Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 02 October 2014 16:59 UTC

Message-ID: <542D8483.4030207@cs.tcd.ie>
Date: Thu, 02 Oct 2014 17:59:47 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>, Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
References: <20141001192433.1934.82385.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAB371E@TK5EX14MBXC288.redmond.corp.microsoft.com> <542D73E2.6080406@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739439BAB3E04@TK5EX14MBXC288.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BAB3E04@TK5EX14MBXC288.redmond.corp.microsoft.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Hj8N341iphRw9b14Z7wBFIQftqQ
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)


On 02/10/14 17:25, Mike Jones wrote:
> OK - I'll start prefixing my text with "Mike> ".

Many thanks.

S

> 
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
> Sent: Thursday, October 02, 2014 8:49 AM
> To: Mike Jones; Alissa Cooper; The IESG
> Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web-token@tools.ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)
> 
> 
> Mike,
> 
> I cannot tell which is your text and which not.
> 
> Can you please use a better quoting style? These docs are going to be a total PITA to handle otherwise.
> 
> Thanks,
> S.
> 
> 
> On 02/10/14 16:14, Mike Jones wrote:
>> Responding to the DISCUSS below…
>>
>> -----Original Message-----
>> From: Alissa Cooper [mailto:alissa@cooperw.in]
>> Sent: Wednesday, October 01, 2014 12:25 PM
>> To: The IESG
>> Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web-token@tools.ietf.org
>> Subject: Alissa Cooper's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS)
>>
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-oauth-json-web-token-27: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut
>> this introductory paragraph, however.)
>>
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> == Section 12 ==
>>
>> "A JWT may contain privacy-sensitive information.  When this is the
>>    case, measures must be taken to prevent disclosure of this
>>    information to unintended parties."
>>
>> It seems to me that this should be a normative MUST, particularly in light of the fact that claims are being defined that are meant to directly identify users (e.g., sub) and other claims defined here or later could do so as well.
>>
>> There seems to be debate whether 2119 language should be used other than when describing protocol requirements.  Jim Schaad (the JOSE chair) believes that they shouldn't and these documents have followed that convention.
>>
>> "One way to achieve this is to use
>>    an encrypted JWT.  Another way is to ensure that JWTs containing
>>    unencrypted privacy-sensitive information are only transmitted over
>>    encrypted channels or protocols, such as TLS."
>>
>> Since sensitive JWTs should be protected from both intermediary
>> observation and from being sent to unintended recipients, I would
>> suggest:
>>
>> One way to achieve this is to use an encrypted JWT and authenticate the recipient. Another way is to ensure that JWTs containing unencrypted privacy-sensitive information are only transmitted over encrypted channels or protocols that also support endpoint authentication, such as TLS.
>>
>> Thanks for this suggested language.  We can incorporate something like that.
>>
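The two protection options discussed in the quoted DISCUSS text (an encrypted JWT, or an unencrypted JWT carried only over an encrypted channel that also authenticates the endpoint) can be enforced as a sending-side transmission policy. The Python below is an added example written for this archive page; it is not code from the draft, from the OAuth or JOSE working groups, or from anyone in the thread. It parses the JWT compact serialisation, treats a five-part token with an `enc` header as a JWE whose claims are already protected, and for a three-part token (signed or `alg=none`) inspects the cleartext claims and refuses to send privacy-sensitive ones unless the channel is both encrypted and peer-authenticated. Everything beyond the `sub` claim named in the DISCUSS is an assumption made for the example: the other claim names, the `Channel` attributes, the HS256 helpers, the sample key and the constructed JWE-shaped token.

```python
"""Sending-side policy gate for JWTs that may carry privacy-sensitive claims.

Added example, not from the draft or the thread. Standard library only.
Rule enforced: a JWT containing privacy-sensitive claims may be sent only if
(a) it is an encrypted JWT (JWE), or (b) the channel is encrypted AND the
recipient endpoint is authenticated (e.g. TLS with certificate validation).
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Tuple

# "sub" is the claim the DISCUSS text names; the other three are assumed
# examples of claims a deployment might classify as privacy-sensitive.
PRIVACY_SENSITIVE_CLAIMS = frozenset({"sub", "email", "name", "phone_number"})

# Constructed demo key for the sample tokens below; not a real secret.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Compact serialisation drops the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build an HMAC-SHA256 signed JWS; the claims are signed but NOT encrypted."""
    header = _json_b64({"alg": "HS256", "typ": "JWT"})
    payload = _json_b64(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time HS256 signature check (integrity only, not confidentiality)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


# Constructed JWE-shaped token (direct key agreement, AES-256-GCM) with dummy
# IV/ciphertext/tag: only its five-part structure and header matter here.
SAMPLE_JWE = ".".join([
    _json_b64({"alg": "dir", "enc": "A256GCM"}),
    "",                            # encrypted key is empty for alg=dir
    b64url_encode(b"dummy-iv"),
    b64url_encode(b"dummy-ciphertext"),
    b64url_encode(b"dummy-tag"),
])


@dataclass(frozen=True)
class Channel:
    encrypted: bool           # e.g. TLS is in use
    peer_authenticated: bool  # e.g. the recipient's certificate was validated


def classify(token: str) -> Tuple[str, dict]:
    """Return ("JWE", header) for encrypted JWTs, ("JWS", claims) otherwise."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 5 and "enc" in header:
        return "JWE", header      # payload is ciphertext; claims not readable here
    if len(parts) == 3:
        # Covers signed JWTs and alg=none unsecured JWTs alike: both carry
        # the claims in cleartext, so both need channel protection.
        return "JWS", json.loads(b64url_decode(parts[1]))
    raise ValueError("not a compact-serialised JWT")


def may_transmit(token: str, channel: Channel) -> Tuple[bool, str]:
    """Decide whether this token may be sent over this channel, with a reason."""
    kind, body = classify(token)
    if kind == "JWE":
        return True, "claims are encrypted inside the JWT"
    sensitive = sorted(PRIVACY_SENSITIVE_CLAIMS.intersection(body))
    if not sensitive:
        return True, "no privacy-sensitive claims present"
    if channel.encrypted and channel.peer_authenticated:
        return True, f"{sensitive} protected by an encrypted, authenticated channel"
    if channel.encrypted:
        return False, f"{sensitive} would reach an unauthenticated recipient"
    return False, f"{sensitive} would be exposed on an unencrypted channel"


if __name__ == "__main__":
    tok = make_hs256_jwt({"iss": "https://issuer.example", "sub": "user-123"}, SAMPLE_KEY)
    for ch in (Channel(False, False), Channel(True, False), Channel(True, True)):
        print(ch, may_transmit(tok, ch))
    print("JWE over plaintext:", may_transmit(SAMPLE_JWE, Channel(False, False)))
```

The `peer_authenticated` flag is what distinguishes Alissa's suggested wording from the original draft text: encryption alone stops an intermediary from reading the token, but only endpoint authentication stops it from being delivered to the wrong party, so the gate requires both before an unencrypted JWT with a `sub` claim leaves the sender.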