Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BF36C14CE3B for ; Thu, 10 Oct 2024 07:15:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.104 X-Spam-Level: X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZBjCTexp80eW for ; Thu, 10 Oct 2024 07:15:23 -0700 (PDT) Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65117C15198C for ; Thu, 10 Oct 2024 07:15:23 -0700 (PDT) Received: by mail-ot1-x32b.google.com with SMTP id 46e09a7af769-716a5c58506so232267a34.2 for ; Thu, 10 Oct 2024 07:15:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; t=1728569722; x=1729174522; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=j+SzRuTn/HgNrhOSMCVjZU37O90PuHPVPBORxNsylnY=; b=chBn8ffgaXb2V2CBuWG0HX5gqGmzrRNzrYrMRy32bwei6AmlTokt4snWHXhkCCrqBH g0D1E45x7BhCTN+l3jro0rHpi4Zf2UGnUt4Z111lSGPh2dGkOxCEkX0kB2DGEQQISH2+ 3TSC+8GAkI/psW9Gnmnb1vEPj+m0KoHNW7IIKrzgBFw7we7YdIiuIY/umOVuP1pWbjL4 8fhNl6OKiwipFdqtaIlOSTA4fDoWF0GdoZQlxg39U8bRxIkVKP3pnoBhIAW0tLpTLiQe oJrI9enHRIGJu57txu1/utVpk/5wHtsz0QI06Pf1v4kIB3iCog+0UWLuyyGatR9VJLvZ LWcw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728569722; x=1729174522; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=j+SzRuTn/HgNrhOSMCVjZU37O90PuHPVPBORxNsylnY=; b=BC6Mmf7Cqul90sXUuT421cQudwh5YZEiuV+jdtlTxLYA0tBRcUTFFuLMokPm3caRP4 +V+7Rwk2C01dpM9giDEBOm1hLts3sUzeTyH4ftRyLa11jdo3fG9Q5Oz1+pMaGQYW5On2 pqlBNhdbEKaKSyp85giHLcRt1bpZxx6tSQmkqxNSQK0X7D4yev5cMK+XxtLCQU2y31ZC tzVaxGZHCvIUroMjI2S32nVSBJ3Tq1QF/CuxveJS1looqu/dsh7Jv20dXPS4e/uUNHmK i5Ppw8jiq/uymlnW6VsUt22EbQMnzo+U+4p98sNJisU2rta8oyxW775TbxKu7laMvS/F 2MNw== X-Forwarded-Encrypted: i=1; AJvYcCWdMgCHcgGHQZW/tjSQUZlC8++J3CWSTQ8/AVn9wZIM5BLeFqJiIhyZjZq+g7Czqx+WZn8YGQ==@ietf.org X-Gm-Message-State: AOJu0YyrN55ZRkmkBUliwrzZB++0Ol99DoFPcQpuOLPIW61goyJBUwXR 3FE41JMRqmAYAQzsL7nzZp8SH4ReSWBZhWpjWmoz+HFAyrYo3Blo3YHaBgSpcsC4/loYY0IT4Nc = X-Google-Smtp-Source: AGHT+IHQAF2u2E3JSxWuDiQSKGo8Uc3vaR8V0MzNxZRKZN1A3AzDyUjXor1mNTYRG/uOEvW/kWcCOw== X-Received: by 2002:a05:6830:3c0a:b0:709:42dc:a017 with SMTP id 46e09a7af769-716a41bd5d4mr6367430a34.12.1728569722234; Thu, 10 Oct 2024 07:15:22 -0700 (PDT) Received: from mail-oo1-f44.google.com (mail-oo1-f44.google.com. [209.85.161.44]) by smtp.gmail.com with ESMTPSA id 46e09a7af769-717d00064f0sm191162a34.53.2024.10.10.07.15.19 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 10 Oct 2024 07:15:20 -0700 (PDT) Received: by mail-oo1-f44.google.com with SMTP id 006d021491bc7-5e7ff0d4681so351514eaf.1 for ; Thu, 10 Oct 2024 07:15:19 -0700 (PDT) X-Forwarded-Encrypted: i=1; AJvYcCVYgT6CUzduOA0Qq5cBBYQMvW1Tt/SyOZmnqm0JkBx2LnM28Rhwnd7kJAz273bI3VgTxtqCfw==@ietf.org X-Received: by 2002:a05:6358:93a6:b0:1b5:fd3f:149e with SMTP id e5c5f4694b2df-1c3080865aemr129682655d.5.1728569719308; Thu, 10 Oct 2024 07:15:19 -0700 (PDT) MIME-Version: 1.0 References: <62AD7B59-29FD-4829-B744-D60AB0592D86@mit.edu> In-Reply-To: From: Aaron Parecki Date: Thu, 10 Oct 2024 07:15:07 -0700 X-Gmail-Original-Message-ID: Message-ID: To: Pierce Gorman Content-Type: multipart/alternative; boundary="00000000000016d0c10624200048" Message-ID-Hash: UMURNKORRBDOAG2TO7UWYLU7X2GTCVGG X-Message-ID-Hash: UMURNKORRBDOAG2TO7UWYLU7X2GTCVGG X-MailFrom: aaron@parecki.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: "Lee, Matt D" , "oauth@ietf.org" X-Mailman-Version: 3.3.9rc5 Precedence: list Subject: =?utf-8?q?=5BOAUTH-WG=5D_Re=3A_RFC_9068?