Hi Torsten,
Sorry for the delayed response; it seems this got buried beneath some other
things. Thanks to everyone else for contributing, and I think there's just
one point left that needs a response (inline)...
On Mon, Mar 02, 2020 at 03:19:11PM +0100, Torsten Lodderstedt wrote:
> Hi Ben,
>
>
Do you mean different requests should have the same jti value for better
security?
It is not good that RFC 7662 has chosen "jti" as a property to hold the
identifier for an access/refresh token although the format of introspection
responses is not JWT but just JSON. If the name were, for
> On 02.03.2020 at 17:52, Takahiko Kawasaki wrote:
>
> The requirement for "jti" described
> in draft-ietf-oauth-jwt-introspection-response-08 is problematic.
I think having different jti values for different requests is a security risk.
Hi Torsten,
draft-ietf-oauth-jwt-introspection-response-08 says as follows.
*The "jti" claim is a unique identifier for the access token passed in the
introspection request. This identifier MUST be stable for all
introspection calls for a given access token.*
This requirement expects that the
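As an added illustration of the stability requirement quoted above (not code from this thread, the draft, or any of its implementations): a minimal HS256 introspection-response signer whose "jti" is derived from the introspected access token, so repeated introspection calls for one token carry the same "jti" while different tokens get different ones. The claim layout, the "typ" value, the issuer/audience URLs and the SHA-256 derivation are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def stable_jti(access_token: str) -> str:
    # Derive jti from the introspected token itself, so every introspection
    # call for that token yields the same value (assumption: SHA-256 of the
    # token bytes; the draft requires stability, not this derivation).
    return b64url(hashlib.sha256(access_token.encode()).digest())


def introspection_response_jwt(access_token: str, active: bool, key: bytes, now: int) -> str:
    """Build a signed introspection response for one access token (layout assumed)."""
    header = {"alg": "HS256", "typ": "token-introspection+jwt"}  # typ assumed
    claims = {"iss": "https://as.example", "aud": "https://rs.example",
              "iat": now, "active": active, "jti": stable_jti(access_token)}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_and_decode(token: str, key: bytes) -> dict:
    """Check the HS256 signature and return the claims, or raise ValueError."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def jti_is_stable(access_token: str, key: bytes) -> bool:
    """Two introspection calls at different times must share one jti."""
    first = verify_and_decode(introspection_response_jwt(access_token, True, key, 1000), key)
    second = verify_and_decode(introspection_response_jwt(access_token, True, key, 2000), key)
    return first["jti"] == second["jti"] and first["iat"] != second["iat"]
```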
Hi Ben,
>>
>>>
>>> I don't think the new semantics for "jti" in the introspection response
>>> are compatible with the RFC 7519 definition. Specifically, we say that
>>> "jti" will be tied to the input access token, but 7519 says that "jti"
>>> has to change when the contents of the JWT change
On Fri, Feb 28, 2020 at 03:44:05PM +0100, Torsten Lodderstedt wrote:
> Hi Ben,
>
> > On 25. Feb 2020, at 23:52, Benjamin Kaduk via Datatracker
> > wrote:
> >
> > Benjamin Kaduk has entered the following ballot position for
> > draft-ietf-oauth-jwt-introspection-response-08: Discuss
> >
> >
Hi Ben,
> On 25. Feb 2020, at 23:52, Benjamin Kaduk via Datatracker
> wrote:
>
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-oauth-jwt-introspection-response-08: Discuss