Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Brian Campbell <bcampbell@pingidentity.com> Thu, 16 April 2020 20:16 UTC

I'll +1 that

On Thu, Apr 16, 2020 at 2:14 PM Aaron Parecki <aaron@parecki.com> wrote:

> My mistake! In that case, my request is editorial, to mention that in
> section 2.1 where it first talks about signing algorithms.
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
> On Thu, Apr 16, 2020 at 1:12 PM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> sec 4 does have "The resource server MUST reject any JWT in which the
>> value of "alg" is "none"."
>>
>> On Thu, Apr 16, 2020 at 1:09 PM Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> Section 2.1 says:
>>>
>>> > Although JWT access tokens can use any signing algorithm, use of
>>> > asymmetric algorithms is RECOMMENDED
>>>
>>> Can this be strengthened to disallow the `none` algorithm? Something
>>> like adding "... and MUST NOT use the "none" algorithm".
>>>
>>> Given that the JWT BCP doesn't disallow the "none" algorithm,
>>> technically someone could follow both this JWT Access Token spec and the
>>> JWT BCP spec and end up with an implementation that allows an AS to accept
>>> JWTs with the "none" algorithm.
>>>
>>> ----
>>> Aaron Parecki
>>> aaronparecki.com
>>> @aaronpk <http://twitter.com/aaronpk>
>>>
>>> On Wed, Apr 15, 2020 at 11:59 AM Rifaat Shekh-Yusef <
>>> rifaat.ietf@gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> This is a second working group last call for "JSON Web Token (JWT)
>>>> Profile for OAuth 2.0 Access Tokens".
>>>>
>>>> Here is the document:
>>>> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06
>>>>
>>>> Please send your comments to the OAuth mailing list by April 29, 2020.
>>>>
>>>> Regards,
>>>>  Rifaat & Hannes
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
>

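The section 4 requirement Brian quotes ("MUST reject any JWT in which the value of "alg" is "none""), as an added example that is not part of this thread or of the draft: a resource-server-side verifier in Python that gates on an explicit algorithm allowlist before doing any signature work, so a token carrying `alg: none` is refused whatever its payload or third segment contains. The key and tokens are constructed for the demo; section 2.1 RECOMMENDS asymmetric algorithms, and HMAC appears here only because the standard library provides it without extra dependencies.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Sec 2.1 RECOMMENDS asymmetric algorithms; HMAC is used
# here only because the standard library provides it with no extra dependency.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# The allowlist is exactly the set of algorithms this server can verify.
# "none" is never in it, so the sec 4 MUST-reject falls out automatically.
VERIFIERS = {
    "HS256": lambda key, data, sig: hmac.compare_digest(
        hmac.new(key, data, hashlib.sha256).digest(), sig),
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, claims: dict, key=None) -> str:
    # Demo issuer: key=None yields the empty third segment an unsigned token has.
    seg = [b64url_encode(json.dumps(h).encode()) for h in (header, claims)]
    sig = b"" if key is None else hmac.new(
        key, ".".join(seg).encode(), hashlib.sha256).digest()
    return ".".join(seg + [b64url_encode(sig)])

def verify_access_token(token: str, key: bytes, verifiers=VERIFIERS) -> dict:
    # Resource-server check: gate on the allowlist before any signature work.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    alg = json.loads(b64url_decode(parts[0])).get("alg")
    # Exact match: "none", "None", "NONE" or any alg lacking a verifier is rejected.
    if not isinstance(alg, str) or alg not in verifiers:
        raise ValueError(f"unacceptable alg: {alg!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if not verifiers[alg](key, signing_input, b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(parts[1]))

def is_accepted(token: str, key: bytes = DEMO_KEY) -> bool:
    # True only if the token passes both the alg gate and the signature check.
    try:
        verify_access_token(token, key)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```

Because the allowlist is the dictionary of verifiers the server actually owns, adding an asymmetric algorithm later means adding a verifier entry, never trusting the token's own `alg` header.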