= List-Id: OAUTH WG Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --00000000000016d0c10624200048 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Just to be clear, RFC 9068 does say the "sub" claim is required: https://www.rfc-editor.org/rfc/rfc9068.html#section-2.2 That is the feature Matt originally asked about. That feature is in RFC 9068, so it is complete, and no update is needed. So yes, by all means, please consider "sub" to be a required claim in OAuth JWT access tokens and implement RFC 9068! Aaron On Thu, Oct 10, 2024 at 7:01=E2=80=AFAM Pierce Gorman wrote: > It might be worth reviewing how updates or changes are made available to = a > completed =E2=80=9CProposed Standard=E2=80=9D. > > > > In my experience I=E2=80=99ve seen: > > > > - Errata > - An updated version noted as RFC xxxx *bis* (where *bis* is Old Latin > for =E2=80=9Crepeat=E2=80=9D) > - A new Internet-Draft which, if promoted to =E2=80=9CProposed Standar= d=E2=80=9D may > obsolete or deprecate all or a portion of a previous RFC. > > > > I=E2=80=99m pretty sure I=E2=80=99ve mangled the part about =E2=80=9Cobso= lete=E2=80=9D and =E2=80=9Cdeprecate=E2=80=9D but > hopefully that helps some. > > > > Pierce > > > > *From:* Justin Richer > *Sent:* Thursday, October 10, 2024 8:51 AM > *To:* Lee, Matt D > *Cc:* oauth@ietf.org > *Subject:* [OAUTH-WG] Re: RFC 9068 > > > > You don't often get email from jricher@mit.edu. Learn why this is > important > > > > *EXTERNAL EMAIL* > > My apologies - I just realized that I mistakenly typed "RFC6086" on the > first part of the message, to be clear the entire comment is in fact abou= t > RFC9068. > > > > =E2=80=94 Justin > > > > On Oct 10, 2024, at 9:48=E2=80=AFAM, Justin Richer wrot= e: > > > > Hi Matt, > > > > RFC6086 is published and final =E2=80=94 there is not ongoing work on tha= t > document, because it is complete. I=E2=80=99m sure there is also other wo= rk > happening all around about profiling JWTs for specific purposes and > circumstances. > > > > The wording of "Proposed Standard" can be confusing. It does not mean tha= t > the document is still in process. Instead, it speaks to the nature of > organizations like the IETF: we can only really propose and describe > standards, it=E2=80=99s the implementations that make those standards con= crete in > the real world. > > > > With that in mind, the best way to continue the work of RFC9068 is to > implement it and advocate for others to implement it as well. > > > > =E2=80=94 Justin > > > > On Oct 8, 2024, at 4:41=E2=80=AFPM, Lee, Matt D < > Matt.Lee=3D40kbslp.cloud@dmarc.ietf.org> wrote: > > > > First, my sincerest condolences regarding the loss of Vittorio Bertocci, > someone who had an astonishing impact on the industry and community at > large. > > > > I was reminded of this loss today as I was having a conversation with som= e > peers about the optional nature of the sub claim in JWTs used in OAuth > grants. After we searched for guidance we found this proposed standard fr= om > Vittorio that would move sub from optional to required, and wondered if > anyone was picking this up now that he has passed. > > > > Thank you > > > > Matt Lee | KGS Enterprise Architect > > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org > > > > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org > > > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org > --00000000000016d0c10624200048 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Just to be clear, RFC 9068 does say the "sub" cl= aim is required:


