> Am 18.03.2018 um 20:40 schrieb Brock Allen <brockal...@gmail.com>: > > Why is TLS to the intospection endpoint not sufficient?
TLS is sufficient, if AS and RS want to ensure the integrity of the token data (on transit). But there are use cases, where the RS wants evidence (== digital signature over the token) who created the token. This is for non-repudation/liability. > Are you thinking there needs to be some multi-tenancy support of some kind? With respect to what party? The draft allows every RS to choose the response type and if JWT, the algorithms to use. kind regards, Torsten. > > -Brock > >> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote: >> >> Hi all, >> >> I just submitted a new draft that Vladimir Dzhuvinov and I have written. It >> proposes a JWT-based response type for Token Introspection. The objective is >> to provide resource servers with signed tokens in case they need >> cryptographic evidence that the AS created the token (e.g. for liability). >> >> I will present the new draft in the session on Wednesday. >> >> kind regards, >> Torsten. >> >>> Anfang der weitergeleiteten Nachricht: >>> >>> Von: internet-dra...@ietf.org <mailto:internet-dra...@ietf.org> >>> Betreff: New Version Notification for >>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt >>> Datum: 18. März 2018 um 20:19:37 MEZ >>> An: "Vladimir Dzhuvinov" <vladi...@connect2id.com >>> <mailto:vladi...@connect2id.com>>, "Torsten Lodderstedt" >>> <tors...@lodderstedt.net <mailto:tors...@lodderstedt.net>> >>> >>> >>> A new version of I-D, >>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt >>> has been successfully submitted by Torsten Lodderstedt and posted to the >>> IETF repository. >>> >>> Name: draft-lodderstedt-oauth-jwt-introspection-response >>> Revision: 00 >>> Title: JWT Response for OAuth Token Introspection >>> Document date: 2018-03-15 >>> Group: Individual Submission >>> Pages: 5 >>> URL: >>> https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt >>> >>> <https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt> >>> Status: >>> https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/ >>> >>> <https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/> >>> Htmlized: >>> https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00 >>> >>> <https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00> >>> Htmlized: >>> https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response >>> >>> <https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response> >>> >>> >>> Abstract: >>> This draft proposes an additional JSON Web Token (JWT) based response >>> for OAuth 2.0 Token Introspection. >>> >>> >>> >>> >>> Please note that it may take a couple of minutes from the time of submission >>> until the htmlized version and diff are available at tools.ietf.org >>> <http://tools.ietf.org/>. >>> >>> The IETF Secretariat >>> >>
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
