Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-24.txt

Tangui Le Pense <tangui.lepense@mail.ru> Wed, 01 July 2020 17:29 UTC

Return-Path: <tangui.lepense@mail.ru>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4482D3A0403; Wed, 1 Jul 2020 10:29:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mail.ru
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YqBT_OubV2Pp; Wed, 1 Jul 2020 10:29:47 -0700 (PDT)
Received: from smtp60.i.mail.ru (smtp60.i.mail.ru [217.69.128.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E63C03A0645; Wed, 1 Jul 2020 10:29:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ru; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:To:Subject; bh=GFgXR/A+7f74aNi1vYvUa9LEgL3GnTFEOmbddamrS6I=; b=Ic2h3CW4S64bLVcWYAHFIz2QCp3TxRofD/5/OHo6117GCpyGjWXq1TbGqM18PLQvxYEFAmPnl/MXo0MeuEB3nFiHUMTpgasNRT7vWTtZji3KaPlhoVDOMuaDQePBmaeYKh7rragvnYvAWJTFk4wrhbkHy/jW8o2OpNrgMkTttLQ=;
Received: by smtp60.i.mail.ru with esmtpa (envelope-from <tangui.lepense@mail.ru>) id 1jqgYG-0002t7-Ns; Wed, 01 Jul 2020 20:29:41 +0300
To: oauth@ietf.org, internet-drafts@ietf.org, i-d-announce@ietf.org
References: <159360926310.29368.17616782975245600683@ietfa.amsl.com>
From: Tangui Le Pense <tangui.lepense@mail.ru>
Message-ID: <040466fc-f05b-13a7-8981-eff63552d570@mail.ru>
Date: Wed, 01 Jul 2020 20:29:40 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <159360926310.29368.17616782975245600683@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Authentication-Results: smtp60.i.mail.ru; auth=pass smtp.auth=tangui.lepense@mail.ru smtp.mailfrom=tangui.lepense@mail.ru
X-7564579A: 78E4E2B564C1792B
X-77F55803: 4F1203BC0FB41BD9AAC5A87EC32CE31E96AC8E84EC5BB5D797C056DF1623C71F182A05F538085040DB01FCB43D8A1DC02AAF93B460F3B33D6B89AFAD5FA4BABE014C54FF4B30FA2C
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE79145AB6E9E75F07EEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F79006375AC38C7EC4509C8B8638F802B75D45FF5571747095F342E8C7A0BC55FA0FE5FC6A25CCC208BB6E51AB835542AF1CCAEF4293ED7948FA8E65389733CBF5DBD5E913377AFFFEAFD269A417C69337E82CC2CC7F00164DA146DAFE8445B8C89999725571747095F342E8C26CFBAC0749D213D2E47CDBA5A9658378DA827A17800CE767883B903EA3BAEA9FA2833FD35BB23DF004C906525384303BDABC7E18AA350CD8FC6C240DEA76428AA50765F7900637CA786513AE8B4513D81D268191BDAD3DBD4B6F7A4D31EC0BD28E6F1989ABE784D81D268191BDAD3D78DA827A17800CE7A3A480E845649B12EC76A7562686271EACF85BE98DE5FEAF35872C767BF85DA29E625A9149C048EE0A3850AC1BE2E7358CCB3ED2A1DE23044AD6D5ED66289B524E70A05D1297E1BB35872C767BF85DA227C277FBC8AE2E8BEBEE3B39F980227375ECD9A6C639B01B4E70A05D1297E1BBC6867C52282FAC85D9B7C4F32B44FF57285124B2A10EEC6C00306258E7E6ABB4E4A6367B16DE6309
X-C8649E89: 271166402B797F67E7CC1FF6C31D6D5E23257B67E590DF2F94DC842EC4ADC5CBD8C9D1B39D7D4BA4
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojI/NPKmdP1NY+Wlh0O8Fg+g==
X-Mailru-Sender: 583F1D7ACE8F49BD9992EFD99BFCA825F897663E60E1B31307AB0AC95B934FEF538B242C63C5AD33A5D2D6C63D114D6383AFC63A7763B797302201EBD47025992073CDDE12DEC8CD6F486DAF1ACEF02CC676CB43868BEEFB8FF63FEAB625EE02EAB4BC95F72C04283CDA0F3B3F5B9367
X-Mras: Ok
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Frhm8o-6xl-xfDe1IlZ65Rcu_yU>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-24.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 17:29:52 -0000

Hello,

There seems to be a typo:

9.2 and 9.3: "require_signed_request_objects"

10.5: "require_signed_request_object"

Regards,

-- 

Tangui

01.07.2020 16:14, internet-drafts@ietf.org пишет:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>          Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
>          Authors         : Nat Sakimura
>                            John Bradley
> 	Filename        : draft-ietf-oauth-jwsreq-24.txt
> 	Pages           : 33
> 	Date            : 2020-07-01
>
> Abstract:
>     The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>     query parameter serialization, which means that Authorization Request
>     parameters are encoded in the URI of the request and sent through
>     user agents such as web browsers.  While it is easy to implement, it
>     means that (a) the communication through the user agents are not
>     integrity protected and thus the parameters can be tainted, and (b)
>     the source of the communication is not authenticated.  Because of
>     these weaknesses, several attacks to the protocol have now been put
>     forward.
>
>     This document introduces the ability to send request parameters in a
>     JSON Web Token (JWT) instead, which allows the request to be signed
>     with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
>     (JWE) so that the integrity, source authentication and
>     confidentiality property of the Authorization Request is attained.
>     The request can be sent by value or by reference.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-24
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-24
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-24
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth