Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09
Brian Campbell <bcampbell@pingidentity.com> Sat, 19 July 2014 14:09 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sat, 19 Jul 2014 08:08:38 -0600
Message-ID: <CA+k3eCS+PHtid=HpXMSZdN8FEFbGv1d4Us4noATSfrRKTJD7Aw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/d2jSUYZFlLQKmuCQcoyi1rJWcVw
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-jwt-bearer-09
I agree that mentioning the RS in this context is only likely to cause confusion. This draft is only about sending a JWT to the token endpoint at an AS as an authorization grant or as client authentication.

On Sat, Jul 19, 2014 at 6:37 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> While a JWT might generically have many different audiences like resource servers, this profile is about sending it to the token endpoint at an AS for authentication or authorization.
>
> I think adding something about the RS will confuse people.
>
> I think Brian's text is fine.
>
> John B.
>
> On Jul 18, 2014, at 11:45 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> Should that be encrypted for the intended audience (aud) of the JWT which may be the AS and/or the resource server?
>
> Phil
>
> On Jul 18, 2014, at 21:52, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> Sorry for the slow response on this Kathleen, my day job has been keeping me busy recently. And, honestly, I was kind of hopeful someone would volunteer some text in the meantime. But that didn't happen so how about the following?
>
> A JWT may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it’s desirable to prevent disclosure of certain information to the client, the JWT may be encrypted to the authorization server.
>
> Deployments should determine the minimum amount of information necessary to complete the exchange and include only such claims in the JWT. In some cases the "sub" (subject) claim can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>
> On Thu, Jul 3, 2014 at 3:26 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>
>> Hello,
>>
>> I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good. The only question/comment I have is that I don't see any mention of privacy considerations in the referenced security sections. Could you add something? It is easily addressed by section 10.8 of RFC6749, but there is no mention of privacy considerations. I'm sure folks could generate great stories about who accessing what causing privacy considerations to be important.
>>
>> Thanks & have a nice weekend!
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
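To make the two points of the thread concrete (the assertion's audience is the AS token endpoint, not a resource server, and the JWT carries only the claims the exchange needs, with a pseudonymous "sub"), here is an added illustration written for this page, not code from the thread, the drafts, or any of the participants. It assumes an HS256-MACed JWT with a shared secret, a constructed issuer salt for deriving the pairwise pseudonymous subject, and constructed endpoint URLs; the derivation of "sub" is an assumed technique, since the drafts only say the value may be pseudonymous.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_sub(user_id: str, audience: str, salt: bytes) -> str:
    """Pseudonymous 'sub': HMAC of (audience, local user id) under an issuer-held
    salt, so the AS never learns the local identifier (assumed derivation)."""
    mac = hmac.new(salt, f"{audience}\n{user_id}".encode(), hashlib.sha256)
    return b64url(mac.digest())


def minimal_claims(issuer, user_id, token_endpoint, salt, now, jti, lifetime=300):
    """Only what the bearer exchange needs: no name, email or other PII claims."""
    return {"iss": issuer, "sub": pairwise_sub(user_id, token_endpoint, salt),
            "aud": token_endpoint, "iat": now, "exp": now + lifetime, "jti": jti}


def sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_bearer_assertion(token: str, key: bytes, token_endpoint: str, now: int) -> dict:
    """AS-side checks: fixed alg, valid MAC, aud is *this* token endpoint, not expired."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if token_endpoint not in auds:  # a JWT audienced to an RS is not for us
        raise ValueError(f"aud {aud!r} is not this token endpoint")
    if now >= claims["exp"]:
        raise ValueError("expired")
    for required in ("iss", "sub", "jti"):
        if required not in claims:
            raise ValueError(f"missing {required}")
    return claims
```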