IETF Logo Mail Archive

[OAUTH-WG] Re: Mahesh Jethanandani's Discuss on draft-ietf-oauth-rfc7523bis-10: (with DISCUSS and COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Tue, 28 April 2026 21:51 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 86471E52673F for <oauth@mail2.ietf.org>; Tue, 28 Apr 2026 14:51:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777413115; bh=/+IdIq/V1eIEKwIU8LETcoWZL4R3plH1qXIWHVna9WE=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=s/aP1PFQ26/XJcr7yEkue/89KjS+QOBHPDW4KRpv9QH7wAgpA9pyM17S1xZt3kUlM i0JXXyCCyvUzD5cRGhrnT4FYRZ9th4a9egfAeGq1MiDfTturYmdE4hAymOjRC+JQJe L8YYu/lDRKV70VBKCkHhp7h0ej3IUnDpVJQKdCbU=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LUYOZYp3S2s1 for <oauth@mail2.ietf.org>; Tue, 28 Apr 2026 14:51:54 -0700 (PDT)
Received: from mail-vk1-xa2e.google.com (mail-vk1-xa2e.google.com [IPv6:2607:f8b0:4864:20::a2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id AF2D6E526646 for <oauth@ietf.org>; Tue, 28 Apr 2026 14:50:58 -0700 (PDT)
Received: by mail-vk1-xa2e.google.com with SMTP id 71dfb90a1353d-56d958880ecso4021676e0c.2 for <oauth@ietf.org>; Tue, 28 Apr 2026 14:50:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1777413058; cv=none; d=google.com; s=arc-20240605; b=Bh5fg+MMkGclsUBoXm0He3BwhM/sKvUi5GjcEjuiaocv30Ysow31r6vL6ClSc97X0M QxUIoLC39Nh5LEIagZJSkbx/N19FSH3YAmGbWOvP+lmzEjGYcfw0nCxNGKogQui2jWP8 5Ca9ogo3wcHGWnXpM3GIss6+JF/D5NEa3mBL5zHz/gBSdHJGRwKp9N8OuJfuIaO8sdCZ LQUgbFud0IzQS/1dBwaA2wwHtJxum1PBOTp3WEaucvNy9Kjw8CXE8pTFFmKwVLpO6JzH xGkueBlPRadZDyHpY2SETQr2FJ45EsexFNHrPqLX0qcTvRFUWf6WzP42BRH5GK3SjaUp 45vA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=tEAfYC8m0OuF4pEpH00562GYvBYi1wlrGQ3zt42W9cY=; fh=5jSE9O6aDk/FzRy8CSrXZifELAeXe2WAp6hIrrHZXi8=; b=XJoJk/EqSI7HxSEB8xgFg1sASK4etkloOevIb7LnP3S6/8fnf6d8AEduosRpr48kfg XMrDKPO/lQDjT50s/YfiQEnUHx5laCudQLbrKytU13gFpUz3qHVkq8pl9GVDruIbG/SA GKHcoHALiRJVqEAwAXO4uOdbrGh1bjn50PWjB5b1o212w/KBAoxexcmAsJ6yWuZSrgeZ qwmjp/FlN5ygA4hQBD7bkNv4KhAGSSDZsta79SSyKahj1AtPekFS4Pa7HoXU3L1ina7B kznEUHV/S+cb22YeUUK8bso4NtHqw2kPiDWo7CGRZ+6lfdAlSQlCMlTI85gxdlQHry1n IqYg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1777413058; x=1778017858; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tEAfYC8m0OuF4pEpH00562GYvBYi1wlrGQ3zt42W9cY=; b=MZdDOSJKEXb7R+w8BJy1hnDxyca/VrPVTOhW7K0q7vBtYaiC7GrcpoPdFPKhmU2orS qZRXh6ByLwOwXr6GMDL1K4DYk1qaMmo1a44LKS6LqYYWi+454i93XwAR2nbLksIwtdj2 1Uh6c5QSFEogM1zx3LERP5jx+J7b3Kr/2T/5Plgt7i84KVGfturup/vBgjM/sOoXvjz5 7HsVeWwo2ALAxMKsPTvkhaW2Ct7hm4BM9jgoNIx1uIMeezhPQ3cu2QaIXIJbIUG020oF 0w3vhUKgBwiOvZE/vJ0u0yAsl20ksodQFJMGO7RQLjbgvWyxCM+5ZudxTrMC6XnBvUw6 pY9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777413058; x=1778017858; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=tEAfYC8m0OuF4pEpH00562GYvBYi1wlrGQ3zt42W9cY=; b=NcojuD75bUql/CdCXLSH/rk/bK2ljNuQGYyQ/fcIorKJNzasS1sHWGMh/sEPI/N7Sb uKUSaPxUB5/qApyA2M6zjhs2IiIPbMeZn36UQojx2X5vNXL41+YSB4kEFd0Hx52nU62N J6MFDJvRgOnBI+910Rsz4vV7Nje8lWlvsf88trkUuDAMEVowdgDx/cp344l15yUIHG+o r31M2zusDux6EsArJ8sH8qO6Imfvl7YEUFapw+NIAIeffSwLSkkEbccdTBxW8O31QIWD fyYNOSkB/KszcdF3X8bjjuDqJxDZGsJCxjahTDSMSoXvJArsFysX5/mVs/Gr3RhtgNdq t2mg==
X-Forwarded-Encrypted: i=1; AFNElJ9zRFVbvH9gomyoZ7bHOXtZC7y8yw6uLwsWH/Ahq0qqUaNbXmdcmfFUwSB1EJ2JTqER6puQQQ==@ietf.org
