Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

Brian Campbell <bcampbell@pingidentity.com> Mon, 17 July 2017 09:53 UTC

In-Reply-To: <4524B6AF-E350-4D58-8ACC-1554D2506191@oracle.com>
References: <CY4PR21MB0504A6F0739B0F3EFA46AE54F5D70@CY4PR21MB0504.namprd21.prod.outlook.com> <4524B6AF-E350-4D58-8ACC-1554D2506191@oracle.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 17 Jul 2017 11:53:06 +0200
Message-ID: <CA+k3eCSeUqE8Tnr_OA__BrRLEUXjPDpjV0qF69t5dVL_RBXnVw@mail.gmail.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c18a30e6ea7810554805f6a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m--XqYM92w-AwQVeoTqquhZSiII>
Subject: Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

Could some more guidance be provided around how to use the explicit typing
with nested JWTs?

I'd imagine that the "typ" header should be in the header of the JWT that
is integrity protected by the issuer?

On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) <phil.hunt@oracle.com>
wrote:

> +1
>
> Thanks Mike.
>
> Phil
>
> On Jul 4, 2017, at 12:43 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> The JWT BCP draft has been updated to describe the use of explicit typing
> of JWTs as one of the ways to prevent confusion among different kinds of
> JWTs.  This is accomplished by including an explicit type for the JWT in
> the “typ” header parameter.  For instance, the Security Event Token (SET)
> specification <http://self-issued.info/?p=1709> now uses the
> “application/secevent+jwt” content type to explicitly type SETs.
>
> The specification is available at:
>
>    - https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
>
> An HTML-formatted version is also available at:
>
>    - http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
>
>                                                        -- Mike
>
> P.S.  This notice was also posted at http://self-issued.info/?p=1714 and
> as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

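An added example, not code from the draft or from any poster in this thread: a minimal HS256 JWS minter beside a consumer that enforces the explicit "typ" header the quoted announcement describes, so that a SET consumer rejects untyped JWTs and JWTs typed "JWT" even when their signatures verify. It assumes a constructed demo key and applies RFC 7515's rule that an omitted "application/" prefix is implied when comparing "typ"; it does not attempt the nested-JWT case raised in the question.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key-not-for-production"  # constructed; a real consumer uses the issuer's key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jws(header: dict, claims: dict, key: bytes) -> str:
    """Mint an HS256 compact JWS; the issuer decides whether a 'typ' header is set."""
    header = {"alg": "HS256", **header}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def normalize_typ(value: str) -> str:
    """RFC 7515 s4.1.9: compare case-insensitively; an omitted 'application/' prefix is implied."""
    value = value.lower()
    return value if "/" in value else "application/" + value

def verify_typed_jwt(token: str, key: bytes, expected_typ: str) -> dict:
    """Check the HS256 signature, then refuse a token whose explicit type is missing or wrong."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    typ = header.get("typ")
    if typ is None or normalize_typ(typ) != normalize_typ(expected_typ):
        raise ValueError(f"wrong token type: {typ!r}")
    return json.loads(b64url_decode(p_b64))

def demo() -> dict:
    """A SET consumer expecting 'secevent+jwt' accepts only the typed SET, although all three signatures verify."""
    claims = {"iss": "https://issuer.example", "sub": "alice"}
    tokens = {"set": make_jws({"typ": "secevent+jwt"}, claims, KEY),
              "untyped": make_jws({}, claims, KEY),
              "typ_jwt": make_jws({"typ": "JWT"}, claims, KEY)}
    results = {}
    for name, tok in tokens.items():
        try:
            verify_typed_jwt(tok, KEY, "application/secevent+jwt")
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```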