[OAUTH-WG] JOSE/JWT Security Update Presentation

Mike Jones <Michael.Jones@microsoft.com> Wed, 29 March 2017 20:08 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: oauth <oauth@ietf.org>
CC: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Wed, 29 Mar 2017 20:08:38 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Tdd28m-MNgSDmiIZ3HQd3zMm9jw>

Yaron Sheffer had asked me to give an update on JOSE/JWT security to the SecEvent working group.  As promised during our working group meeting Monday, that presentation is attached.  At the microphone, Kathleen suggested that we may want to collect information about best practices for implementers and deployers and write a BCP containing them.  She said that JWT is being used in many places in the IETF at this point.

                                                       -- Mike