As a co-author I also support adoption, of course. Thank you Brian for your comments.

The latest editor’s copy [0] already marks this draft as “obsoletes 8725”. As usual our goal was to add some really critical material to 8725 and call it a day. As usual people will want to add some more, and we’ll have to deal with it.

Yes we need a “Changes from 8725” section [1].

Thanks,
Yaron

[0] https://www.sheffer.org/draft-sheffer-oauth-rfc8725bis/draft-sheffer-oauth-rfc8725bis.html
[1] https://github.com/yaronf/draft-sheffer-oauth-rfc8725bis/issues/18

As I said during the meeting, I am supportive of doing this work but do hope the authors have appetite for what they might be signing up for. Aaron's review points to some of the work needed. The https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/ work should almost certainly be referred to. I believe the current text around compression in JWE is a bit overreaching and lacking in subtlety about when it's reasonable to use. I'm not terribly thrilled about the way explicit typing has worked in practice but I'm admittedly not sure how it could be improved at this point. I'm sure there's more once the box is opened.

It seems the draft is largely a rehash of RFC8725 with some additions and likely other updates. It should probably explicitly obsolete RFC8725 and indicate that it updates BCP 225 by replacing 8725. A more formal section that describes the changes from RFC8725 would also be nice and is AFAIK common practice in such a document. Similarly it'd be good etiquette to, in the acknowledgements, distinguish between contributors to the original document and those that have contributed to the updates. I know from some github interactions, for one example, that Filip Skokan has helped guide some of the updated text but he's not mentioned at present.

As also somewhat gratuitously mentioned at the meeting, a few years back I did a talk a few times on JWT vulnerabilities and tried to take a balanced look at many of the criticisms. I don't think there's anything novel or unknown in it, but I think it might provide some useful perspective. If anyone is interested in seeing that, or just helping drive the meager view count up, a recording of one instance of the talk is here: https://www.youtube.com/watch?v=IgKRGS6cQWw

All,
This is a call for adoption for the RFC8725bis draft that was discussed during the last IETF meeting in Madrid: https://datatracker.ietf.org/doc/draft-sheffer-oauth-rfc8725bis/
Remember that adoption does not mean a document is finished, only that it is an acceptable starting point.
Please, reply on the mailing list and let us know if you are in favor or against adopting this draft as WG document, by August 22nd.
Regards,
Rifaat & Hannes

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]