[OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-jwt-bearer-10: (with DISCUSS and COMMENT)
"Richard Barnes" <rlb@ipv.sx> Thu, 16 October 2014 04:01 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EE451A0149; Wed, 15 Oct 2014 21:01:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEHkLVCQAGOU; Wed, 15 Oct 2014 21:01:22 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B71E1A0054; Wed, 15 Oct 2014 21:01:22 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Richard Barnes <rlb@ipv.sx>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.4
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20141016040122.32277.7067.idtracker@ietfa.amsl.com>
Date: Wed, 15 Oct 2014 21:01:22 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/mmZaobYDOeq146oKOxA428oHtgA
Cc: oauth-chairs@tools.ietf.org, draft-ietf-oauth-jwt-bearer@tools.ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-jwt-bearer-10: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 04:01:24 -0000
Richard Barnes has entered the following ballot position for draft-ietf-oauth-jwt-bearer-10: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- As with draft-ietf-oauth-assertions, the requirement for an "aud" claim seems entirely unnecessary. Holding this DISCUSS point pending that discussion and its reflection in this document. "Assertions that do not identify the Authorization Server as an intended audience MUST be rejected." -- What does it mean for an assertion to "identify the Authorization Server"? Does the specified <Audience> need to match the entire URL of the relevant OAuth endpoint? Just the origin? Just the domain? Does the URL need to be canonicalized? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- "keyed message digest" -> "MAC" Both this and the SAML document could save a lot of bits by just being subsections of the -assertions document.
- [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes