I agree that mentioning the RS in this context is only likely to cause confusion.
This draft is only about sending a JWT to the token endpoint at an AS as an authorization grant or as client authentication.

On Sat, Jul 19, 2014 at 6:37 AM, John Bradley <ve7...@ve7jtb.com> wrote:

> While a JWT might generically have many different audiences like resource servers, this profile is about sending it to the token endpoint at an AS for authentication or authorization.
>
> I think adding something about the RS will confuse people.
>
> I think Brian's text is fine.
>
> John B.
>
> On Jul 18, 2014, at 11:45 PM, Phil Hunt <phil.h...@oracle.com> wrote:
>
> Should that be encrypted for the intended audience (aud) of the JWT, which may be the AS and/or the resource server?
>
> Phil
>
> On Jul 18, 2014, at 21:52, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> Sorry for the slow response on this Kathleen, my day job has been keeping me busy recently. And, honestly, I was kind of hopeful someone would volunteer some text in the meantime. But that didn't happen, so how about the following?
>
> A JWT may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it's desirable to prevent disclosure of certain information to the client, the JWT may be encrypted to the authorization server.
>
> Deployments should determine the minimum amount of information necessary to complete the exchange and include only such claims in the JWT. In some cases the "sub" (subject) claim can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>
> On Thu, Jul 3, 2014 at 3:26 PM, Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> wrote:
>
>> Hello,
>>
>> I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good. The only question/comment I have is that I don't see any mention of privacy considerations in the referenced security sections. Could you add something? It is easily addressed by section 10.8 of RFC6749, but there is no mention of privacy considerations. I'm sure folks could generate great stories about who accessing what causing privacy considerations to be important.
>>
>> Thanks & have a nice weekend!
>>
>> --
>>
>> Best regards,
>> Kathleen
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
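The privacy text proposed in the thread boils down to three practices for a JWT bearer assertion: carry only the claims the token endpoint needs, audience-restrict the JWT to that token endpoint, and where the subject identity is sensitive use a pseudonymous "sub". The following is an added example written for this page, not code from the draft or from any of the participants. It assumes an HMAC shared secret (HS256) between issuer and AS purely for brevity (the draft also permits asymmetric signatures), a constructed pairwise secret for deriving the pseudonymous subject, and placeholder issuer/token-endpoint URLs. Encrypting the assertion to the AS (a JWE around this JWS) is not shown, since it needs a crypto library beyond the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# grant_type value defined by the JWT bearer profile
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pseudonymous_subject(user_id: str, pairwise_secret: bytes) -> str:
    """Derive a stable but non-reversible 'sub' for one AS from the real user id.

    The issuer keeps pairwise_secret (constructed here); the AS only ever sees
    the HMAC output, so the assertion does not reveal the underlying identity.
    """
    mac = hmac.new(pairwise_secret, user_id.encode("utf-8"), hashlib.sha256)
    return b64url(mac.digest())


def build_assertion(issuer, subject, token_endpoint, signing_key, now=None, lifetime=300):
    """Issuer side: minimal claim set (iss, sub, aud, iat, exp), audience = token endpoint."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}  # assumed shared-secret algorithm
    claims = {"iss": issuer, "sub": subject, "aud": token_endpoint,
              "iat": now, "exp": now + lifetime}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def token_request_body(assertion: str) -> str:
    """Form body the client POSTs to the token endpoint (over TLS)."""
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})


def verify_assertion(assertion, token_endpoint, signing_key, now=None):
    """AS side: structure, algorithm, MAC, audience and expiry checks. Returns claims or None."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # reject "none" and any algorithm not agreed on
        return None
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(signing_key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("aud") != token_endpoint:  # must be addressed to this token endpoint
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    # constructed sample values
    signing_key = b"constructed-shared-secret"
    pairwise_secret = b"constructed-pairwise-secret"
    sub = pseudonymous_subject("alice@example.com", pairwise_secret)
    jwt = build_assertion("https://idp.example", sub, "https://as.example/token", signing_key)
    print(token_request_body(jwt))
    print(verify_assertion(jwt, "https://as.example/token", signing_key))
```

The verifier deliberately checks `aud` against its own token endpoint and rejects any algorithm other than the one agreed on, so an assertion minted for another AS, or one with a stripped signature, is refused before any claim is trusted.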