[OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-02-25 Thread Benjamin Kaduk via Datatracker
Benjamin Kaduk has entered the following ballot position for draft-ietf-oauth-jwt-introspection-response-08: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Ple

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-02-28 Thread Torsten Lodderstedt
Hi Ben, > On 25. Feb 2020, at 23:52, Benjamin Kaduk via Datatracker > wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-oauth-jwt-introspection-response-08: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses i

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-01 Thread Benjamin Kaduk
On Fri, Feb 28, 2020 at 03:44:05PM +0100, Torsten Lodderstedt wrote: > Hi Ben, > > > On 25. Feb 2020, at 23:52, Benjamin Kaduk via Datatracker > > wrote: > > > > Benjamin Kaduk has entered the following ballot position for > > draft-ietf-oauth-jwt-introspection-response-08: Discuss > > > > Wh

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-02 Thread Torsten Lodderstedt
Hi Ben, >> >>> >>> I don't think the new semantics for "jti" in the introspection response >>> are compatible with the RFC 7519 definition. Specifically, we say that >>> "jti" will be tied to the input access token, but 7519 says that "jti" >>> has to change when the contents of the JWT change

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-02 Thread Takahiko Kawasaki
Hi Torsten, draft-ietf-oauth-jwt-introspection-response-08 says as follows. *The "jti" claim is a unique identifier for the access token passed in the introspection request. This identifier MUST be stable for all introspection calls for a given access token.* This requirement expects that the

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-02 Thread Torsten Lodderstedt
> On 02.03.2020 at 17:52, Takahiko Kawasaki wrote: > > The requirement for "jti" described > in draft-ietf-oauth-jwt-introspection-response-08 is problematic. I think having different jti values for different requests is a security risk.

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-02 Thread Takahiko Kawasaki
Do you mean different requests should have the same jti value for better security? It is not good that RFC 7662 has chosen "jti" as a property to hold the identifier for an access/refresh token although the format of introspection responses is not JWT but just JSON. If the name were, for instance,

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-15 Thread Benjamin Kaduk
Hi Torsten, Sorry for the delayed response; it seems this got buried beneath some other things. Thanks to everyone else for contributing, and I think there's just one point left that needs a response (inline)... On Mon, Mar 02, 2020 at 03:19:11PM +0100, Torsten Lodderstedt wrote: > Hi Ben, > >