Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-07.txt

Nat Sakimura <n-sakimura@nri.co.jp> Wed, 20 January 2016 03:02 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46D8E1A036E for <oauth@ietfa.amsl.com>; Tue, 19 Jan 2016 19:02:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JnHIAZ11PsjM for <oauth@ietfa.amsl.com>; Tue, 19 Jan 2016 19:02:29 -0800 (PST)
Received: from mail-qk0-f172.google.com (mail-qk0-f172.google.com [209.85.220.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A8281A036B for <oauth@ietf.org>; Tue, 19 Jan 2016 19:02:29 -0800 (PST)
Received: by mail-qk0-f172.google.com with SMTP id s5so49539316qkd.0 for <oauth@ietf.org>; Tue, 19 Jan 2016 19:02:29 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-type; bh=/U5YZ9r3Q6aZyLe+V3B1zyNhPiw+gpUuNvyqvaMB4xE=; b=d5CeGtD37h80nJZZKKDNqkJ5gyd4orByp+MlonMzlP4Q+45QiQz1B7cMe2nyzIGmOT 2bFNTAzQOvZMqxzl8/eGoNGKjfP9TK2I6zEiiSdxrxogJ7mWgp0lmx6l/aE8t1zcBAwv k/x2KI/wmZd9DEKOHrd09BfmlzAyMGA/jQZly+1IrUrUXh++diDpg0DdPKpBGNmWufUT TpKgMo52LzmwJxuGzMXxnunnUm+653sWKp1yFCJQig/i6fPA0uQadtc3zlZut78UYTfy ItbJgO8vAhzsmfkGCDo3zvq1YLi5Asu2rRASWuV5rYlfExGS7estvAmAaZjWEdOCZvtS AhFQ==
X-Gm-Message-State: ALoCoQknxmX1jsxyDF0vGezeZh+ZzCr8QZbMe/zoLk2f/sPtXl7Q338Xe0VxYmwtRy3qUpSLCDTLGWjEtpNSAFlFYOmOB65i5A==
X-Received: by 10.55.78.207 with SMTP id c198mr41862399qkb.34.1453258948579; Tue, 19 Jan 2016 19:02:28 -0800 (PST)
MIME-Version: 1.0
References: <20160119094331.7895.68438.idtracker@ietfa.amsl.com> <047501d1529f$7c7b7b40$757271c0$@nri.co.jp>
In-Reply-To: <047501d1529f$7c7b7b40$757271c0$@nri.co.jp>
From: Nat Sakimura <n-sakimura@nri.co.jp>
Date: Wed, 20 Jan 2016 03:02:19 +0000
Message-ID: <CABzCy2Due-1wDZ4tL7V_75TGbmJerT5MFR9qpcbDJS6eL9u9wA@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=001a114a7c9c65996d0529bb37fb
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/M1XwuKIZYunPLP-aqyIDvijNLXs>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2016 03:02:32 -0000

And, here is the list of remaining issues that needs discussion.

#9: Section 3 - parameter name conflict with Proof-of-Posession.
<https://bitbucket.org/Nat/oauth-jwsreq/issues/9/section-3-parameter-name-conflict-with>

... the Authorization Request Object SHOULD contain the Claims "iss"
(issuer) and "aud" (audience) as members ...'

However, that will produce a parameter name conflict with the "aud"
parameter from OAuth 2.0 Proof-of-Possession: Authorization Server to
Client Key Distribution.

Seems like draft-ietf-oauth-pop-key-distribution will need to change its
parameter name (aud in JWT is pretty well established). And shouldn't
draft-ietf-oauth-jwsreq register some of the JWT's Registered Claim Names
(at least iss and aud but maybe exp and others) as authorization request
OAuth parameters?

(Brian Campbell)


Need to settle on what is to be done before making changes.

#8: Section 3, it is unclear whether the Request Object can be a JWE only
or if a JWS is always used
<https://bitbucket.org/Nat/oauth-jwsreq/issues/8/section-3-it-is-unclear-whether-the>

(Brian Campbell)

I think we wanted always do JWS and then JWE, but I am not sure. Please
discuss.

#7: Section 8, second paragraph: Delete the security considerations
paragraph about not using "alg":"none".
<https://bitbucket.org/Nat/oauth-jwsreq/issues/7/section-8-second-paragraph-delete-the>

Section 8, second paragraph: Delete the security considerations paragraph
about not using "alg":"none". Using an Unsecured JWS is no worse than
sending the parameters the usual way.

(Mike Jones)

Propose Reject. It is no worse, but it is better to sign. Thus, it is using
"SHOULD" but not "MUST".



2016年1月19日(火) 18:55 Nat Sakimura <n-sakimura@nri.co.jp>jp>:

> Hi.
>
> Took much longer than I anticipated but I finally applied the comments I
> received during the WGLC.
>
> When broken down, there were 44 comments that needed to be dealt with.
>
> I have accepted most of them. There are a few discussion points, and a few
> rejects.
>
> I am now making the list of those, but as I am going into a meeting now, it
> will not be available before tomorrow.
>
> For a preview, you can go and see them in
> https://bitbucket.org/Nat/oauth-jwsreq/issues?status=new&status=openopen.
> There
> are two sets of comments provided by Mike and Brian as of the time of this
> writing. They have unresolved comments. I have recorded my dispositions
> there so if you are so inclined, please have a look.
>
> I will pull out those points as separate issues in the tracker so that they
> can be individually tracked.
>
> Cheers,
>
> Nat Sakimura
>
> --
> PLEASE READ :This e-mail is confidential and intended for the
> named recipient only. If you are not an intended recipient,
> please notify the sender  and delete this e-mail.
>
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of
> internet-drafts@ietf.org
> Sent: Tuesday, January 19, 2016 6:44 PM
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-07.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>  This draft is a work item of the Web Authorization Protocol Working Group
> of the IETF.
>
>         Title           : OAuth 2.0 JWT Authorization Request
>         Authors         : Nat Sakimura
>                           John Bradley
>         Filename        : draft-ietf-oauth-jwsreq-07.txt
>         Pages           : 16
>         Date            : 2016-01-19
>
> Abstract:
>    The authorization request in OAuth 2.0 [RFC6749] utilizes query
>    parameter serialization, which means that parameters are encoded in
>    the URI of the request.  This document introduces the ability to send
>    request parameters in form of a JSON Web Token (JWT) instead, which
>    allows the request to be signed and encrypted.  using JWT
>    serialization.  The request is sent by value or by reference.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-07
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>