[Sandbox-mailoutput] [Django development] Last Call: <draft-ietf-oauth-jwsreq-30.txt> (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)) to Proposed Standard

IETF Secretariat <ietf-secretariat-reply@ietf.org> Fri, 18 September 2020 15:38 UTC

From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
To: sandbox-mailoutput@ietf.org
Message-ID: <160044352333.13013.4312528512782542109@sandbox.amsl.com>
Date: Fri, 18 Sep 2020 08:38:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sandbox-mailoutput/sEb3rfzIg1CMXpD8d2a1geHwPLc>
Subject: [Sandbox-mailoutput] [Django development] Last Call: <draft-ietf-oauth-jwsreq-30.txt> (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)) to Proposed Standard

The attached message would have been sent, but the tracker is in development mode.
It was not sent to anybody.

--- Begin Message ---
The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document:
- 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)'
  <draft-ietf-oauth-jwsreq-30.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing list by 2020-10-02. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents is not
   integrity protected and thus the parameters can be tampered with, and (b)
   the source of the communication is not authenticated.  Because of
   these weaknesses, several attacks against the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be signed
   with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
   (JWE) so that the integrity, source authentication and
   confidentiality properties of the Authorization Request are attained.
   The request can be sent by value or by reference.
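As an added illustration (not part of this announcement or of the draft), the by-value flow the abstract describes, in Python with only the standard library: the client wraps its authorization parameters in an HS256-signed request object, and the authorization server verifies the signature and then checks iss, client_id, aud and exp before trusting any parameter. The client id, shared secret and issuer URL are constructed sample values, and the `typ` header value is an assumption.

```python
import base64, hashlib, hmac, json

# Constructed sample values (assumptions, not taken from the draft).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-shared-secret-that-is-at-least-32-bytes-long"
AS_ISSUER = "https://as.example.com"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_request_object(params: dict, now: int) -> str:
    """Client side: put the authorization parameters into an HS256-signed JWS."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}  # typ value assumed
    claims = dict(params, iss=CLIENT_ID, aud=AS_ISSUER, iat=now, exp=now + 300)
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_request_object(jwt: str, now: int) -> dict:
    """AS side: verify the signature, then the claims, before using any parameter."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # rejects alg=none and algorithm substitution
        raise ValueError("unsupported alg")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # The signer (iss) must be the client the request is for; client_id is expected in the params.
    if claims.get("iss") != CLIENT_ID or claims.get("client_id") != CLIENT_ID:
        raise ValueError("iss/client_id mismatch")
    if claims.get("aud") != AS_ISSUER:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired request object")
    return claims

def is_rejected(jwt: str, now: int) -> bool:
    """Convenience check: True when the AS refuses the request object."""
    try:
        verify_request_object(jwt, now)
    except ValueError:
        return True
    return False
```

Splicing a differently-signed payload into a valid token, or replaying the token after exp, makes `is_rejected` return True, which is the integrity property the abstract claims over plain query-string requests.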




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/



No IPR declarations have been submitted directly on this I-D.




--- End Message ---