[OAUTH-WG] oauth-selective-disclosure-jwt Pull 451 is insufficient
Watson Ladd <watsonbladd@gmail.com> Thu, 22 August 2024 17:08 UTC
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 22 Aug 2024 10:08:06 -0700
Message-ID: <CACsn0ck2pS2dZ37Vh7+E1dGCaWiNECeMvVsQ-HY0irr3DJ7wJA@mail.gmail.com>
To: IETF oauth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zlpQAQb6QBSDQ9z2S9vXuhbIamA>
Hello,

I would like to point out that the issuer-verifier problem still remains open, even given the text in 11. The text is directionally wrong. It discusses how the issuer and verifier must be trusted, not what they can do together, and then only says that deployers must be aware and educate users. There's nothing actionable here, and user education doesn't work. Users cannot make security decisions of this nature, as we know from decades and decades of experience.

Can we please get text that informs our readers what the issue is and what the risks are?

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim