Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Benjamin Kaduk <kaduk@mit.edu> Tue, 31 March 2020 22:13 UTC

Date: Tue, 31 Mar 2020 15:13:19 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>
Cc: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, 'oauth' <oauth@ietf.org>
Message-ID: <20200331221319.GR50174@kduck.mit.edu>
References: <01ec01d6017c$162eb2e0$428c18a0$@aueb.gr> <CAHdPCmMzRn8iYG025Vq0sQNzgZTOkQJuMJwttDgjMDLESpjptw@mail.gmail.com> <CAO_FVe5UXY4Jxd3LdG6zyXJ8B8nFKYevcHQTVJEAFSdW0ku9tg@mail.gmail.com> <52f18114-4f8e-da86-5735-4c4e8f8d2db5@aol.com> <BL0PR08MB5394CA3CB524E95EA87CD6B6AEF10@BL0PR08MB5394.namprd08.prod.outlook.com> <74da4cc3-359c-c08a-0ae5-54c8ca309f32@aol.com> <D080BE8B-BD0D-4F63-9F33-BA23C2FB42DD@amazon.com> <DM6PR08MB5402639817677AD59898CD65AECE0@DM6PR08MB5402.namprd08.prod.outlook.com> <0F95AA25-C39B-4935-99D6-F7626F670097@amazon.com> <MWHPR19MB1501B135568630478941909AAEC80@MWHPR19MB1501.namprd19.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <MWHPR19MB1501B135568630478941909AAEC80@MWHPR19MB1501.namprd19.prod.outlook.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/g2uzENG2JdpD0AFi9geIfOzu7lU>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
Precedence: list

On Tue, Mar 31, 2020 at 09:33:35PM +0000, Vittorio Bertocci wrote:
> 
> > I’ve already replied to the other thread, but I’ll note that “different strengths, different lifecycles” don’t matter much if the RS will accept both types of tokens, signed with either key.
> point taken. I applied the changes discussed on the  other thread.
> 
> >As noted, I’d support making them REQUIRED. Failing that, RECOMMENDED.
> Promoted to RECOMMENDED

I'd also prefer REQUIRED, and thanks for already moving to RECOMMENDED
(which I was going to suggest as an alternative).

-Ben

[OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile … Hannes Tschofenig
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Nikos Fotiou
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Takahiko Kawasaki
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Filip Skokan
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Nikos Fotiou
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… vittorio.bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… vittorio.bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… vittorio.bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… vittorio.bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Vittorio Bertocci
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Benjamin Kaduk
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Denis
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Denis
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Benjamin Kaduk
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Denis
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle