IETF Logo Mail Archive

Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

Mike Jones <Michael.Jones@microsoft.com> Mon, 17 July 2017 09:55 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAE171276AF for <oauth@ietfa.amsl.com>; Mon, 17 Jul 2017 02:55:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.01
X-Spam-Level:
X-Spam-Status: No, score=-3.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DSLmUfT28Tpn for <oauth@ietfa.amsl.com>; Mon, 17 Jul 2017 02:55:20 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0096.outbound.protection.outlook.com [104.47.34.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E67B129B5B for <oauth@ietf.org>; Mon, 17 Jul 2017 02:55:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=wGLqD/LEJJKFezYEUrS8uweoqEQkVQT3/+yqGqLfnbk=; b=Fco98XXC2pztKrCyfa4GXuC4Vhe7sctMIfUKbPhLyh6fOSHpnQOkGE9NsZCL5qQRSGsIiN8dMkCe45tF1TSz7ytmB0Cwuticepx+gtIW1TcnrQbNDu24ZUAMMyIMsRfRbgPXlQFpeJPfZ9k7giBLj1WsjORiE2b22Iu5WSHy+nM=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0278.namprd21.prod.outlook.com (10.173.193.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1282.2; Mon, 17 Jul 2017 09:55:19 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1282.008; Mon, 17 Jul 2017 09:55:19 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing
Thread-Index: AdL0+iJmgqpM9UqbSgCDmYr6GQRcNAABbcaAAnio3wAAAA31QA==
Date: Mon, 17 Jul 2017 09:55:18 +0000
Message-ID: <CY4PR21MB05045E56B6AB61AE66AA3D6EF5A00@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <CY4PR21MB0504A6F0739B0F3EFA46AE54F5D70@CY4PR21MB0504.namprd21.prod.outlook.com> <4524B6AF-E350-4D58-8ACC-1554D2506191@oracle.com> <CA+k3eCSeUqE8Tnr_OA__BrRLEUXjPDpjV0qF69t5dVL_RBXnVw@mail.gmail.com>
In-Reply-To: <CA+k3eCSeUqE8Tnr_OA__BrRLEUXjPDpjV0qF69t5dVL_RBXnVw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: pingidentity.com; dkim=none (message not signed) header.d=none;pingidentity.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [31.133.131.162]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0278; 7:ZMtpRYcL4NLWhY+QsMdagOZ4VFKHttfgYBZq/ga/HjSROc9amoqEDYMQRjkMeVMUmEtP3Yryw5Fe6tr5zjw25Sbb2t2Ve+RzKc4yGZTglbrfyL1KZiXqx+j0S5v7+v7oi8FRMTbTiwIAO12H/i3fHY3Kfv2CYvD2ixVq9Rma15mqG18Zf5w1DrkDJzYPqkNv4gouSBQu8hjBU4ZGaep6hp3TQCTkAWrMtRT/fObFDkyX1kULxS1if0GrBKORsBhyKA4PSNZxJlMS23ZSpDMHlkt748OyYLszAPr2DzDJ73varbZ6dJ3jpFRkl4o+iHKxyZl7ZoJn7IDnMd2TUv/UezJ6YbCl8Ji21r+W7YTGiY02+79sFYCmpVX7eBkKiJBrSjdTbSc94IhNeY5QH+mkqs5WzUTj8cPrsx9ArngqAQ7jFf5jYmmatEI9WGFLqkcilIuofk7Rb6K3Bri3JkoALcONigJPAjKCo/2jc6Yz5g0Awmun6+WL5NCZIy2187WBHU+BQb/Iz6QFhOJGcf6O393MaXiRzbtPYt3vXyQqReFVMpgdfXp1KQ3pRqiz7FIJKYsHIf23mudhu6FbTZeGRXPd/ZXRHAK9i6lNirUkQ5GtQDPiFw3i+pFXC0+WVhOpqVXobm5UGHN2dl0Bbgs3lhn0zHRlxb6szrERHHiZt7fHix4bJ8Q1JuaXC2gkXDFeB+i3mY0ulGv8G3iKiDXH3NULLS0n4T7by36TtqArPbcXvnM5CNHDdNJvqudspMJhod2305IXEWamKqij5kMU8YkZ5FWfQetau/dxzmmURPdetI1IxmFMrh/gR3II+o5v
x-ms-office365-filtering-correlation-id: becdd67b-63dd-4791-3809-08d4ccf9eedf
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(48565401081)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CY4PR21MB0278;
x-ms-traffictypediagnostic: CY4PR21MB0278:
x-exchange-antispam-report-test: UriScan:(151999592597050)(26388249023172)(236129657087228)(192374486261705)(31418570063057)(48057245064654)(148574349560750)(21748063052155)(146099531331640)(209349559609743);
x-microsoft-antispam-prvs: <CY4PR21MB0278231E2E0D7B992EFC5C52F5A00@CY4PR21MB0278.namprd21.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(61425038)(6040450)(601004)(2401047)(8121501046)(5005006)(2017060910075)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123560025)(20161123555025)(20161123558100)(20161123562025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR21MB0278; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR21MB0278;
x-forefront-prvs: 0371762FE7
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39840400002)(39850400002)(39860400002)(39450400003)(39400400002)(39410400002)(209900001)(36304003)(24454002)(377454003)(2950100002)(72206003)(10090500001)(5005710100001)(66066001)(2900100001)(478600001)(3280700002)(86362001)(5890100001)(6116002)(3660700001)(14454004)(606006)(966005)(7696004)(3846002)(6506006)(19609705001)(102836003)(790700001)(54356999)(33656002)(81166006)(8676002)(2906002)(7736002)(77096006)(76176999)(189998001)(50986999)(53546010)(4326008)(25786009)(5660300001)(38730400002)(53376002)(10290500003)(229853002)(74316002)(53936002)(6246003)(8936002)(55016002)(54896002)(6436002)(99286003)(6306002)(236005)(9686003)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0278; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05045E56B6AB61AE66AA3D6EF5A00CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jul 2017 09:55:19.0370 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0278
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RfXA5_Xg9_BzV_A0uZvfPX8ZM0E>
Subject: Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 09:55:23 -0000

Good point.  I’d had that thought as well at one point but failed to express it in the draft.  Will do.

                                                       -- Mike

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Monday, July 17, 2017 11:53 AM
To: Phil Hunt (IDM) <phil.hunt@oracle.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

Could some more guidance be provided around how to use the explicit typing with nested JWTs?
I'd imagine that the "typ" header should be in the header of the JWT that is integrity protected by the issuer?

On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:
+1

Thanks Mike.

Phil

On Jul 4, 2017, at 12:43 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
The JWT BCP draft has been updated to describe the use of explicit typing of JWTs as one of the ways to prevent confusion among different kinds of JWTs.  This is accomplished by including an explicit type for the JWT in the “typ” header parameter.  For instance, the Security Event Token (SET) specification<http://self-issued.info/?p=1709> now uses the “application/secevent+jwt” content type to explicitly type SETs.

The specification is available at:

  *   https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01

An HTML-formatted version is also available at:

  *   http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html

                                                       -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1714 and as @selfissued<https://twitter.com/selfissued>.
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email