Re: [OAUTH-WG] JWT BCP Acknowledgements (was Fwd: New Version Notification for draft-ietf-oauth-jwt-bcp-02.txt)

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 05 May 2018 12:16 UTC

To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
References: <CA+k3eCRi0eQJDVMDFLUcntL5_+8ANM0r7i5JoJHJC1zdgFX_6Q@mail.gmail.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <51ae29af-d9b8-019c-2d43-c1ecc4694d4f@gmail.com>
Date: Sat, 05 May 2018 15:16:11 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sRWLcefWiLbB4fDgagKOTrVtqvw>
Subject: Re: [OAUTH-WG] JWT BCP Acknowledgements (was Fwd: New Version Notification for draft-ietf-oauth-jwt-bcp-02.txt)

Thanks Brian for the reminder. Will update the draft.

	Yaron

On 05/05/18 01:06, Brian Campbell wrote:
> AFAIK, Tim McLean was the first to bring the HMAC/RSA switching attack 
> to the attention of JWS/JWT implementers - 
> https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ 
> 
> 
> Perhaps he should be acknowledged similar to how Antonio is for the 
> invalid point attack?
> 
> I've also provided a little (admittedly very little) review and feedback 
> on the draft...
> 
> 
> 
> On Wed, May 2, 2018 at 2:36 AM, Yaron Sheffer <yaronf.ietf@gmail.com 
> <mailto:yaronf.ietf@gmail.com>> wrote:
> 
>     This new version should address all WGLC comments. Please let us
>     know if there's anything missing.
> 
>     Thanks,
>              Yaron
> 
> 
>     -------- Forwarded Message --------
>     Subject: New Version Notification for draft-ietf-oauth-jwt-bcp-02.txt
>     Date: Wed, 02 May 2018 01:26:17 -0700
>     From: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>     To: Michael B. Jones <mbj@microsoft.com <mailto:mbj@microsoft.com>>,
>     Yaron Sheffer <yaronf.ietf@gmail.com
>     <mailto:yaronf.ietf@gmail.com>>, Dick Hardt <dick@amazon.com
>     <mailto:dick@amazon.com>>, Michael Jones <mbj@microsoft.com
>     <mailto:mbj@microsoft.com>>
> 
> 
>     A new version of I-D, draft-ietf-oauth-jwt-bcp-02.txt
>     has been successfully submitted by Yaron Sheffer and posted to the
>     IETF repository.
> 
>     Name:           draft-ietf-oauth-jwt-bcp
>     Revision:       02
>     Title:          JSON Web Token Best Current Practices
>     Document date:  2018-05-02
>     Group:          oauth
>     Pages:          13
>     URL:
>     https://www.ietf.org/internet-drafts/draft-ietf-oauth-jwt-bcp-02.txt
>     <https://www.ietf.org/internet-drafts/draft-ietf-oauth-jwt-bcp-02.txt>
>     Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/
>     <https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/>
>     Htmlized: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-02
>     <https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-02>
>     Htmlized:
>     https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp
>     <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp>
>     Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bcp-02
>     <https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bcp-02>
> 
>     Abstract:
>         JSON Web Tokens, also known as JWTs, are URL-safe JSON-based
>     security
>         tokens that contain a set of claims that can be signed and/or
>         encrypted.  JWTs are being widely used and deployed as a simple
>         security token format in numerous protocols and applications,
>     both in
>         the area of digital identity, and in other application areas.  The
>         goal of this Best Current Practices document is to provide
>     actionable
>         guidance leading to secure implementation and deployment of JWTs.
> 
> 
> 
> 
>     Please note that it may take a couple of minutes from the time of
>     submission
>     until the htmlized version and diff are available at tools.ietf.org
>     <http://tools.ietf.org>.
> 
>     The IETF Secretariat
> 
> 
> 
> 
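The HMAC/RSA switching attack Brian mentions is why the BCP tells verifiers never to let the token header choose the algorithm. The following is an added example (not code from this thread, the draft, or any named library) of a verifier that pins each key to one algorithm and key type and applies an allowlist before any signature check runs; the key store, key ids and secret are constructed for the example, and only HS256 is implemented here (an RS256 checker would register in the same table).

```python
import base64, hashlib, hmac, json

# Constructed key store: each key is pinned at provisioning to one alg and kty.
KEYS = {
    "hmac-1": {"kty": "oct", "alg": "HS256", "k": b"constructed-demo-secret"},
    "rsa-1": {"kty": "RSA", "alg": "RS256", "pem": b"-----BEGIN PUBLIC KEY-----\n(placeholder)\n-----END PUBLIC KEY-----\n"},
}
ALG_KTY = {"HS256": "oct", "RS256": "RSA", "ES256": "EC"}  # RFC 7518 alg -> kty

def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64u_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _hs256_valid(signing_input: bytes, sig: bytes, key: dict) -> bool:
    mac = hmac.new(key["k"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(mac, sig)  # constant-time comparison

VERIFIERS = {"HS256": _hs256_valid}  # RS256/ES256 checkers would plug in here

def verify(token: str, keys: dict, allowed_algs: frozenset) -> dict:
    """Return the claims, or raise ValueError. Policy checks run before crypto."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64u_decode(h64))
        alg, kid = header.get("alg"), header.get("kid")
    except (ValueError, AttributeError) as e:
        raise ValueError("malformed token") from e
    if alg not in allowed_algs:  # rejects "none" and anything the verifier never expects
        raise ValueError(f"alg {alg!r} not allowed by verifier policy")
    key = keys.get(kid)
    if key is None:
        raise ValueError("unknown kid")
    # The HMAC/RSA switching attack relies on the header steering an RSA public
    # key into an HMAC routine; pinning alg and kty on the key closes that path.
    if key["alg"] != alg or key["kty"] != ALG_KTY.get(alg):
        raise ValueError("header alg does not match the key's pinned algorithm")
    check = VERIFIERS.get(alg)
    if check is None:
        raise ValueError(f"no verifier configured for {alg}")
    if not check(f"{h64}.{p64}".encode(), _b64u_decode(s64), key):
        raise ValueError("bad signature")
    return json.loads(_b64u_decode(p64))

def mint_hs256(claims: dict, kid: str, secret: bytes) -> str:  # issuer side, for tests
    h64 = _b64u_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    p64 = _b64u_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64u_encode(sig)}"
```

A token whose header says HS256 but whose `kid` names the RSA key is refused at the pin check, before any MAC is computed, so the public-key bytes can never be used as an HMAC secret.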