Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2018-03-22 Thread Brian Campbell
Yeah, I think that works. Thanks.

On Thu, Mar 22, 2018 at 2:16 PM, Mike Jones 
wrote:

> I propose that the following text be added to address your comment,
> Brian.  Does this text work for you?
>
>
>
> When applying explicit typing to a Nested JWT, the "typ" header parameter
> containing the explicit type value MUST be present in the inner JWT of the
> Nested JWT (the JWT whose payload is the JWT Claims Set).  The same "typ"
> header parameter value MAY be present in the outer JWT as well, to
> explicitly type the entire Nested JWT.
>
>
>
>-- Mike
>
>
>
> *From:* Brian Campbell 
> *Sent:* Monday, July 17, 2017 10:53 AM
> *To:* Phil Hunt (IDM) 
> *Cc:* Mike Jones ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] JSON Web Token Best Current Practices draft
> describing Explicit Typing
>
>
>
> Could some more guidance be provided around how to use the explicit typing
> with nested JWTs?
>
> I'd imagine that the "typ" header should be in the header of the JWT that
> is integrity protected by the issuer?
>
>
>
> On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) 
> wrote:
>
> +1
>
>
>
> Thanks Mike.
>
> Phil
>
>
> On Jul 4, 2017, at 12:43 PM, Mike Jones 
> wrote:
>
> The JWT BCP draft has been updated to describe the use of explicit typing
> of JWTs as one of the ways to prevent confusion among different kinds of
> JWTs.  This is accomplished by including an explicit type for the JWT in
> the “typ” header parameter.  For instance, the Security Event Token (SET)
> specification <http://self-issued.info/?p=1709> now uses the “
> application/secevent+jwt” content type to explicitly type SETs.
>
>
>
> The specification is available at:
>
>- https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
>
>
>
> An HTML-formatted version is also available at:
>
>- http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
>
>
>
>-- Mike
>
>
>
> P.S.  This notice was also posted at http://self-issued.info/?p=1714 and
> as @selfissued <https://twitter.com/selfissued>.
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>



Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2018-03-22 Thread Mike Jones
I propose that the following text be added to address your comment, Brian.  
Does this text work for you?

When applying explicit typing to a Nested JWT, the "typ" header parameter 
containing the explicit type value MUST be present in the inner JWT of the 
Nested JWT (the JWT whose payload is the JWT Claims Set).  The same "typ" 
header parameter value MAY be present in the outer JWT as well, to explicitly 
type the entire Nested JWT.

   -- Mike

From: Brian Campbell 
Sent: Monday, July 17, 2017 10:53 AM
To: Phil Hunt (IDM) 
Cc: Mike Jones ; oauth@ietf.org
Subject: Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing 
Explicit Typing

Could some more guidance be provided around how to use the explicit typing with 
nested JWTs?
I'd imagine that the "typ" header should be in the header of the JWT that is 
integrity protected by the issuer?

On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) 
<phil.h...@oracle.com> wrote:
+1

Thanks Mike.

Phil

On Jul 4, 2017, at 12:43 PM, Mike Jones 
<michael.jo...@microsoft.com> wrote:
The JWT BCP draft has been updated to describe the use of explicit typing of 
JWTs as one of the ways to prevent confusion among different kinds of JWTs.  
This is accomplished by including an explicit type for the JWT in the “typ” 
header parameter.  For instance, the Security Event Token (SET) 
specification <http://self-issued.info/?p=1709> now uses the 
“application/secevent+jwt” content type to explicitly type SETs.

The specification is available at:

  *   https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01

An HTML-formatted version is also available at:

  *   http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1714 and as 
@selfissued <https://twitter.com/selfissued>.


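The rule Mike proposes above (the inner JWT MUST carry the explicit "typ", the outer MAY) turned into a runnable verifier, as an added example that is not code from this thread or from the BCP draft: a stdlib-only HS256 JWS verifier that refuses a token whose explicit type is absent or does not match the one the receiver expects, and that descends through a Nested JWT (modelled here as JWS-in-JWS) to check the inner header. The key, the pinned algorithm and the tolerance of a generic "JWT" type on the outer layer are assumptions of this example.

```python
# Added example, not the thread's or the BCP's code. Stdlib-only HS256 JWS with a
# constructed key; a Nested JWT is modelled as a JWS whose payload is another JWS.
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-a-real-secret"  # constructed, not a real secret
ALG = "HS256"  # the only algorithm this verifier accepts; "alg" is never trusted blindly

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jws(header: dict, payload: bytes, key: bytes = KEY) -> str:
    """Sign a payload (a Claims Set, or another JWT for nesting) with HS256."""
    h = _b64url(json.dumps({"alg": ALG, **header}).encode())
    p = _b64url(payload)
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"

def normalize_typ(value: str) -> str:
    """RFC 7515 s4.1.9: 'application/' may be omitted; media types compare case-insensitively."""
    value = value.strip().lower()
    return value if "/" in value else "application/" + value

def verify_typed_jwt(token: str, expected_typ: str, key: bytes = KEY) -> dict:
    """Verify every layer's signature and enforce the explicit type; return the Claims Set."""
    want = normalize_typ(expected_typ)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_unb64url(h_b64))
    if header.get("alg") != ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    mac = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(s_b64)):
        raise ValueError("bad signature")
    payload = _unb64url(p_b64)
    if header.get("cty", "").lower() == "jwt":
        # Outer JWT of a Nested JWT: "typ" MAY be present; if it is, it must agree.
        # Tolerating the generic "JWT" type here is an assumption of this example.
        outer = header.get("typ")
        if outer and normalize_typ(outer) not in (want, "application/jwt"):
            raise ValueError(f"outer typ {outer!r} does not match {expected_typ!r}")
        return verify_typed_jwt(payload.decode("ascii"), expected_typ, key)
    # Inner JWT (its payload is the Claims Set): "typ" MUST be present and must match.
    if "typ" not in header:
        raise ValueError("missing explicit typ on inner JWT")
    if normalize_typ(header["typ"]) != want:
        raise ValueError(f"wrong typ {header['typ']!r}, expected {expected_typ!r}")
    return json.loads(payload)

def rejection_reason(token: str, expected_typ: str) -> str:
    """Empty string when the token is accepted, else the reason it was refused."""
    try:
        verify_typed_jwt(token, expected_typ)
        return ""
    except ValueError as err:
        return str(err)
```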


Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2017-11-14 Thread Brian Campbell
Resurrecting the thread that had a request for more guidance around how to
use the explicit typing with nested JWTs. As discussed/requested during the
WG meeting.

On Mon, Jul 17, 2017 at 5:55 PM, Mike Jones 
wrote:

> Good point.  I’d had that thought as well at one point but failed to
> express it in the draft.  Will do.
>
>
>
>-- Mike
>
>
>
> *From:* Brian Campbell [mailto:bcampb...@pingidentity.com]
> *Sent:* Monday, July 17, 2017 11:53 AM
> *To:* Phil Hunt (IDM) 
> *Cc:* Mike Jones ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] JSON Web Token Best Current Practices draft
> describing Explicit Typing
>
>
>
> Could some more guidance be provided around how to use the explicit typing
> with nested JWTs?
>
> I'd imagine that the "typ" header should be in the header of the JWT that
> is integrity protected by the issuer?
>
>
>
> On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) 
> wrote:
>
> +1
>
>
>
> Thanks Mike.
>
> Phil
>
>
> On Jul 4, 2017, at 12:43 PM, Mike Jones 
> wrote:
>
> The JWT BCP draft has been updated to describe the use of explicit typing
> of JWTs as one of the ways to prevent confusion among different kinds of
> JWTs.  This is accomplished by including an explicit type for the JWT in
> the “typ” header parameter.  For instance, the Security Event Token (SET)
> specification <http://self-issued.info/?p=1709> now uses the “
> application/secevent+jwt” content type to explicitly type SETs.
>
>
>
> The specification is available at:
>
>- https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
>
>
>
> An HTML-formatted version is also available at:
>
>- http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
>
>
>
>-- Mike
>
>
>
> P.S.  This notice was also posted at http://self-issued.info/?p=1714 and
> as @selfissued <https://twitter.com/selfissued>.
>
>
>
>
>


Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2017-07-19 Thread Dick Hardt
Thanks for the feedback Justin. Do you have any specific wording?

On Tue, Jul 18, 2017 at 6:34 PM Justin Richer  wrote:

> Mike et al,
>
> Overall, this document has some really great advice for people who have
> chosen to use JWT in various situations. It’s a needed draft and I’d like
> to see it go forward. I have some suggestions on how it can be improved.
>
> In this draft, I’d like to see some more discussion about privacy and
> security issues around choosing JWTs to begin with. Namely, putting things
> like subject identifiers and scope/permission information into the JWT
> structure could potentially leak information about the end user to the
> client, if the JWT isn’t encrypted, and to multiple RS’s, if the JWT is
> encrypted with a shared key. It basically amounts to “anyone who can read
> the JWT can see what’s in it”, which on the one hand is obvious, but on the
> other hand it’s not always considered by implementers. Since the audience
> of an access token JWT is the RS and not the client, and the token is
> opaque to the client, it’s easy to assume that the client *won’t* read the
> token. However, that doesn’t mean that it *can’t* read the token. It’s a
> tradeoff in design space with other solutions.
>
> I’d also like to see a discussion on expiration and revocation of
> self-contained JWT access tokens. Again, this is targeting the decision
> space of whether or not a self-contained token is an appropriate solution
> in the first place. If I’m issuing JWTs that are completely self-contained,
> I can’t revoke them once they’re on the wire. Yes, that’s an acceptable
> risk to many and that’s fine — but I would like this document to encourage
> that thought and discussion.
>
> Thanks,
>  — Justin
>
> On Jul 4, 2017, at 3:43 PM, Mike Jones 
> wrote:
>
> The JWT BCP draft has been updated to describe the use of explicit typing
> of JWTs as one of the ways to prevent confusion among different kinds of
> JWTs.  This is accomplished by including an explicit type for the JWT in
> the “typ” header parameter.  For instance, the Security Event Token (SET)
> specification now uses the “
> application/secevent+jwt” content type to explicitly type SETs.
>
> The specification is available at:
>
>- https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
>
>
> An HTML-formatted version is also available at:
>
>- http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
>
>
>-- Mike
>
> P.S.  This notice was also posted at http://self-issued.info/?p=1714 and
> as @selfissued.
>
-- 
Subscribe to the HARDTWARE  mail list to learn about
projects I am working on!


Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2017-07-18 Thread Justin Richer
Mike et al,

Overall, this document has some really great advice for people who have chosen 
to use JWT in various situations. It’s a needed draft and I’d like to see it go 
forward. I have some suggestions on how it can be improved.

In this draft, I’d like to see some more discussion about privacy and security 
issues around choosing JWTs to begin with. Namely, putting things like subject 
identifiers and scope/permission information into the JWT structure could 
potentially leak information about the end user to the client, if the JWT isn’t 
encrypted, and to multiple RS’s, if the JWT is encrypted with a shared key. It 
basically amounts to “anyone who can read the JWT can see what’s in it”, which 
on the one hand is obvious, but on the other hand it’s not always considered by 
implementers. Since the audience of an access token JWT is the RS and not the 
client, and the token is opaque to the client, it’s easy to assume that the 
client *won’t* read the token. However, that doesn’t mean that it *can’t* read 
the token. It’s a tradeoff in design space with other solutions.

I’d also like to see a discussion on expiration and revocation of 
self-contained JWT access tokens. Again, this is targeting the decision space 
of whether or not a self-contained token is an appropriate solution in the 
first place. If I’m issuing JWTs that are completely self-contained, I can’t 
revoke them once they’re on the wire. Yes, that’s an acceptable risk to many 
and that’s fine — but I would like this document to encourage that thought and 
discussion. 

Thanks,
 — Justin

> On Jul 4, 2017, at 3:43 PM, Mike Jones  wrote:
> 
> The JWT BCP draft has been updated to describe the use of explicit typing of 
> JWTs as one of the ways to prevent confusion among different kinds of JWTs.  
> This is accomplished by including an explicit type for the JWT in the “typ” 
> header parameter.  For instance, the Security Event Token (SET) specification 
> now uses the “application/secevent+jwt” 
> content type to explicitly type SETs.
>  
> The specification is available at:
> https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01 
> 
>  
> An HTML-formatted version is also available at:
> http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html 
> 
>  
>-- Mike
>  
> P.S.  This notice was also posted at http://self-issued.info/?p=1714 and as @selfissued.


Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2017-07-17 Thread Mike Jones
Good point.  I’d had that thought as well at one point but failed to express it 
in the draft.  Will do.

   -- Mike

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Monday, July 17, 2017 11:53 AM
To: Phil Hunt (IDM) 
Cc: Mike Jones ; oauth@ietf.org
Subject: Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing 
Explicit Typing

Could some more guidance be provided around how to use the explicit typing with 
nested JWTs?
I'd imagine that the "typ" header should be in the header of the JWT that is 
integrity protected by the issuer?

On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) 
<phil.h...@oracle.com> wrote:
+1

Thanks Mike.

Phil

On Jul 4, 2017, at 12:43 PM, Mike Jones 
<michael.jo...@microsoft.com> wrote:
The JWT BCP draft has been updated to describe the use of explicit typing of 
JWTs as one of the ways to prevent confusion among different kinds of JWTs.  
This is accomplished by including an explicit type for the JWT in the “typ” 
header parameter.  For instance, the Security Event Token (SET) 
specification <http://self-issued.info/?p=1709> now uses the 
“application/secevent+jwt” content type to explicitly type SETs.

The specification is available at:

  *   https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01

An HTML-formatted version is also available at:

  *   http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1714 and as 
@selfissued <https://twitter.com/selfissued>.




Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2017-07-17 Thread Brian Campbell
Could some more guidance be provided around how to use the explicit typing
with nested JWTs?

I'd imagine that the "typ" header should be in the header of the JWT that
is integrity protected by the issuer?

On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) 
wrote:

> +1
>
> Thanks Mike.
>
> Phil
>
> On Jul 4, 2017, at 12:43 PM, Mike Jones 
> wrote:
>
> The JWT BCP draft has been updated to describe the use of explicit typing
> of JWTs as one of the ways to prevent confusion among different kinds of
> JWTs.  This is accomplished by including an explicit type for the JWT in
> the “typ” header parameter.  For instance, the Security Event Token (SET)
> specification now uses the “
> application/secevent+jwt” content type to explicitly type SETs.
>
>
>
> The specification is available at:
>
>- https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
>
>
>
> An HTML-formatted version is also available at:
>
>- http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
>
>
>
>-- Mike
>
>
>
> P.S.  This notice was also posted at http://self-issued.info/?p=1714 and
> as @selfissued.
>
>
>



Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2017-07-04 Thread Phil Hunt (IDM)
+1

Thanks Mike. 

Phil

> On Jul 4, 2017, at 12:43 PM, Mike Jones  wrote:
> 
> The JWT BCP draft has been updated to describe the use of explicit typing of 
> JWTs as one of the ways to prevent confusion among different kinds of JWTs.  
> This is accomplished by including an explicit type for the JWT in the “typ” 
> header parameter.  For instance, the Security Event Token (SET) specification 
> now uses the “application/secevent+jwt” content type to explicitly type SETs.
>  
> The specification is available at:
> https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
>  
> An HTML-formatted version is also available at:
> http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
>  
>-- Mike
>  
> P.S.  This notice was also posted at http://self-issued.info/?p=1714 and as 
> @selfissued.


[OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

2017-07-04 Thread Mike Jones
The JWT BCP draft has been updated to describe the use of explicit typing of 
JWTs as one of the ways to prevent confusion among different kinds of JWTs.  
This is accomplished by including an explicit type for the JWT in the "typ" 
header parameter.  For instance, the Security Event Token (SET) 
specification now uses the 
"application/secevent+jwt" content type to explicitly type SETs.

The specification is available at:

  *   https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01

An HTML-formatted version is also available at:

  *   http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1714 and as 
@selfissued.