[OAUTH-WG] Weekly github digest (OAuth Activity Summary)

Repository Activity Summary Bot <do_not_reply@mnot.net> Sun, 19 January 2025 07:39 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fq99NuPO0xd2MrWJ99SQlKdY3oQ>



Events without label "editorial"

Issues
------
* oauth-wg/oauth-browser-based-apps (+2/-6/💬11)
  2 issues created:
  - Address SEC AD review comments (by aaronpk)
    https://github.com/oauth-wg/oauth-browser-based-apps/issues/64 
  - When can the BFF ignore "SHOULD encrypt its cookie contents"? (by aaronpk)
    https://github.com/oauth-wg/oauth-browser-based-apps/issues/63 

  6 issues received 11 new comments:
  - #64 Address SEC AD review comments (2 by aaronpk)
    https://github.com/oauth-wg/oauth-browser-based-apps/issues/64 
  - #63 When can the BFF ignore "SHOULD encrypt its cookie contents"? (5 by aaronpk, philippederyck, randomstuff)
    https://github.com/oauth-wg/oauth-browser-based-apps/issues/63 
  - #62 Using Web Workers to refresh access tokens adds implementation complexity for marginal security benefit (1 by aaronpk)
    https://github.com/oauth-wg/oauth-browser-based-apps/issues/62 
  - #58 Remove reference to TMI-BFF draft (1 by aaronpk)
    https://github.com/oauth-wg/oauth-browser-based-apps/issues/58 
  - #52 Fragments, performance, and historic notes. (1 by aaronpk)
    https://github.com/oauth-wg/oauth-browser-based-apps/issues/52 
  - #48 Add BCP references to the normative section (1 by aaronpk)
    https://github.com/oauth-wg/oauth-browser-based-apps/issues/48 

  6 issues closed:
  - Address SEC AD review comments https://github.com/oauth-wg/oauth-browser-based-apps/issues/64 
  - Using Web Workers to refresh access tokens adds implementation complexity for marginal security benefit https://github.com/oauth-wg/oauth-browser-based-apps/issues/62 
  - When can the BFF ignore "SHOULD encrypt its cookie contents"? https://github.com/oauth-wg/oauth-browser-based-apps/issues/63 
  - Remove reference to TMI-BFF draft https://github.com/oauth-wg/oauth-browser-based-apps/issues/58 
  - Fragments, performance, and historic notes. https://github.com/oauth-wg/oauth-browser-based-apps/issues/52 
  - Add BCP references to the normative section https://github.com/oauth-wg/oauth-browser-based-apps/issues/48 

* oauth-wg/oauth-transaction-tokens (+0/-2/💬5)
  5 issues received 5 new comments:
  - #131 Can a sub_id change? (1 by gffletch)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/131 
  - #118 RAR object inside a TraT (1 by gffletch)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/118 [pre-last-call] 
  - #115 Audience, scope & purpose (1 by gffletch)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/115 
  - #111 Batch or long running processes and extending lifetime of a token (1 by gffletch)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/111 
  - #109 Key rotation guidance (1 by gffletch)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/109 

  2 issues closed:
  - Tx token lifetime guidance missing for replacement token https://github.com/oauth-wg/oauth-transaction-tokens/issues/110 
  - Azd claim name conflict with RAR https://github.com/oauth-wg/oauth-transaction-tokens/issues/119 

* oauth-wg/oauth-selective-disclosure-jwt (+0/-2/💬1)
  1 issue received 1 new comment:
  - #530 Missing procedures for Holder to validate disclosures received from Issuer (1 by danielfett)
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/530 [ready-for-PR] 

  2 issues closed:
  - text for privacy considerations https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/534 
  - Missing procedures for Holder to validate disclosures received from Issuer https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/530 [has-PR] 

* oauth-wg/draft-ietf-oauth-status-list (+12/-0/💬16)
  12 issues created:
  - Add a section to provide estimations about the size and the number of Token Status Lists (by Denisthemalice)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/229 
  - Resilience of the architecture when facing network problems ? (by Denisthemalice)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/228 
  - Which keys should be used to sign and verify Status List Tokens ? (by Denisthemalice)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/227 
  - The status list mechanism as currently described does not allow for interoperability (by Denisthemalice)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/225 
  - Interims Feedback: Explain motivation to split issuer / status list issuer / status list provider (by paulbastian)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/224 
  - Interims Feedback: Short-lived credentials (by c2bo)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/223 
  - Interims Feedback: Discussion around Suspended Status Type (by paulbastian)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/222 
  - Reduce the statuses to 2 and 1 bit (by Denisthemalice)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/221 
  - The term Issuer SHOULD NOT be used to refer to an entity acting "for all three roles" (by Denisthemalice)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/220 
  - Proposed replacement for 13.1, 13.2 and 13.3 placed under section 13 (Implementation Considerations) (by Denisthemalice)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/219 
  - Comments on section 12.5.2 Unlinkability (by Denisthemalice)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/218 
  - Comments on section 12.5.1 Unlinkability (by Denisthemalice)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/217 

  10 issues received 16 new comments:
  - #229 Add a section to provide estimations about the size and the number of Token Status Lists (1 by paulbastian)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/229 
  - #228 Resilience of the architecture when facing network problems ? (2 by Denisthemalice, paulbastian)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/228 
  - #227 Which keys should be used to sign and verify Status List Tokens ? (2 by Denisthemalice, c2bo)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/227 
  - #225 The status list mechanism as currently described does not allow for interoperability (3 by Denisthemalice, c2bo)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/225 
  - #222 Interims Feedback: Discussion around Suspended Status Type (1 by c2bo)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/222 
  - #221 Reduce the statuses to 2 and 1 bit (2 by c2bo, paulbastian)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/221 
  - #219 Proposed replacement for 13.1, 13.2 and 13.3 placed under section 13 (Implementation Considerations) (1 by paulbastian)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/219 
  - #217 Comments on section 12.5.1 Unlinkability (1 by paulbastian)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/217 
  - #216 Test vectors (2 by c2bo)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/216 
  - #83 IETF 118: Mention prior art (1 by c2bo)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/83 [discuss] 



Pull requests
-------------
* oauth-wg/oauth-sd-jwt-vc (+2/-0/💬5)
  2 pull requests submitted:
  - ed: improved clarity on registered claims paragraph (by awoie)
    https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/296 
  - Fix #267, explain why we are not using JSON Path or JSON Pointer (by danielfett)
    https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/295 

  1 pull request received 5 new comments:
  - #294 Make extension point for issuer key resolution more explicit (5 by awoie, bc-pi, danielfett, peacekeeper)
    https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/294 

* oauth-wg/oauth-selective-disclosure-jwt (+2/-4/💬9)
  2 pull requests submitted:
  - Try to address Rohan's comments (by danielfett)
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/541 
  - Changes to linkability and data storage sections (by danielfett)
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/540 

  3 pull requests received 9 new comments:
  - #543 Reinsert "the standard" (2 by bc-pi, wbl)
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/543 
  - #541 Try to address Rohan's comments (1 by bc-pi)
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/541 
  - #535 add Watson Ladd's suggested text with minor adaptations (6 by Denisthemalice, danielfett, wbl)
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/535 

  4 pull requests merged:
  - ISO/IEC 29100 is too private
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/475 
  - add Watson Ladd's suggested text with minor adaptations
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/535 
  - Changes to linkability and data storage sections
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/540 
  - Try to address Rohan's comments
    https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/541 

* oauth-wg/draft-ietf-oauth-status-list (+1/-1/💬0)
  1 pull request submitted:
  - update organization (by c2bo)
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/226 

  1 pull request merged:
  - update organization
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/226 


Repositories tracked by this digest:
-----------------------------------
* https://github.com/oauth-wg/oauth-browser-based-apps
* https://github.com/oauth-wg/oauth-identity-chaining
* https://github.com/oauth-wg/oauth-transaction-tokens
* https://github.com/oauth-wg/oauth-sd-jwt-vc
* https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata
* https://github.com/oauth-wg/oauth-cross-device-security
* https://github.com/oauth-wg/oauth-selective-disclosure-jwt
* https://github.com/oauth-wg/oauth-v2-1
* https://github.com/oauth-wg/draft-ietf-oauth-status-list
* https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth