Re: [secdir] Secdir last call review of draft-ietf-oauth-access-token-jwt-11

[Benjamin Kaduk <kaduk@mit.edu>]

Thanks for the review, Joe, and thanks Vittorio for the responses.

With respect to (3), I did find one spot that seems to implicitly require
bearer-token usage (we reference RFC 6750's error handling) that I
mentioned in my No Objection ballot.

-Ben

On Sun, Feb 07, 2021 at 10:48:19AM -0800, Joseph Salowey via Datatracker wrote:
> Reviewer: Joseph Salowey
> Review result: Has Issues
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> The summary of the review is the document has issues.
> 
> 1.  (Editorial) What is the relationship between this document and RFC 7523. 
> They are using JWT for different purposes, but I think it would be useful to
> clarify this in the introduction.
> 
> 2.  (Issue) The specification does not specify any mandatory to implement for
> the recommended asymmetric algorithms.  This will not help interop.  Perhaps
> specify one or both of  "RS256" and "ES256".
> 
> 3. (Question) Is it currently possible to use the JWT access token in a mode
> other than a bearer token?  For example is there a way to bind the JWT to a
> verifiable key or identifier.  If there is, there should be some discussion of
> this in the security considerations.  If not, do the authors know if there is
> any work planned in this area?
> 
> 4. Genart review pointed out a nit that should be fixed.
> 
> 
>