Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Aaron Parecki <aaron@parecki.com> Thu, 16 April 2020 19:09 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 16 Apr 2020 12:08:43 -0700
Message-ID: <CAGBSGjpBqeHxFNJ7OEXZwYQb=SG6ian=zpoNHezQ_OYwFNZNBw@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m03qAPxrfuWyNmDpwVxjBVs85js>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Section 2.1 says:

> Although JWT access tokens can use any signing algorithm, use of
> asymmetric algorithms is RECOMMENDED

Can this be strengthened to disallow the `none` algorithm? Something like
adding "... and MUST NOT use the "none" algorithm".

Given that the JWT BCP doesn't disallow the "none" algorithm, technically
someone could follow both this JWT Access Token spec and the JWT BCP spec
and end up with an implementation that allows an AS to accept JWTs with the
"none" algorithm.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>
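The check this message asks the profile to mandate, as an added example in Python (not code from the draft or from anyone in the thread): the resource server decides which JWS algorithms it accepts from its own allowlist and refuses an `alg` of `none` before any signature work happens. The allowlist contents and the `fixture_token` helper are constructed for illustration.

```python
import base64
import json

# Constructed allowlist: the asymmetric JWS algorithms (RFC 7518 names) an AS
# or resource server chooses to accept for access tokens. "none" is never listed.
ALLOWED_ALGS = frozenset({"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                          "ES256", "ES384", "ES512"})

def _b64url_decode(segment: str) -> bytes:
    # JWS base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_header(token: str) -> dict:
    """Decode the JOSE header of a compact-serialised JWT without trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0]))

def check_alg(token: str, allowed=ALLOWED_ALGS) -> str:
    """Enforce the algorithm policy before any signature verification runs.

    The header's "alg" only selects which verifier to use; it never decides
    whether verification happens. "none" in any letter case, and anything
    outside the allowlist, is rejected up front.
    """
    alg = parse_header(token).get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("unsigned JWT (alg=none) rejected")
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} is not permitted for access tokens")
    return alg

def accepts(token: str) -> bool:
    """True if the token passes the alg policy (signature check would follow)."""
    try:
        check_alg(token)
        return True
    except ValueError:
        return False

def fixture_token(header: dict, claims: dict, signature: bytes = b"") -> str:
    """Constructed test token (unsigned or dummy-signed); local testing only."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.{_b64url_encode(signature)}"
```

A passing `check_alg` result only tells the caller which verifier to run; the signature must still be verified with the key the server already holds for that algorithm.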



On Wed, Apr 15, 2020 at 11:59 AM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
wrote:

> Hi all,
>
> This is a second working group last call for "JSON Web Token (JWT) Profile
> for OAuth 2.0 Access Tokens".
>
> Here is the document:
>
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06
>
> Please send your comments to the OAuth mailing list by April 29, 2020.
>
> Regards,
>
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth