Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

Brian Campbell <> Thu, 13 August 2020 21:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BE8FC3A05A7 for <>; Thu, 13 Aug 2020 14:01:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QozjS7_nhw6U for <>; Thu, 13 Aug 2020 14:01:01 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 32FEC3A0593 for <>; Thu, 13 Aug 2020 14:01:01 -0700 (PDT)
Received: by with SMTP id f26so7692944ljc.8 for <>; Thu, 13 Aug 2020 14:01:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DkDCNfr6dEiFmeBiQsqGfwFDU4Fm7kXTx4fnIhh9Fjs=; b=aCDgVvBS6zI/0aIFzhpKRcHHOvyAx8U93Ddnhv0kmYnCF7LOIdwvgLV3Mt6F2dWKki OA1ysJn32TsEz4JXIGRZgtrAju4kbxYSOgwi+mb8Ml1gGaPtQANgjjRr1d/FHpYvTv// Y8kufCtZWX15af1JaXroyM1L+hv79waJXog1J2QgmtCvMo52gnthkzIQ3dvT3K3JeeCV NNV+MCvIU/3Lm6JV+YjAbIiUUwO/2ML24aS74TgUSOqHaal0i7zuIASPEcTfgX8uEZY9 cY5090wDiSKM+o4emb8DdhGb84P86UTjbxEvS33gNytk9Qd/pvoc4LmWJFv6Wdt1jYVX x35w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DkDCNfr6dEiFmeBiQsqGfwFDU4Fm7kXTx4fnIhh9Fjs=; b=YHV6VtYsGFPK3biFr2MN8pLUJtTAknVDJHj9ZMmYhwLAJnV41VPbYlIh/t08gMYabi PgI8ryqk/pm4P+UA7dQaPNpscx4c98fhOEFQ9CEZiXR6OZnsyKV7JEwPa9NqWsKllRuf wT5S8mUMl3HYmylgeM9Y07ZQ36uoAWkH5e5f7Zc+RKsz3JGdzwxLrbt67CV7sBgD5prh RxZeYcBDKUErMImjFetgNBnOBpBSKEzDnOZi/UMLQqKiZl+wH30XLnXlzkwgPys9uykb aAYX50818sg7B2PL1fl3xiR4XZb9S2yTkYOLJMM7bh8d9P3i0DG1b/4S3RADM9J0ZghE GE8g==
X-Gm-Message-State: AOAM532JZugZnsaIFlzlIl5Uo8KBKTOrTiRiK6vAWVtuOh1fQofHP4dw vb3kEcL484QtGWhMSFwqpagBu5WuMwquq8MNYN/HcNfS937bZY+Bny7Rzft89bpJG7WecWPvkDl P7lB6wShVGg+meQ==
X-Google-Smtp-Source: ABdhPJxaVJwJSxJl1j54AU7Yd9cDacKjbeD5+fP/Zwlmc82INX+6V0tICXFWMcImNo/MAH9jQFdX9S3A3If+z7/DzSU=
X-Received: by 2002:a2e:83d5:: with SMTP id s21mr2379722ljh.280.1597352459333; Thu, 13 Aug 2020 14:00:59 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Thu, 13 Aug 2020 15:00:33 -0600
Message-ID: <>
To: Benjamin Kaduk <>
Cc: The IESG <>, oauth <>,,
Content-Type: multipart/alternative; boundary="000000000000eb940f05acc899db"
Archived-At: <>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Aug 2020 21:01:06 -0000

While some discussion of why explicit typing was not used might be useful
to have, that thread started with a request for security considerations
prohibiting use of the "sub" with a client ID value. Because such a request
JWT could be repurposed for JWT client authentication. And explicit typing
wouldn't help in that situation.

On Tue, Aug 11, 2020 at 2:50 PM Benjamin Kaduk via Datatracker <> wrote:

> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> [updated to note that, per
> and the JWT BCP (RFC 8725), some discussion of why explicit typing is not
> used would be in order]

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._