Thanks James! If those scenarios were an explicit target, then omitting the sub would indeed eliminate any chance of misinterpreting. However, those remain fairly theoretical, and would already be pretty problematic in themselves given the need to get a new token per call in order to prevent jti-based correlation. I don't think it's worth introducing in the spec the possibility to omit the sub, and risk not having it when it's useful if it's omitted by mistake in a mainstream scenario, to prevent a possible misinterpretation in a less common scenario. If you feel very strongly about this, we can complement the warning in the privacy considerations in draft-06 to highlight this scenario, but honestly that seems overkill to me :)

Thanks
V.
From: "Manger, James" <james.h.man...@team.telstra.com>
Date: Wednesday, April 15, 2020 at 00:37
To: Vittorio Bertocci <vittorio.berto...@auth0.com>, George Fletcher <gffle...@aol.com>, Denis <denis.i...@free.fr>, "oauth@ietf.org" <oauth@ietf.org>
Subject: RE: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

> the AS could issue the 'sub' value as "urn:anonymous:<large random number>"
> and create a new value with every token that is issued

But in those cases it would be better to omit "sub", instead of sending a per-token value (we have "jti" as a per-token id). That at least avoids other parties misinterpreting these unusual "sub"s as long-term ids (and, for example, creating persistent user entries for each one).

--
James Manger
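The failure mode James describes, a resource server mistaking per-token "sub" values for long-term identities, is illustrated below with an added example that is not part of the thread or of any draft text. It assumes the hypothetical "urn:anonymous:<random>" pattern quoted above as the marker for an ephemeral subject, and that JWT signature validation has already happened before the claims reach this code.

```python
# Added illustration (not from the thread): keep persistent user records only
# for stable subjects, use "jti" solely for per-token replay detection, and
# treat the hypothetical "urn:anonymous:<random>" subs as ephemeral.
import base64
import json

ANONYMOUS_PREFIX = "urn:anonymous:"   # hypothetical per-token subject pattern


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline use only."""
    return f"{_b64url({'alg': 'none', 'typ': 'at+jwt'})}.{_b64url(claims)}."


def decode_payload(jwt: str) -> dict:
    """Return the claims of a compact JWT; signature checking is assumed upstream."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def classify_subject(claims: dict) -> str:
    """'absent' if there is no sub, 'ephemeral' for per-token subs, else 'stable'."""
    sub = claims.get("sub")
    if sub is None:
        return "absent"
    if sub.startswith(ANONYMOUS_PREFIX):
        return "ephemeral"
    return "stable"


class ResourceServer:
    def __init__(self):
        self.users = {}        # persistent user entries, keyed by stable sub only
        self.seen_jti = set()  # per-token ids, used for replay detection only

    def accept(self, claims: dict) -> str:
        jti = claims.get("jti")
        if jti is None or jti in self.seen_jti:
            return "rejected"                  # missing token id or replayed token
        self.seen_jti.add(jti)
        kind = classify_subject(claims)
        if kind == "stable":
            # Only a stable subject may create or update a persistent record.
            self.users.setdefault(claims["sub"], {"tokens": 0})["tokens"] += 1
        return kind
```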
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth