Should that be encrypted for the intended audience (aud) of the JWT which may be the AS and/or the resource server?
Phil

> On Jul 18, 2014, at 21:52, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> Sorry for the slow response on this Kathleen, my day job has been keeping me busy recently. And, honestly, I was kind of hopeful someone would volunteer some text in the meantime. But that didn't happen so how about the following?
>
> A JWT may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it's desirable to prevent disclosure of certain information to the client, the JWT may be encrypted to the authorization server.
>
> Deployments should determine the minimum amount of information necessary to complete the exchange and include only such claims in the JWT. In some cases the "sub" (subject) claim can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>
>> On Thu, Jul 3, 2014 at 3:26 PM, Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> wrote:
>>
>> Hello,
>>
>> I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good. The only question/comment I have is that I don't see any mention of privacy considerations in the referenced security sections. Could you add something? It is easily addressed by section 10.8 of RFC6749, but there is no mention of privacy considerations. I'm sure folks could generate great stories about who accessing what causing privacy considerations to be important.
>>
>> Thanks & have a nice weekend!
>>
>> --
>> Best regards,
>> Kathleen
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth