As a follow-up to my prior follow-up, Kristina's PR
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/575 has
prospective changes aimed at addressing some of your comments and plans to
add a few more such changes.

On Thu, May 22, 2025 at 8:51 AM Brian Campbell <[email protected]>
wrote:

> a follow up on just one item is
>
> On Tue, May 20, 2025 at 4:20 PM Brian Campbell <[email protected]>
> wrote:
>
>> ** Section 7.1
>>>    *  the Issuer-signed JWT is valid, i.e., it is signed by the Issuer,
>>>       the signature is valid, it is not expired, it is not suspended or
>>>       revoked, etc., and
>>>
>>> Where are the validation procedures specified?  Is that Section 7.2 of
>>> RFC7519?
>>>  I’m concerned by the “etc”.
>>>
>>
>> It's a fair concern! The two bullets at the beginning of 7.1 aren't meant
>> to be comprehensive, however, rather just giving a general idea of what
>> needs to happen. The full set of verification steps follows in the numbered
>> list.
>>
>
> Kristina, in this PR
> https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/575/files,
> suggests simply changing that bullet in 7.1 to "the Issuer-signed JWT is
> valid, and" which seems like it'd be a reasonable outcome there as well.
> Maybe better than reasonable.
>
>
>
>
