Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List

2023-10-03 Thread Tobias Looker
As one of the authors of this draft I support adoption. Thanks, Tobias Looker MATTR +64 273 780 461 tobias.looker@mattr.global

[OAUTH-WG] IAB statement on the risks of attestation

2023-10-03 Thread Hannes Tschofenig
Here is an IAB statement relevant to the work we are doing on Client Attestation: https://www.iab.org/documents/correspondence-reports-documents/2023-2/iab-statement-on-the-risks-of-attestation-of-software-and-hardware-on-the-open-internet/ You might recall that I talked about attestation at th

Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List

2023-10-03 Thread Hannes Tschofenig
It's unfortunate that the spec does not cite previous work, which the authors are undoubtedly aware of; the same comment was made at the microphone at the last IETF. Orie is right that we have to take prior work into account. I am saying this in response to this call for adoption but it app

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread Watson Ladd
On Mon, Oct 2, 2023, 11:56 PM Denis wrote: > > Hi Justin, > > Your premise relies on a feature of JSON that does not exist. JSON does not > provide well-defined behavior for repeated names within an object: > > When the names within an object are not > unique, the behavior of software that receiv

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread Tom Jones
Attackers do not stick to the rules. It sounds to me like one of the security considerations for any standard that employs json, or any other structured data language, is to ensure that the input is validated to be compliant. I have been in the position of trying to enforce type checking on experie

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread Denis
Hi Watson, The word "semantics" is not present in RFC 8259. I looked for the word "unique" in RFC 8259. There are three occurrences of that word in clause 4. Objects, in particular: The names within an object SHOULD be unique There is indeed a "SHOULD", but not a "SHALL". If there w

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread David Waite
From JWT RFC 7519, section-4: The Claim Names within a JWT Claims Set MUST be unique; JWT parsers MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name, as specified in Section 15.12 ("The JSON Object") of ECM
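The two parser behaviours RFC 7519 permits, and the input-validation point raised earlier in the thread, are easier to see in code. The following is an added example, not code from the thread or from the Status List draft: it decodes a constructed JWT payload (not a real token) whose claims set repeats the "exp" member, once with a strict decoder that rejects the duplicate and once with Python's default decoder, which keeps the lexically last value. The helper names (`decode_claims_strict`, `decode_claims_last_wins`, `classify`) are this example's own.

```python
"""Duplicate claim names in a JWT Claims Set: reject, or take the lexically last.

RFC 7519 section 4 gives a JWT parser two acceptable behaviours; RFC 8259
only says member names SHOULD be unique. This example (added here, not from
the thread) shows both behaviours on a constructed payload. Two verifiers
that pick different rules for the same token will disagree on its claims.
"""
import base64
import json


class DuplicateClaimName(ValueError):
    """Raised when a JSON object in the claims set repeats a member name."""


def _reject_duplicates(pairs):
    """object_pairs_hook: build a dict but refuse repeated names.

    json.loads calls this hook for every object in the document, nested
    ones included, so the check covers the whole claims set.
    """
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateClaimName(f"duplicate member name {name!r}")
        obj[name] = value
    return obj


def decode_claims_strict(payload_json: str) -> dict:
    """Option 1 from RFC 7519: reject a claims set with duplicate names."""
    claims = json.loads(payload_json, object_pairs_hook=_reject_duplicates)
    if not isinstance(claims, dict):
        raise ValueError("JWT Claims Set must be a JSON object")
    return claims


def decode_claims_last_wins(payload_json: str) -> dict:
    """Option 2 from RFC 7519: keep only the lexically last duplicate.

    Python's json module already behaves this way (as ECMAScript's
    JSON.parse does), so the default decoder is enough here.
    """
    claims = json.loads(payload_json)
    if not isinstance(claims, dict):
        raise ValueError("JWT Claims Set must be a JSON object")
    return claims


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in JWS/JWT."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


# Constructed sample payload (not a real token): "exp" appears twice,
# an already-expired time first and a far-future time last.
SAMPLE_PAYLOAD_JSON = (
    '{"iss":"https://issuer.example","sub":"alice",'
    '"exp":1000000000,"exp":4102444800}'
)
SAMPLE_PAYLOAD_B64 = (
    base64.urlsafe_b64encode(SAMPLE_PAYLOAD_JSON.encode())
    .rstrip(b"=")
    .decode()
)


def classify(payload_b64: str) -> dict:
    """Run both acceptable behaviours on one encoded payload and report."""
    raw = b64url_decode(payload_b64).decode("utf-8")
    result = {"last_wins": decode_claims_last_wins(raw)}
    try:
        result["strict"] = decode_claims_strict(raw)
    except DuplicateClaimName as exc:
        result["strict"] = None
        result["strict_error"] = str(exc)
    return result


if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_PAYLOAD_B64), indent=2))
```

The strict decoder is the safer choice for a verifier: a token carrying duplicate names is malformed under RFC 7519 whatever JSON library produced it, and rejecting it removes the chance that a first-wins parser elsewhere in the chain reads a different "exp" than this one.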

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread Denis
Hi David, I am not referring to RFC 7519 (JWT) but to RFC 8259 (JSON). I-JSON (i.e. Internet-JSON) mandates the uniqueness of claim names in an object (as well as JWT). RFC 8259 does not mandate uniqueness. Denis From JWT RFC 7519, section-4: The Claim Names within a JWT Claims Set MUS

Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List

2023-10-03 Thread Vladimir Dzhuvinov
+1 for the adoption so we can explore this as a WG document +1 to Brian's comment to consider the application to tokens in general (unless the authors have plans for JWT / CWT specific features) Vladimir Dzhuvinov On 03/10/2023 00:10, Brian Campbell wrote: I support adoption. I do think the

Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List

2023-10-03 Thread John Bradley
+1 for adoption On Sat, Sep 30, 2023, 9:53 AM Rifaat Shekh-Yusef wrote: > All, > > This is an official call for adoption for the *JWT and CWT Status List* > draft: > https://datatracker.ietf.org/doc/draft-looker-oauth-jwt-cwt-status-list/ > > Please, reply *on the mailing list *and let us know i