That is the feature Matt origina= lly asked about. That feature is in RFC 9068, so it is complete, and no upd= ate is needed.

So yes, by all means, please consid= er "sub" to be a required claim in OAuth JWT access tokens and im= plement RFC 9068!

Aaron

=
On Thu= , Oct 10, 2024 at 7:01=E2=80=AFAM Pierce Gorman <Pierce.Gorman@numeracle.com> wrote:

It might be worth reviewing how updates or chang= es are made available to a completed =E2=80=9CProposed Standard=E2=80=9D.

=C2=A0

In my experience I=E2=80=99ve seen:

=C2=A0

  • Errata
  • An updated vers= ion noted as RFC xxxx bis (where bis is Old Latin for =E2=80=9Crepeat=E2=80=9D)<= /u>
  • A new Internet-= Draft which, if promoted to =E2=80=9CProposed Standard=E2=80=9D may obsolet= e or deprecate all or a portion of a previous RFC.

=C2=A0

I=E2=80=99m pretty sure I=E2=80=99ve mangled the= part about =E2=80=9Cobsolete=E2=80=9D and =E2=80=9Cdeprecate=E2=80=9D but = hopefully that helps some.

=C2=A0

Pierce

=C2=A0

From: Justin Richer <jricher@mit.edu>
Sent: Thursday, October 10, 2024 8:51 AM
To: Lee, Matt D <Matt.Lee=3D40kbslp.cloud@dmarc.ietf.org>
Cc: oauth@ietf.o= rg
Subject: [OAUTH-WG] Re: RFC 9068

=C2=A0

You don't often get email from jricher@mit.edu. <= a href=3D"https://aka.ms/LearnAboutSenderIdentification" target=3D"_blank"> Learn why this is important

=C2=A0

=

EXTERNAL EMAIL

My apologies - I just realized that I mistakenly typ= ed "RFC6086" on the first part of the message, to be clear the en= tire comment is in fact about RFC9068.

=C2=A0

=C2=A0=E2=80=94 Justin



On Oct 10, 2024, at 9:48=E2=80=AFAM, Justin Richer <jricher@mit.edu> wrote:

=C2=A0

Hi Matt,

=C2=A0

RFC6086 is published and final =E2=80=94 there is no= t ongoing work on that document, because it is complete. I=E2=80=99m sure t= here is also other work happening all around about profiling JWTs for speci= fic purposes and circumstances.

=C2=A0

The wording of "Proposed Standard" can be = confusing. It does not mean that the document is still in process. Instead,= it speaks to the nature of organizations like the IETF: we can only really= propose and describe standards, it=E2=80=99s the implementations that make those standards concrete in the real world.

=C2=A0

With that in mind, the best way to continue the work= of RFC9068 is to implement it and advocate for others to implement it as w= ell.

=C2=A0

=C2=A0=E2=80=94 Justin



On Oct 8, 2024, at 4:41=E2=80=AFPM, Lee, Matt D <Matt.Lee=3D40kbslp.cl= oud@dmarc.ietf.org> wrote:

=C2=A0

First, my sincerest condolences regarding the loss o= f Vittorio Bertocci, someone who had an astonishing impact on the industry = and community at large.

=C2=A0

I was reminded of this loss today as I was having a = conversation with some peers about the optional nature of the sub claim in = JWTs used in OAuth grants. After we searched for guidance we found this pro= posed standard from Vittorio that would move sub from optional to required, and wondered if anyone was picki= ng this up now that he has passed.

=C2=A0

Thank you

=C2=A0

Matt Lee | KGS Enterp= rise Architect

_______________________________________________
OAuth mailing list -- o= auth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org

=C2=A0

_______________________________________________
OAuth mailing list -- o= auth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org

=C2=A0

_______________________________________________
OAuth mailing list -- o= auth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org
--00000000000016d0c10624200048--