X-Gm-Message-State: AOJu0YwumL30lvi+FHOf6IImAMZxWz4yJOZ4ex6fdAYesuUHte1sCeQu JDWj0CSD/Xy7F0r8jP8kYvaYTsLw7HqiFadRY5IO96jz1MQ9jTWP8vtBIrZqNdvVxZcEb4pj9+W xNwJALJIdIZUwpGbQ062q9MX74TQMGQnDkYlKrDvjHVSUyICqryOVjYKPhqTIov6HUS/6IB68NV eWYshPYgLB89Om0g==
X-Gm-Gg: AeBDieuLwsPltPY8hfq+mSGkSwZmYQWIzXXNikIcJmd9hGBGCxntjc670ZoHxUFWVpj Molb/yzD7X6PIkbevwyyqY4/HX378lmCfv00i6OE8uAN9PSV7GfQvhNs7oZOBLxQNPB98SRDmSa YfDWzxS82fsUIIEFFyc+Ur34JEgr7OCPizJjtFukC8exc30BQf8xXurG4EKFNs5EE9vGrqB41gI EXY9RXNLKgAh9dFhEjdgZR4reH03tTTF51uR243QQdtexojjlhJtISEtE26jiFv3A9Pq3fdccXA uca5LPjz8K5wgfeNMSK5RpTKA8fvN4X1rUK9agMJrXlBY5kgkeTVteXMhBZ9Y/eRbqPXKRdpWL7 SSBQ=
X-Received: by 2002:a05:6102:3f55:b0:611:82b:a59c with SMTP id ada2fe7eead31-6280adc116amr2511937137.21.1777413058065; Tue, 28 Apr 2026 14:50:58 -0700 (PDT)
MIME-Version: 1.0
References: <177739907009.127357.17706468945106734522@dt-datatracker-b45949c58-t72jx> <CA+k3eCTfQ3dY6+_vC7CC-VpKQfr+7FktuL69HvMGaW0nDF=jDg@mail.gmail.com> <7875D72D-7AC7-44B6-A86F-93D0F8B9E356@gmail.com>
In-Reply-To: <7875D72D-7AC7-44B6-A86F-93D0F8B9E356@gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 28 Apr 2026 15:50:31 -0600
X-Gm-Features: AVHnY4LBmmEjK4ci48T_J_z4paIoxEm_f901LbPj91Ps4G-XFb13o8ef3Iu5ehY
Message-ID: <CA+k3eCS-hEqrnuDLGLMFjzv-sFBU17xcaEvdaPAx+w0nTU=Lcg@mail.gmail.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000f20de106508c395d"
Message-ID-Hash: LOFHEY4V355EXMRJQH7BLVVY4VPPYZBJ
X-Message-ID-Hash: LOFHEY4V355EXMRJQH7BLVVY4VPPYZBJ
X-MailFrom: bcampbell@pingidentity.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, draft-ietf-oauth-rfc7523bis@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Mahesh Jethanandani's Discuss on draft-ietf-oauth-rfc7523bis-10: (with DISCUSS and COMMENT)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SmzxxtfbCrNRA8FF7cRESu5Yhc4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Thank you Mahesh, the -11 update was just posted.

On Tue, Apr 28, 2026 at 2:43 PM Mahesh Jethanandani <mjethanandani@gmail.com>
wrote:

> Hi Brian,
>
> Thanks for addressing my DISCUSS. I am good with the change and will clear
> the DISCUSS when the update is posted.
>
> Just one follow-up comment.
>
> On Apr 28, 2026, at 1:31 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> Thanks Mahesh for the sharp review.
>
> The contradiction you point out in the DISCUSS is a result of a mistake
> on my part when making recent changes to some but not all of that text.
> Your guess and suggestion for the resolution are spot on. That change is in
> flight with change d03c7a2
> <https://github.com/oauth-wg/draft-ietf-oauth-rfc7523bis/pull/35/changes/d03c7a297d2fb45b61110d2213bd0a8cc9b84d0f>
> as part of this PR -11 for IESG evaluation feedback
> <https://github.com/oauth-wg/draft-ietf-oauth-rfc7523bis/pull/35>.
>
> Regarding the COMMENT, the actual risk with the authorization grant
> differs significantly in its manifestation, which is much less likely, and
> its mitigation, which the client covers by ensuring the audience of an
> assertion authorization grant (SAML or JWT) makes sense with respect to
> where it’s being sent. Minimizing breaking changes was just one part of the
> rational.  I've changed the wording in the Security Considerations a little
> bit with 3e9b69e
> <https://github.com/oauth-wg/draft-ietf-oauth-rfc7523bis/pull/35/changes/3e9b69ed26dfc5500651fea3da865b0cc3722ebf> as
> part of that same PR to try and avoid misstatements there.
>
>
> I still feel that the Security Consideration could go a little further to
> make apparent the residual risk. But it is a non-blocking comment, and I
> will let you and the authors decide whether you chose to make that change.
>
> Cheers.
>
>
> On Tue, Apr 28, 2026 at 11:58 AM Mahesh Jethanandani via Datatracker <
> noreply@ietf.org> wrote:
>
>> Mahesh Jethanandani has entered the following ballot position for
>> draft-ietf-oauth-rfc7523bis-10: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to
>> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
>> for more information about how to handle DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> I have but one DISCUSS and one COMMENT that I would like some discussion
>> around, and something that seems easy to fix.
>>
>> Section 4, paragraph 8
>> >       Client authentication JWTs SHOULD be explicitly typed by using the
>> >       typ header parameter value client-authentication+jwt or another
>> >       more specific explicit type value defined by a specification
>> >       profiling this specification.
>> >
>> >       The introduction of strong typing for JWTs (using explicit typ
>> >       values) serves as a signal to distinguish between tokens produced
>> >       in accordance with specifications published prior to these updates
>> >       and those incorporating them.  However, the primary security
>> >       protection comes from the tightened audience requirements.  The
>> >       use of explicit typing is REQUIRED for clients, enabling them to
>> >       signal their intention of sending a JWT conforming to the
>> >       requirements herein.  However, since strong typing alone does not
>> >       prevent the attacks described in [private_key_jwt.Disclosure] and
>> >       [Audience.Injection], it is NOT RECOMMENDED for servers to reject
>> >       JWTs that do not have explicit types.  Such rejection would cause
>> >       interoperability issues with clients that already conform to the
>> >       tightened audience requirements but have not yet adopted explicit
>> >       typing.  This approach balances security signaling with practical
>> >       deployment considerations, avoiding disruption to client
>> >       deployments that already conform to the tightened audience
>> >       requirements but have not yet adopted explicit typing.
>>
>> In this section, which updates Section 3.2 of RFC 7523, the following
>> two statements appear:
>>
>> - "Client authentication JWTs SHOULD be explicitly typed by using the typ
>>  header parameter value client-authentication+jwt..."
>>
>> - "The use of explicit typing is REQUIRED for clients, enabling them
>> to signal their intention of sending a JWT conforming to the requirements
>> herein."
>>
>> Per BCP 14 (RFC 2119/RFC 8174), SHOULD and REQUIRED (which is a synonym
>> for MUST) carry different normative weights. SHOULD means implementation
>> is recommended, but deviations are permissible for valid reasons;
>> REQUIRED/MUST means the implementation has no discretion. A client reading
>> this paragraph cannot determine whether it must include explicit typing or
>> merely should.
>>
>> The same contradiction appears identically in Section 5 (updating RFC
>> 9126).
>>
>> The resolution is straightforward: if the intent is SHOULD (recommended
>> but
>> not mandatory), remove the word "REQUIRED" from the explanatory prose and
>> replace it with language like "The use of explicit typing enables clients
>> to
>> signal their compliance with the requirements herein." If the intent is
>> MUST,
>> change SHOULD to MUST throughout.
>>
>> Given the -03 history of deliberately relaxing this requirement, the
>> former
>> seems correct, but the authors must confirm and fix the text explicitly.
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Section 7, paragraph 1
>> >    This specification tightens token audience requirements to prevent
>> >    attacks that could result from exploiting audience ambiguities
>> >    previously allowed by [RFC7521], [RFC7522], [RFC7523], and [RFC9126].
>> >    These attacks are described in [private_key_jwt.Disclosure] and
>> >    [Audience.Injection].
>>
>> Section 4a of this document updates the authorization grant audience
>> requirement to:
>>
>> "An authorization server MAY be identified by either its issuer
>> identifier or its token endpoint URL."
>>
>> The document history notes that this flexibility was retained to minimize
>> breaking changes. By allowing the token endpoint URL as a valid audience
>> for
>> authorization grants, a subset of the attack surface described in the
>> referenced paper remains.
>>
>> The document does not acknowledge this residual risk. This section
>> says that "This specification tightens token audience requirements
>> to prevent attacks" — a statement that is not fully accurate for
>> the authorization grant case. The Security Considerations should
>> state explicitly that: (a) the tighter restriction applies only
>> to client authentication JWTs; (b) authorization grant audience
>> requirements were relaxed relative to what full security would
>> require, for deployment compatibility reasons, and (c) implementers
>> seeking maximum security for authorization grants SHOULD prefer
>> the issuer identifier over the token endpoint URL.
>>
>> The ARTART reviewer (Jim Fenton, thanks, Jim) touched on this
>> concern about strong typing, but the underlying grant case
>> residual risk deserves direct acknowledgment.
>>
>> No reference entries found for these items, which were mentioned in the
>> text:
>> [draft-jones-oauth-rfc7523bis-00].
>>
>>
>>
>>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
>
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>
>
>
>
>
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.46.0 | Report a Bug | By Email | System Status