Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-15 Thread Benjamin Kaduk
Hi Torsten, Sorry for the delayed response; it seems this got buried beneath some other things. Thanks to everyone else for contributing, and I think there's just one point left that needs a response (inline)... On Mon, Mar 02, 2020 at 03:19:11PM +0100, Torsten Lodderstedt wrote: > Hi Ben, > >

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-02 Thread Takahiko Kawasaki
Do you mean different requests should have the same jti value for better security? It is not good that RFC 7662 has chosen "jti" as a property to hold the identifier for an access/refresh token although the format of introspection responses is not JWT but just JSON. If the name were, for

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-02 Thread Torsten Lodderstedt
> Am 02.03.2020 um 17:52 schrieb Takahiko Kawasaki : > > The requirement for "jti" described > in draft-ietf-oauth-jwt-introspection-response-08 is problematic. I think having different jti values for different requests is a security risk.

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-02 Thread Takahiko Kawasaki
Hi Torsten, draft-ietf-oauth-jwt-introspection-response-08 says as follows. *The "jti" claim is a unique identifier for the access token passed in the introspection request. This identifier MUST be stable for all introspection calls for a given access token.* This requirement expects that the

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-02 Thread Torsten Lodderstedt
Hi Ben, >> >>> >>> I don't think the new semantics for "jti" in the introspection response >>> are compatible with the RFC 7519 definition. Specifically, we say that >>> "jti" will be tied to the input access token, but 7519 says that "jti" >>> has to change when the contents of the JWT change

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-03-01 Thread Benjamin Kaduk
On Fri, Feb 28, 2020 at 03:44:05PM +0100, Torsten Lodderstedt wrote: > Hi Ben, > > > On 25. Feb 2020, at 23:52, Benjamin Kaduk via Datatracker > > wrote: > > > > Benjamin Kaduk has entered the following ballot position for > > draft-ietf-oauth-jwt-introspection-response-08: Discuss > > > >

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-02-28 Thread Torsten Lodderstedt
Hi Ben, > On 25. Feb 2020, at 23:52, Benjamin Kaduk via Datatracker > wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-oauth-jwt-introspection-response-08: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses

[OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

2020-02-25 Thread Benjamin Kaduk via Datatracker
Benjamin Kaduk has entered the following ballot position for draft-ietf-oauth-jwt-introspection-response-08: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)