While a JWT might generically have many different audiences like resource servers, this profile is about sending it to the token endpoint at an AS for authentication or authorization.
I think adding something about the RS will confuse people.

I think Brian's text is fine.

John B.

On Jul 18, 2014, at 11:45 PM, Phil Hunt <phil.h...@oracle.com> wrote:

> Should that be encrypted for the intended audience (aud) of the JWT which may
> be the AS and/or the resource server?
>
> Phil
>
> On Jul 18, 2014, at 21:52, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
>> Sorry for the slow response on this Kathleen, my day job has been keeping me
>> busy recently. And, honestly, I was kind of hopeful someone would volunteer
>> some text in the meantime. But that didn't happen so how about the following?
>>
>> A JWT may contain privacy-sensitive information and, to prevent disclosure
>> of such information to unintended parties, should only be transmitted over
>> encrypted channels, such as TLS. In cases where it's desirable to prevent
>> disclosure of certain information to the client, the JWT may be encrypted to
>> the authorization server.
>>
>> Deployments should determine the minimum amount of information necessary to
>> complete the exchange and include only such claims in the JWT. In some cases
>> the "sub" (subject) claim can be a value representing an anonymous or
>> pseudonymous user as described in Section 6.3.1 of the Assertion Framework
>> for OAuth 2.0 Client Authentication and Authorization Grants
>> [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>>
>>
>> On Thu, Jul 3, 2014 at 3:26 PM, Kathleen Moriarty
>> <kathleen.moriarty.i...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good. The
>>> only question/comment I have is that I don't see any mention of privacy
>>> considerations in the referenced security sections. Could you add
>>> something? It is easily addressed by section 10.8 of RFC6749, but there is
>>> no mention of privacy considerations. I'm sure folks could generate great
>>> stories about who is accessing what causing privacy considerations to be
>>> important.
>>>
>>> Thanks & have a nice weekend!
>>>
>>> --
>>>
>>> Best regards,
>>> Kathleen
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth