Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

Neil Madden <neil.madden@forgerock.com> Thu, 18 March 2021 12:07 UTC

From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <0860DA51-9C0C-49CF-8CE4-F90415CC6D0D@forgerock.com>
Date: Thu, 18 Mar 2021 12:07:11 +0000
In-Reply-To: <CADNypP9FTQ1-vtzuQbHakOUKwQd0gHZhOpWakUG2EWqECDxnow@mail.gmail.com>
Cc: Andrii Deinega <andrii.deinega@gmail.com>, oauth <oauth@ietf.org>, draft-ietf-oauth-jwt-introspection-response@ietf.org
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
References: <CALkShcttq5WKzJ4Zp8396hd+Dnoa6x74s0ekBGGNddWhoNqJ=g@mail.gmail.com> <D4516625-A215-4864-A893-16975A1E901D@forgerock.com> <CADNypP9FTQ1-vtzuQbHakOUKwQd0gHZhOpWakUG2EWqECDxnow@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lMO-KuPln-dUtDi7kdnYKV8cEJM>
Subject: Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce


> On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
> 
> On Thu, Mar 18, 2021 at 3:45 AM Neil Madden <neil.madden@forgerock.com> wrote:
> 
> 
>> On 18 Mar 2021, at 05:33, Andrii Deinega <andrii.deinega@gmail.com> wrote:
>> 
>> 
>> The Cache-Control header, even with its strongest directive "no-store", is pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext Transfer Protocol: Caching).
>> 
>> This directive is NOT a reliable or sufficient mechanism for ensuring privacy.  In particular, malicious or compromised caches might not recognize or obey this directive, and communications networks might be vulnerable to eavesdropping.
> 
> This quote is about privacy. Your concerns so far have been about replay protection. TLS protects both. 
> 
>> 
>> Regarding TLS, I've mentioned that we don't always have the luxury to see what is going on with the infrastructure. A bright example would be an AS implemented as a serverless application and hosted by one of the cloud providers.
> 
> Right, but (as I’ve said before) the same reasoning applies to a JWT too. The infrastructure could just as easily “terminate JWS” as it currently terminates TLS. As I keep saying, it’s much better to spend your time ensuring end-to-end TLS than end-to-end JWT. 
> 
> That's not always possible. In some enterprises, they will have an inspection middlebox that breaks the end-to-end TLS, e.g., ZScaler.

And if you use encrypted JWTs to work around that you’ll soon have inspection middleboxes that break end-to-end JWT. This isn’t a game we can win by adding more layers of the same solution.

— Neil
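The exchange above turns on what a signed introspection response does and does not bind: a JWS proves origin and integrity, but by itself nothing stops the same valid response being presented again, which is why one side argues for a per-request nonce and the other for end-to-end TLS. The following is an added example written for this edit, not code from the draft, from ForgeRock, or from any poster. It builds a minimal JWT introspection response (claims `iss`, `aud`, `iat` and `token_introspection`, with `typ` `token-introspection+jwt`, as in the draft), signs it with HS256 over a constructed shared key for self-containment (a real AS would use an asymmetric algorithm and published keys), and then shows how an RS check behaves against a fresh response, a replay inside and outside an assumed `iat` freshness window, a tampered signature, and a hypothetical `nonce` claim of the kind the thread debates. The freshness window, clock-skew tolerance, issuer, audience, key and the `nonce` claim are all assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this example (not from the draft or the thread).
SHARED_KEY = b"example-shared-secret-do-not-use"   # HS256 key shared by AS and RS (demo only)
AS_ISSUER = "https://as.example.com"
RS_AUDIENCE = "https://rs.example.com"
FRESHNESS_WINDOW = 60      # seconds an RS will accept an "iat" in the past (assumption)
CLOCK_SKEW = 5             # seconds of tolerated clock drift (assumption)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_introspection_response(claims: dict, key: bytes = SHARED_KEY) -> str:
    """AS side: wrap an introspection result in a compact JWS (HS256 for the demo)."""
    header = {"alg": "HS256", "typ": "token-introspection+jwt"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_introspection_response(jws: str, now: int, expected_nonce: Optional[str] = None,
                                  key: bytes = SHARED_KEY) -> dict:
    """RS side: return the token_introspection claim, or raise ValueError."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != AS_ISSUER:
        raise ValueError("wrong iss")
    if claims.get("aud") != RS_AUDIENCE:
        raise ValueError("wrong aud")
    iat = claims.get("iat")
    # The signature binds iat, so a freshness window bounds how long a replay stays valid.
    if not isinstance(iat, int) or iat > now + CLOCK_SKEW or now - iat > FRESHNESS_WINDOW:
        raise ValueError("stale or future iat")
    # Hypothetical per-request binding (the nonce the thread debates; not in the draft).
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims["token_introspection"]


def _accepts(jws: str, now: int, nonce: Optional[str] = None) -> bool:
    try:
        verify_introspection_response(jws, now, nonce)
        return True
    except ValueError:
        return False


def replay_demo() -> dict:
    """Show what the signature binds and what it does not."""
    t0 = 1_616_069_231                     # constructed issue time (Unix seconds)
    base = {"iss": AS_ISSUER, "aud": RS_AUDIENCE, "iat": t0,
            "token_introspection": {"active": True, "scope": "read", "sub": "alice"}}
    plain = sign_introspection_response(base)
    bound = sign_introspection_response({**base, "nonce": "req-1"})
    # Flip the last signature character to simulate tampering in transit.
    tampered = plain[:-1] + ("A" if plain[-1] != "A" else "B")
    return {
        "fresh": _accepts(plain, t0 + 1),
        "replayed_in_window": _accepts(plain, t0 + 30),   # identical bytes, still verifies
        "replayed_after_window": _accepts(plain, t0 + 3600),
        "tampered": _accepts(tampered, t0 + 1),
        "nonce_matches": _accepts(bound, t0 + 1, "req-1"),
        "nonce_replayed_to_other_request": _accepts(bound, t0 + 1, "req-2"),
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name:34s} {'accepted' if ok else 'rejected'}")
```

The `replayed_in_window` case is the crux: with no per-request binding the RS cannot tell a replayed response from the original within the freshness window, so the defence against replay is either the confidentiality and freshness of the transport (the end-to-end TLS argument) or a claim such as the hypothetical `nonce` that ties the response to one request. Neither the `iat` window nor the `nonce` check is a substitute for pinning `alg` and verifying `iss` and `aud`, which the function does first.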