P.S. There's a summary of the changes relative to RFC 8725 at https://www.ietf.org/archive/id/draft-ietf-oauth-rfc8725bis-02.html#name-changes-from-rfc-8725. That should help reviewers identify the changed text.
From: Michael Jones <[email protected]>
Sent: Friday, November 7, 2025 6:38 PM
To: [email protected]
Subject: [OAUTH-WG] Next steps for draft-ietf-oauth-rfc8725bis

Hi all,

Those of you who were in the working group meeting today know that we ran out of time to discuss https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc8725bis/. The very short deck that I would have presented is at https://datatracker.ietf.org/meeting/124/materials/slides-124-oauth-json-web-token-best-current-practices-00.

Per my extemporaneous verbal description of the status today, I believe we've described in the draft all the new JWT implementation errors that have come to light since RFC 8725 was published in 2020 and mitigations for them. On that basis, I was asking for additional reviews and then potential working group last call.

At the end of our time, Brian Campbell called our attention to his comments in Madrid about how we've taken on a big job. These comments are minuted at https://datatracker.ietf.org/meeting/123/materials/minutes-123-oauth-202507251230-00. Search for "I hope you're prepared for what you're getting into" to find them.

From the minutes, it seemed that Brian raised three points:

1. Coordinate with https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/
2. Coordinate with https://datatracker.ietf.org/doc/draft-ietf-jose-hpke-encrypt/
3. The current RFC 8725 text on "zip" is causing interoperability problems

I understand the intent of the first two, but I'll point out that neither of these drafts has gone through a successful working group last call. There's precedent in OAuth for not holding up publishing a BCP because other developments may update the BCP later. In particular, we decided not to hold the OAuth Security BCP [RFC 9700] until we'd addressed already known vulnerabilities, including the one being addressed in rfc7523bis.

Our logic was that it is better to publish the BCP in a timely fashion to get a set of useful information out to people, and that the BCP will be updated when the mitigations for additional vulnerabilities are settled. As an individual, I'll say that I think that precedent should also apply here.

As for "zip", I would invite an issue at https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis or on the mailing list with a specific text change proposal. Then the working group can consider it.

Thanks to those who agreed to review the draft!

Best wishes,
-- Mike
