[OAUTH-WG] jwk as member for both asymmetric and symmetric in proof-of-possession-02

2015-03-22 Thread Brian Campbell
Is there some reason that the "cnf" claim uses a member named "jwk" for both the asymmetric case where its value is a JWK with a public key and the symmetric case where its value is the JWE encrypted oct JWK (sections 3.1

[OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?

2015-03-22 Thread Brian Campbell
When the JWT is itself encrypted as a JWE, would it not be reasonable to have a symmetric key be represented in the cnf claim with the jwk member as an unencrypted JSON Web Key? Is such a possibility left as an exercise to the reader? Or should it be more explicitly allowed or disallowed?

[OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-22 Thread Brian Campbell
Do folks in the WG think there'd be utility in having a way to identify the finger/thumbprint of a key in the cnf claim. A presenter might, for example, present the JWT along with a public JWK and some proof-of-possession of that JWK. And the JWK would be bound to the JWT via the thumbprint, which

Re: [OAUTH-WG] Standard URL parameter for mitigating RFC6819's threat 4.6.4?

2015-03-22 Thread Nat Sakimura
Sorry to come in so late, and I admit that I have just skimmed the thread, but if the concern was the client C, presenting a legitimate AT (ATr), which was issued for the client to access a resource R, to an attacker's resource S, that can be used for S to access R, then would not having the

[OAUTH-WG] minor issue with scope and RFC 6749 ABNF in sasl-oauth

2015-03-22 Thread Benjamin Kaduk
Hi all, During the shepherd review for draft-ietf-kitten-sasl-oauth-19, I noticed an old comment from Matt back in December 2013, in http://www.ietf.org/mail-archive/web/kitten/current/msg04488.html . The relevant point here is that sending a scope of "" (the empty string) during the authorizatio

[OAUTH-WG] I-D Action: draft-ietf-oauth-introspection-06.txt

2015-03-22 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : OAuth 2.0 Token Introspection Author : Justin Richer Filename: draft-

[OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-management-10.txt

2015-03-22 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : OAuth 2.0 Dynamic Client Registration Management Protocol Authors : Justin Richer

[OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-25.txt

2015-03-22 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : OAuth 2.0 Dynamic Client Registration Protocol Authors : Justin Richer

Re: [OAUTH-WG] 2119 abuse at the end of section 3 proof-of-possession-02

2015-03-22 Thread Nat Sakimura
+1 2015-03-23 10:54 GMT+09:00 Brian Campbell : > At the end of section 3 > > it says, 'At least one of the "sub" and "iss" claims MUST be present in the > JWT, and in some use cases, both MUST be present.' > > Admitte

[OAUTH-WG] refs and links in proof-of-possession-02 section 3.2

2015-03-22 Thread Brian Campbell
In §3.2. Proof-of-Possession of a Symmetric Key it has "The rules for encrypting a JWK are found in Section 6 of the JSON Web Key [JWK] specification.", which has two issues. 1) the Section 6 link is to the same docu

[OAUTH-WG] 2119 abuse at the end of section 3 proof-of-possession-02

2015-03-22 Thread Brian Campbell
At the end of section 3 it says, 'At least one of the "sub" and "iss" claims MUST be present in the JWT, and in some use cases, both MUST be present.' Admittedly I've misused RFC 2119 keywords a few times myself, so I

[OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

2015-03-22 Thread Brian Campbell
My brain hurt trying to parse the first sentence/paragraph from section 3 : "The presenter of a JWT declares that it possesses a particular key and that the recipient can cryptographically confirm proof-of- po

[OAUTH-WG] similar to a certificate? intro of proof-of-possession-02

2015-03-22 Thread Brian Campbell
It says, "The asymmetric key mechanism described above is conceptually similar to a certificate." near the end of https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-1 That kinda jumped out at me. I mean, I kinda see the point but it also seems like a pretty broad statement

[OAUTH-WG] AS in introduction of proof-of-possession-02

2015-03-22 Thread Brian Campbell
The introduction talks about an OAuth 2.0 authorization server as the JWT issuer, however, the term authorization server doesn’t appear anywhere else in the draft. Proof-of-possession semantics for JWT certainly can be

[OAUTH-WG] Lunch (pre-)Meeting Monday

2015-03-22 Thread Derek Atkins
Hi, Hannes and I would like to have a lunch meeting before the OAUTH meeting to chat about various ongoing WG activities. If you're available and interested meet us at IETF Registration at 11:30 and we'll find a place. I expect we'll leave by 11:35 so please be prompt. -derek and hannes --

[OAUTH-WG] Request for slides for WG meeting

2015-03-22 Thread Derek Atkins
Hi, Can all speakers please send us your slides for the OAuth meeting. I'd prefer to receive them in PDF format. Please send them ASAP (and before lunch tomorrow). Thanks, -derek -- Derek Atkins 617-623-3745 de...@ihtfp.com www.ihtfp.com Comput