[OAUTH-WG] New WG doc -- Update to JSON Web Token Best Current Practices
Dick Hardt <dick.hardt@gmail.com> Thu, 16 January 2025 15:45 UTC
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 16 Jan 2025 15:45:14 +0000
To: oauth@ietf.org
CC: Yaron Sheffer <yaronf.ietf@gmail.com>, Hannes Tschofenig <hannes.tschofenig@gmail.com>
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kH82fejTEH6jWb82cvlfvuEvWd0>
Mike, Yaron, and I received an email reporting a number of vulnerabilities in JWT libraries (see below), and a number of suggested mitigations Yaron has filed in his repo as issues:
https://github.com/yaronf/draft-sheffer-oauth-rfc8725bis/issues

This has prompted us to start a new draft for a revised JWT BCP. Yaron has published an ID that is the current state of RFC8725
https://datatracker.ietf.org/doc/draft-sheffer-oauth-rfc8725bis/
that we would like to propose be adopted by the WG. We would discuss the mitigations listed and add to the document as agreed upon, and will solicit any additional best current practices that have been developed since the publication of 8725.

/Dick

Reference:
[1]: https://nvd.nist.gov/vuln/detail/cve-2024-5037
[2]: https://github.com/kubernetes/kubernetes/pull/123540

Language    Library          Vulnerability Type      CVE Number
Python      python-jose      Compression DoS         CVE-2024-29370
            jwcrypto         Billion Hashes Attack   CVE-2023-6681
                             Compression DoS         CVE-2024-28102
C           latchset/jose    Billion Hashes Attack   CVE-2023-50967
Java        jjwt             Billion Hashes Attack   CVE-2024-39960
            jose4j           Billion Hashes Attack   CVE-2023-51775
                             Compression DoS         CVE-2024-29371
            nimbus-jose-jwt  Billion Hashes Attack   CVE-2023-52428
C#          jose-jwt         Sign/Encrypt Confusion  CVE-2024-24238
                             Compression DoS         CVE-2024-27663
JavaScript  jose             Compression DoS         CVE-2024-28176
            node-jose        Billion Hashes Attack   CVE-2024-39960
Go          jose2go          Billion Hashes Attack   CVE-2023-50658
                             Compression DoS         CVE-2024-28122
            go-jose          Compression DoS         CVE-2024-28180
            jwx              Billion Hashes Attack   CVE-2023-49290
                             Compression DoS         CVE-2024-28122
Ruby        json-jwt         Sign/Encrypt Confusion  CVE-2023-51774
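A receiver-side pre-check covering the three vulnerability classes in the table above (unbounded PBES2 iteration counts behind the "billion hashes" entries, JWE decompression bombs behind the "compression DoS" entries, and sign/encrypt confusion), written as an added example for this archive page; it is not code from the draft or from any library listed, and the policy limits MAX_P2C, MIN_P2C and ALLOW_ZIP are assumed values a deployment would tune. It inspects only the protected header, so a hostile token is refused before any key derivation, decryption or inflation happens.

```python
import base64
import json

# Policy limits constructed for this example (assumptions, not values from the draft).
MAX_P2C = 10_000   # upper bound on PBES2 iteration count ("billion hashes" mitigation)
MIN_P2C = 1_000    # RFC 7518 recommended floor, so weak counts are refused as well
ALLOW_ZIP = False  # refuse JWE "zip" unless the application really needs it

class TokenRejected(Exception):
    pass

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def precheck_header(token: str, expect: str, allowed_algs: set) -> dict:
    """Reject a compact-serialized token from its protected header alone, before any
    key derivation, decryption or decompression runs. expect is "JWS" or "JWE"."""
    parts = token.split(".")
    kind = {3: "JWS", 5: "JWE"}.get(len(parts))
    if kind is None:
        raise TokenRejected("not compact JWS (3 parts) or JWE (5 parts)")
    # Sign/Encrypt confusion: a verifier expecting a signed object must not
    # silently accept an encrypted one (or vice versa).
    if kind != expect:
        raise TokenRejected(f"expected {expect}, got {kind}")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise TokenRejected(f"alg {alg!r} not in allow-list")
    # Billion hashes: PBES2 lets the sender pick the PBKDF2 iteration count, so an
    # unbounded p2c turns key unwrapping into a CPU-exhaustion primitive.
    if alg.startswith("PBES2"):
        p2c = header.get("p2c")
        if type(p2c) is not int or not MIN_P2C <= p2c <= MAX_P2C:
            raise TokenRejected(f"unacceptable p2c {p2c!r}")
    # Compression DoS: a small ciphertext can inflate to gigabytes after decryption.
    if "zip" in header and not ALLOW_ZIP:
        raise TokenRejected("compressed JWE refused by policy")
    return header

def rejection_reason(token: str, expect: str, allowed_algs: set):
    """The rejection message, or None when the header passes the checks."""
    try:
        precheck_header(token, expect, allowed_algs)
    except TokenRejected as exc:
        return str(exc)
    return None

def encode_header(header: dict) -> str:  # builds the constructed sample tokens below
    return base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
```

The allow-list passed as allowed_algs should be the one or two algorithms the application actually provisioned keys for, never everything the library supports.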