Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard

Dick Hardt <> Wed, 26 August 2020 16:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EC6033A16C6; Wed, 26 Aug 2020 09:52:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.54
X-Spam-Status: No, score=-0.54 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aMYA7ZIR1uDX; Wed, 26 Aug 2020 09:52:39 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3FEF83A16C3; Wed, 26 Aug 2020 09:52:39 -0700 (PDT)
Received: by with SMTP id t23so3178663ljc.3; Wed, 26 Aug 2020 09:52:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nwjWryur4YNGdhTBRFDZ+5JibJos55qQFd7EsDn8WTQ=; b=RiUWg4LoSNe9Ikb5WBSSH1E0ALd50BxXL0XaIe0T2XzGYjq49S0Zpm/swxjC0BCVe7 uw7opx2Qpybobm+Wu7R2EFCj79Ej/3k277DKKbXT8mNDprmVOvW4wSBvAjYLH5tpYzOv h2ujZaVQdDrhrVpXOsO3pcaVOW3U0K6luKgojBxaE+RkmwhnPjO1YDTAwHLAr4Fpm0oH UwzYTKJmi10D9f7GN1MFMspxa/NmuJ8AVK/UvfryPSSf7KfXW53o8rJShQjc8lcnl/Yy vIEtf6rVNvdz6ff602biCZYwRwKwy9m+zXrqcK/ecOif6AMLS1eukfGG48bqy/QfyGJr Ra4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nwjWryur4YNGdhTBRFDZ+5JibJos55qQFd7EsDn8WTQ=; b=kNGTZAIcNaH6PHSRKOsjbP/UyOknAQSHdR3CclnpjItMjiSSczrzX+IQ9gLGjDtOPm GJVvSmV1D8nYnU7Y0pvGCKKDSXsrUjO04JW5REFb4uAgN7KqnXZqXxUXORFt6VeP2Ryu XTRkwAzXgyCq+wMBBNVnrzdceIBbJmb2ImLhMwR3r1i/LhlxGw5hW7zr4Q/UjR0eXhc5 MrKf5SGxbA5F4fu54d1afqxHQy+w07BiLWU0vVS3n61SjPtkToJ7qn0E+OjjQXq96vvp 0iKfvlJq0RRmdjcDWBJN7xbkXMQ0hd0g3WFgG7BuybsnNQFLKhuLf01d8JohHAGa3zxu Ur+w==
X-Gm-Message-State: AOAM5305JM12B0FlyZjJ98EWWoFvvsZ/W5XGS4lM3CV95lAvCsj19YPl nXfntqWC97feOSasgKswJrff2El+LvlyGaeJnik=
X-Google-Smtp-Source: ABdhPJxi+yYaCCrtel5BBqhWKdAx9WJeEU7eJzghDbyLalXl3UtuV9AAxXMshzxckK/FefARepkID0Th9WPfFm1rFX4=
X-Received: by 2002:a2e:b0db:: with SMTP id g27mr8073692ljl.69.1598460757035; Wed, 26 Aug 2020 09:52:37 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Dick Hardt <>
Date: Wed, 26 Aug 2020 09:52:00 -0700
Message-ID: <>
To: Torsten Lodderstedt <>
Cc: Denis <>,, oauth <>
Content-Type: multipart/alternative; boundary="0000000000009c521505adcaa520"
Archived-At: <>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Aug 2020 16:52:41 -0000

On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <torsten=> wrote:

> Hi Denis,
> > On 25. Aug 2020, at 16:55, Denis <> wrote:
> > The fact that the AS will know exactly when the introspection call has
> been made and thus be able to make sure which client
> > has attempted perform an access to that RS and at which instant of time.
> The use of this call allows an AS to track where and when
> > its clients have indeed presented an issued access token.
> That is a fact. I don’t think it is an issue per se. Please explain the
> privacy implications.

As I see it, the privacy implication is that the AS knows *when* the client
(and potentially the user) is accessing the RS, which is also an indication
of *when* the user is using the client.

I think including this implication would be important to have in a Privacy
Considerations section.