Thanks Brian for the reminder. Will update the draft.
Yaron
On 05/05/18 01:06, Brian Campbell wrote:
AFAIK, Tim McLean was the first to bring the HMAC/RSA switching attack
to the attention of JWS/JWT implementers -
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Perhaps he should be acknowledged similar to how Antonio is for the
invalid point attack?
I've also provided a little (admittedly very little) review and feedback
on the draft...
On Wed, May 2, 2018 at 2:36 AM, Yaron Sheffer <yaronf.i...@gmail.com> wrote:
This new version should address all WGLC comments. Please let us
know if there's anything missing.
Thanks,
Yaron
-------- Forwarded Message --------
Subject: New Version Notification for draft-ietf-oauth-jwt-bcp-02.txt
Date: Wed, 02 May 2018 01:26:17 -0700
From: internet-dra...@ietf.org
To: Michael B. Jones <m...@microsoft.com>, Yaron Sheffer <yaronf.i...@gmail.com>, Dick Hardt <d...@amazon.com>, Michael Jones <m...@microsoft.com>
A new version of I-D, draft-ietf-oauth-jwt-bcp-02.txt
has been successfully submitted by Yaron Sheffer and posted to the
IETF repository.
Name: draft-ietf-oauth-jwt-bcp
Revision: 02
Title: JSON Web Token Best Current Practices
Document date: 2018-05-02
Group: oauth
Pages: 13
URL: https://www.ietf.org/internet-drafts/draft-ietf-oauth-jwt-bcp-02.txt
Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/
Htmlized: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-02
Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp
Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bcp-02
Abstract:
JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.
Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth