[OAUTH-WG] Re: RFC 9068

Justin Richer <jricher@mit.edu> Thu, 10 October 2024 13:48 UTC

From: Justin Richer <jricher@mit.edu>
To: "Lee, Matt D" <Matt.Lee=40kbslp.cloud@dmarc.ietf.org>
Date: Thu, 10 Oct 2024 13:48:36 +0000
CC: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mEtFVG8DztRrfWMGHH5sv_-9K8U>

Hi Matt,

RFC6086 is published and final — there is not ongoing work on that document, because it is complete. I’m sure there is also other work happening all around about profiling JWTs for specific purposes and circumstances.

The wording of "Proposed Standard" can be confusing. It does not mean that the document is still in process. Instead, it speaks to the nature of organizations like the IETF: we can only really propose and describe standards, it’s the implementations that make those standards concrete in the real world.

With that in mind, the best way to continue the work of RFC9068 is to implement it and advocate for others to implement it as well.

 — Justin

On Oct 8, 2024, at 4:41 PM, Lee, Matt D <Matt.Lee=40kbslp.cloud@dmarc.ietf.org> wrote:

First, my sincerest condolences regarding the loss of Vittorio Bertocci, someone who had an astonishing impact on the industry and community at large.

I was reminded of this loss today as I was having a conversation with some peers about the optional nature of the sub claim in JWTs used in OAuth grants. After we searched for guidance we found this proposed standard from Vittorio that would move sub from optional to required, and wondered if anyone was picking this up now that he has passed.

Thank you

Matt Lee | KGS Enterprise Architect