[Sandbox-mailoutput] [Django development] Last Call: <draft-ietf-oauth-jwsreq-30.txt> (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)) to Proposed Standard
IETF Secretariat <ietf-secretariat-reply@ietf.org> Fri, 18 September 2020 15:38 UTC
The attached message would have been sent, but the tracker is in development mode. It was not sent to anybody.
--- Begin Message ---
The IESG has received a request from the Web Authorization Protocol WG (oauth) to consider the following document: - 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)' <draft-ietf-oauth-jwsreq-30.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2020-10-02. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents is not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks to the protocol have now been put forward.

This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. The request can be sent by value or by reference.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

No IPR declarations have been submitted directly on this I-D.
--- End Message ---
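An added illustration, not part of the announcement or of the draft, of the integrity and source-authentication property the abstract describes: the client places its authorization request parameters in a signed JWS request object sent by value in the `request` query parameter, and the authorization server verifies the signature and the `client_id` binding before trusting any parameter. The HS256 shared secret, the client identifier, the endpoint and the parameter values are constructed for the demo; production deployments normally use the client's registered asymmetric key.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed shared secret for this demo; deployments normally use the
# client's registered asymmetric key so the AS never holds signing material.
CLIENT_SECRET = b"demo-client-secret-not-for-production"
ALLOWED_ALGS = {"HS256"}          # explicit allow-list: "none" is never acceptable

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(params: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Client side: put the authorization request parameters into an HS256 JWS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(params, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def authorization_request_url(endpoint: str, client_id: str, request_object: str) -> str:
    """Client side, by value: the JWS travels in the 'request' query parameter."""
    return f"{endpoint}?{urlencode({'client_id': client_id, 'request': request_object})}"

def extract_request_object(authorization_url: str) -> str:
    """AS side: pull the request object out of the incoming authorization URL."""
    query = parse_qs(urlparse(authorization_url).query)
    if "request" not in query:
        raise ValueError("no request object in authorization request")
    return query["request"][0]

def verify_request_object(token: str, expected_client_id: str, secret: bytes = CLIENT_SECRET) -> dict:
    """AS side: return the parameters only if integrity and origin checks pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unacceptable alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time compare
        raise ValueError("signature invalid: parameters were altered in transit")
    params = json.loads(_b64url_decode(payload_b64))
    if params.get("client_id") != expected_client_id:   # object must belong to this client
        raise ValueError("client_id inside request object does not match the caller")
    return params
```

The by-reference variant (`request_uri`) would fetch the same JWS from a URL instead of reading it from the query string; the verification step is identical.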