcp-02.txt)

AFAIK, Tim McLean was the first to bring the HMAC/RSA switching attack to
the attention of JWS/JWT implementers -
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

Perhaps he should be acknowledged similarly to how Antonio is for the invalid
point attack?

I've also provided a little (admittedly very little) review and feedback on
the draft...

On Wed, May 2, 2018 at 2:36 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> This new version should address all WGLC comments. Please let us know if
> there's anything missing.
>
> Thanks,
>         Yaron
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for draft-ietf-oauth-jwt-bcp-02.txt
> Date: Wed, 02 May 2018 01:26:17 -0700
> From: internet-drafts@ietf.org
> To: Michael B. Jones <mbj@microsoft.com>, Yaron Sheffer <yaronf.ietf@gmail.com>,
> Dick Hardt <dick@amazon.com>, Michael Jones <mbj@microsoft.com>
>
>
> A new version of I-D, draft-ietf-oauth-jwt-bcp-02.txt
> has been successfully submitted by Yaron Sheffer and posted to the
> IETF repository.
>
> Name:           draft-ietf-oauth-jwt-bcp
> Revision:       02
> Title:          JSON Web Token Best Current Practices
> Document date:  2018-05-02
> Group:          oauth
> Pages:          13
> URL:            https://www.ietf.org/internet-drafts/draft-ietf-oauth-jwt-bcp-02.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/
> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-02
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bcp-02
>
> Abstract:
>    JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
>    tokens that contain a set of claims that can be signed and/or
>    encrypted.  JWTs are being widely used and deployed as a simple
>    security token format in numerous protocols and applications, both in
>    the area of digital identity, and in other application areas.  The
>    goal of this Best Current Practices document is to provide actionable
>    guidance leading to secure implementation and deployment of JWTs.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>

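The HMAC/RSA switching attack Brian refers to above targets verifiers that let the token's own `alg` header choose the algorithm and then reuse whatever key they hold for it; a verifier holding an RSA public key can then be handed an HS256 token MACed with that public key, which is not secret. The following is an added illustration, not code from the draft, from Ping Identity or from anyone on the list: a naive verifier exhibiting that pattern next to one that pins the accepted algorithm to the configured key, which is the mitigation the BCP describes. It uses only the Python standard library; the RSA "key" bytes, the shared secret and the claims are constructed placeholders, and RS256 signature verification itself is deliberately out of scope because the check that matters here runs before any cryptography does.

```python
"""Guarding a JWS verifier against HMAC/RSA algorithm switching (added example)."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWS drops base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWS with HS256 (the honest issuer's path)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"


def split_jws(token: str):
    """Return (header, payload, signing_input, signature) of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, f"{parts[0]}.{parts[1]}", b64url_decode(parts[2])


def hs256_tag_ok(signing_input: str, tag: bytes, secret: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def verify_naive(token: str, key_material: bytes):
    """Vulnerable pattern: the token picks the algorithm and the configured key
    is reused for whatever that algorithm is. Returns the claims or None."""
    header, payload, signing_input, tag = split_jws(token)
    if header.get("alg") == "HS256":
        return payload if hs256_tag_ok(signing_input, tag, key_material) else None
    # An RS256 branch would run RSA verification over key_material here; it is
    # left out because the flaw lives in the HS256 branch above, not in RSA.
    return None


class VerificationKey:
    """What the verifier is configured with: key type, pinned alg, material."""

    def __init__(self, kty: str, alg: str, material: bytes):
        self.kty, self.alg, self.material = kty, alg, material


def verify_pinned(token: str, key: VerificationKey, expected_alg: str) -> dict:
    """Hardened pattern: the caller pins the algorithm and the key declares the
    algorithm it is for; the untrusted header must agree with both before any
    cryptographic operation runs. Raises ValueError on any mismatch."""
    header, payload, signing_input, tag = split_jws(token)
    alg = header.get("alg")
    if alg != expected_alg:
        raise ValueError(f"alg {alg!r} rejected; verifier expects {expected_alg!r}")
    if alg != key.alg:
        raise ValueError(f"alg {alg!r} does not match key pinned to {key.alg!r}")
    # MAC algorithms need a symmetric ("oct") key; never MAC with a public key.
    if alg.startswith("HS") and key.kty != "oct":
        raise ValueError("HMAC alg with a non-symmetric key")
    if alg == "HS256":
        if not hs256_tag_ok(signing_input, tag, key.material):
            raise ValueError("bad signature")
        return payload
    raise ValueError(f"algorithm {alg!r} not supported by this demo verifier")


# Constructed sample material (placeholders, not real keys).
RSA_PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"
RSA_KEY = VerificationKey("RSA", "RS256", RSA_PUBLIC_KEY_PEM)
OCT_SECRET = b"constructed-demo-shared-secret"
OCT_KEY = VerificationKey("oct", "HS256", OCT_SECRET)


def run_demo():
    # A token MACed with the public key: the naive verifier accepts it because
    # the public key is public; the pinned verifier rejects it before any MAC.
    switched = make_hs256({"sub": "admin"}, RSA_PUBLIC_KEY_PEM)
    naive_result = verify_naive(switched, RSA_PUBLIC_KEY_PEM)
    try:
        verify_pinned(switched, RSA_KEY, "RS256")
        pinned_result = "accepted"
    except ValueError as exc:
        pinned_result = f"rejected: {exc}"
    # The pinned verifier still accepts a genuine HS256 token under an oct key.
    legit = verify_pinned(make_hs256({"sub": "alice"}, OCT_SECRET), OCT_KEY, "HS256")
    return naive_result, pinned_result, legit


if __name__ == "__main__":
    print(run_demo())
```

The point of `verify_pinned` is that two independent facts outside the token, the algorithm the relying party expects and the type of key it was given, are checked against the header before any key material touches a MAC or signature routine; in production the same shape is obtained by passing an explicit allow-list of algorithms to a maintained JWT library rather than writing the verifier yourself.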