[OAUTH-WG] Weekly github digest (OAuth Activity Summary)
Repository Activity Summary Bot <do_not_reply@mnot.net> Sun, 07 September 2025 07:40 UTC
Return-Path: <do_not_reply@mnot.net>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9B37F5EC1424 for <oauth@mail2.ietf.org>; Sun, 7 Sep 2025 00:40:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.397
X-Spam-Level:
X-Spam-Status: No, score=-2.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=mnot.net header.b="QLdzkBj0"; dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=messagingengine.com header.b="E8FQE8KH"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yT5ctYC35Eat for <oauth@mail2.ietf.org>; Sun, 7 Sep 2025 00:40:34 -0700 (PDT)
Received: from fhigh-a6-smtp.messagingengine.com (fhigh-a6-smtp.messagingengine.com [103.168.172.157]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 2B8EA5EC0ADC for <oauth@ietf.org>; Sun, 7 Sep 2025 00:40:04 -0700 (PDT)
Received: from phl-compute-07.internal (phl-compute-07.internal [10.202.2.47]) by mailfhigh.phl.internal (Postfix) with ESMTP id 21B0C1400098 for <oauth@ietf.org>; Sun, 7 Sep 2025 03:40:04 -0400 (EDT)
Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-07.internal (MEProxy); Sun, 07 Sep 2025 03:40:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :content-type:content-type:date:from:from:in-reply-to:message-id :mime-version:reply-to:subject:subject:to:to; s=fm2; t= 1757230804; x=1757317204; bh=MRp2faTmXCyxEE2SLT4aofjQzawXspa5Qa3 j/p7+VOo=; b=QLdzkBj0QSfAF2n0OhmuSjmsTpTRbjGcyIi3nhcPyRP05ghd9gx 5gbJzTR91ridu/5m1P23+tBeab0XQusxvCwyWbZyMpDM4e7haiuwzfGJ57Wj9Wb2 q2cTB1Qz3lKAKQnMJzrTwX0mII7I6mI5O7PGNID97ViaEy/XpDIO70wItvTdYz2L eZxfcrHKaGtf2D6wMmdA/dhW2Xnf+7og9OvE5st9IYJAzog9T0gvZkV8j1bjFYDN hf0aX689b34blsBKfd/A5uDKH0+rj2iJsMNW4Reg7jQoTQPNwXdUYkCcaHwMWxII +AGO3Ov3w8zJE5GoNPJCZgc8HoXx9XO9wrg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date :feedback-id:feedback-id:from:from:in-reply-to:message-id :mime-version:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1757230804; x= 1757317204; bh=MRp2faTmXCyxEE2SLT4aofjQzawXspa5Qa3j/p7+VOo=; b=E 8FQE8KHNGwPkDL/CH+aHBE7yj5ecmxqvluePcFbjkZubJfmc7T+vETlKHO3DnyI8 kU7KMUvN9E7IDNsFS5ZvzD4gi6r9Il+V5Juux+mejT0GtvBbOrjiM/Mqm0iIqCLH ENcsT2rZ8a99KggsxycUXQOOyuOy/V6qavdnUYLMIm9S/NA8HD1By4iciCzNV3To YF0dYM7fn0PZ930j533qGgGH44DRZJdemFQMXzcamAZdWuTaGmo9+90lVeUCUYPJ g+MG59HmuDYgXIdbEVgVm/1vTnbRh5U9Rhv0hkTIa+qf+PPZ8GxAQWv9jT9GHP+M G2mUq8/vu2/EK31Naz3Ng==
X-ME-Sender: <xms:0za9aKZ32nVBRuqzlwDT4KLasm-xP3YeH_Cvv3vTvFtZs5rIKAcHUQ> <xme:0za9aIriPL85L9hV0xupDZWrsuvtneGOn9dmDrOVpysqRHz89LVHw49cdB6nVOOoF 065iYfPPGagMPvJdg>
X-ME-Received: <xmr:0za9aFmFTEo_jGM9noZGi9lLXdnVUhd2emfD9fGh2vWSldEnkCkcuICEARVr9n1z-sos9GvmKt9_KcHOzkJ-4Z72HqhBoJeymgSIT3B4d6e8cPONXd9TCUhgJzhNCLNTVuwEGow4>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggddugedtjecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecupfhoucgurghtvgcufhhivghlugculdegledmnecujfgurh eptggghffvufesrgdttdertddtjeenucfhrhhomheptfgvphhoshhithhorhihucettght ihhvihhthicuufhumhhmrghrhicuuehothcuoeguohgpnhhothgprhgvphhlhiesmhhnoh htrdhnvghtqeenucggtffrrghtthgvrhhnpeekfedvudetjedvfeekheeiveeugfefhfet teevgeffkefffeetffdvleehudeiteenucffohhmrghinhepghhithhhuhgsrdgtohhmne cuvehluhhsthgvrhfuihiivgepudenucfrrghrrghmpehmrghilhhfrhhomhepughopghn ohhtpghrvghplhihsehmnhhothdrnhgvthdpnhgspghrtghpthhtohepuddpmhhouggvpe hsmhhtphhouhhtpdhrtghpthhtohepohgruhhthhesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:0za9aC0okfqo5SAIEM13iRvuhaWy6bPZVZw30A0l8_Co7hwJYb1vng> <xmx:1Da9aFAK2JEMWwgSEueZxW0j6ptbIwZxGRSse5f07Cen52ffy5mzjg> <xmx:1Da9aHw5JbXRlv1GMw_GPeSl-RuW4929i93bT274psmSHNSyC9kD2g> <xmx:1Da9aLnOedpDkR9GOjefghvcFfRgIBmcZqgdt4qr9BzgNxS0Bd6qMA> <xmx:1Da9aCw3tTm-H2U0KmOOYmui4Vf7umDlWOAtNSKXNuMWQmFYkAKwTaWg>
Feedback-ID: i1c3946f2:Fastmail
Message-Id: <1757230804.243366.6A0E87C9@outbound.messagingengine.com>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <oauth@ietf.org>; Sun, 7 Sep 2025 03:40:03 -0400 (EDT)
Content-Type: multipart/alternative; boundary="===============8275115571717669526=="
MIME-Version: 1.0
From: Repository Activity Summary Bot <do_not_reply@mnot.net>
To: oauth@ietf.org
Date: Sun, 07 Sep 2025 00:40:04 -0700
Message-ID-Hash: PGNAJM2MEBZNER3AJLIBLYRXH4HUG5N7
X-Message-ID-Hash: PGNAJM2MEBZNER3AJLIBLYRXH4HUG5N7
X-MailFrom: do_not_reply@mnot.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Weekly github digest (OAuth Activity Summary)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lq_4THJ29MdwOPqe1qK0OG-ugPU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Events without label "editorial"
Issues
------
* oauth-wg/oauth-identity-chaining (+1/-0/š¬3)
1 issues created:
- (WGLC 2 of ?) claims/token transcription/rewrite security (by bc-pi)
https://github.com/oauth-wg/oauth-identity-chaining/issues/170
2 issues received 3 new comments:
- #139 Updates to reflect changes to RFC7523 (jwt_privatekey attack) (2 by bc-pi)
https://github.com/oauth-wg/oauth-identity-chaining/issues/139
- #111 Required `requested_token_type` parameter (1 by bc-pi)
https://github.com/oauth-wg/oauth-identity-chaining/issues/111
* oauth-wg/oauth-transaction-tokens (+1/-0/š¬14)
1 issues created:
- Consistency Pass Needed (by PieterKas)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/243
7 issues received 14 new comments:
- #235 Empty Type Parameter (1 by bc-pi)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/235 [WGLC Feedback]
- #234 TTS Configuration (1 by PieterKas)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/234 [WGLC Feedback]
- #233 Logical vs Physical TTS (1 by PieterKas)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/233 [WGLC Feedback]
- #218 Reference WIMSE WIT (1 by dagdagdag83)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/218 [WGLC Feedback]
- #212 Create internally initiated example (1 by jsalowey)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/212 [WGLC Feedback]
- #194 Reconsider 'purp' claim scope (8 by PieterKas, bc-pi, dagdagdag83, tulshi)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/194 [WGLC Feedback]
- #189 Allow Gateways to issue Tx-token to self without using RFC8693 (1 by dagdagdag83)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/189 [WGLC Feedback]
* oauth-wg/oauth-sd-jwt-vc (+1/-5/š¬7)
1 issues created:
- Remove JSON schema from Type Metadata (by bc-pi)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/342
5 issues received 7 new comments:
- #342 Remove JSON schema from Type Metadata (3 by adeinega, cre8)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/342
- #334 Remove Type Metadata Glue Documents (1 by bc-pi)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/334
- #331 Type Metadata documents in the unprotected header of the JWS (1 by bc-pi)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/331
- #247 Potential Privacy implications of verifier knowing display information (1 by bc-pi)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/247 [pending close] [blocked]
- #223 I18N for Metadata (1 by bc-pi)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/223 [discuss] [metadata] [PRIO] [wg-05]
5 issues closed:
- Add security consideration: Extending a type doesn't imply authorization to issue the type https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/302 [HAS PR]
- Type Metadata documents in the unprotected header of the JWS https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/331
- Remove Type Metadata Glue Documents https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/334
- Why vct is not selectively disclosable, but vct#integrity is not? https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/258 [Ready-for-PR]
- mandate JWT when ietf status list is used (there is also cwt) https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/333 [HAS PR]
* oauth-wg/draft-ietf-oauth-status-list (+1/-2/š¬4)
1 issues created:
- Clarification : Status List Token (in CWT) to the HTTP Response (by babisRoutis)
https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/302
3 issues received 4 new comments:
- #302 Clarification : Status List Token (in CWT) to the HTTP Response (2 by babisRoutis, paulbastian)
https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/302
- #301 the maximum size of a Status List (1 by tplooker)
https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/301 [pending-close]
- #300 Brotli vs Zlib (1 by paulbastian)
https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/300 [pending-close]
2 issues closed:
- the maximum size of a Status List https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/301 [pending-close]
- Brotli vs Zlib https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/300 [pending-close]
* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+0/-0/š¬3)
2 issues received 3 new comments:
- #140 Feedback from mailing list (1 by paulbastian)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/140
- #70 Register AS and client metadata for algorithm negotiation of attestations and pops (2 by panva, paulbastian)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/70
Pull requests
-------------
* oauth-wg/oauth-identity-chaining (+1/-1/š¬0)
1 pull requests submitted:
- DRAFT prospective changes from WGLC review (by bc-pi)
https://github.com/oauth-wg/oauth-identity-chaining/pull/171
1 pull requests merged:
- Use IANA.media-types so the tooling can find the media types registry without an explicit target
https://github.com/oauth-wg/oauth-identity-chaining/pull/167
* oauth-wg/oauth-transaction-tokens (+3/-1/š¬1)
3 pull requests submitted:
- Multiple TTS Instances (by PieterKas)
https://github.com/oauth-wg/oauth-transaction-tokens/pull/242
- Clarify why the Type: field is empty (by PieterKas)
https://github.com/oauth-wg/oauth-transaction-tokens/pull/241
- added internal flow (by jsalowey)
https://github.com/oauth-wg/oauth-transaction-tokens/pull/240
1 pull requests received 1 new comments:
- #240 added internal flow (1 by bc-pi)
https://github.com/oauth-wg/oauth-transaction-tokens/pull/240
1 pull requests merged:
- Proposed change to definition of authorization context
https://github.com/oauth-wg/oauth-transaction-tokens/pull/237
* oauth-wg/oauth-sd-jwt-vc (+0/-3/š¬2)
1 pull requests received 2 new comments:
- #337 fix: add extend for claim metadata (2 by babisRoutis, cre8)
https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/337
3 pull requests merged:
- fix: add security consideration for issuer authorization.
https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/338
- Set vct:integrity to the list of attribute to not selectively disclosed
https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/336
- Status List Token has to be a JWT
https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/339
* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+5/-0/š¬0)
5 pull requests submitted:
- Pb clarify refresh token binding (by paulbastian)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/145
- check client_id at PAR endpoint (by paulbastian)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/144
- make draft standards track and update Paul's affiliation (by paulbastian)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/143
- 70 register as and client metadata for algorithm negotiation of attestations and pops (by paulbastian)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/142
- remove restrictions to not allow MAC-based algorithms (by paulbastian)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/141
Repositories tracked by this digest:
-----------------------------------
* https://github.com/oauth-wg/oauth-browser-based-apps
* https://github.com/oauth-wg/oauth-identity-chaining
* https://github.com/oauth-wg/oauth-transaction-tokens
* https://github.com/oauth-wg/oauth-sd-jwt-vc
* https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata
* https://github.com/oauth-wg/oauth-cross-device-security
* https://github.com/oauth-wg/oauth-selective-disclosure-jwt
* https://github.com/oauth-wg/oauth-v2-1
* https://github.com/oauth-wg/draft-ietf-oauth-status-list
* https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth
--
To have a summary like this sent to your list, see: https://github.com/ietf-github-services/activity-summary
- [OAUTH-WG] Weekly github digest (OAuth Activity S⦠Repository Activity Summary Bot