[OAUTH-WG] Weekly github digest (OAuth Activity Summary)

Repository Activity Summary Bot Sat, 16 Nov 2024 23:45:52 -0800



Events without label "editorial"

Issues
------
* oauth-wg/oauth-identity-chaining (+1/-0/💬1)
 1 issues created:
 - Required `requested_token_type` parameter (by arndt-s)

https://github.com/oauth-wg/oauth-identity-chaining/issues/111

 1 issues received 1 new comments:
 - #111 Required `requested_token_type` parameter (1 by arndt-s)

https://github.com/oauth-wg/oauth-identity-chaining/issues/111

* oauth-wg/oauth-sd-jwt-vc (+3/-5/💬15)
 3 issues created:
 - Non-existent section referred for key binding JWT rules due to a typo (by 
georgepadayatti)

https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/274- Provide guidance on versioning (by danielfett)https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/273- Define how X509 certificate can be used as user's identifier (by cre8)https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/270

 7 issues received 15 new comments:
 - #274 Non-existent section referred for key binding JWT rules due to a typo 
(1 by bc-pi)

https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/274- #270 Define how X509 certificate can be used as user's identifier (2 by bc-pi, cre8)https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/270- #264 second-guess the choice to use .well-known for type metadata documents (3 by alenhorvat, danielfett)https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/264 [discuss]- #256 Fetch vct from URL or from registry (1 by danielfett)https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/256 [discuss]- #250 Drop all references to DIDs and DID resolution (6 by andorsk, bc-pi, decentralgabe, peacekeeper)https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/250 [discuss]- #245 Ambiguity what should happen when no `kid` parameter is present in header when DID is used as `iss` value (1 by bc-pi)https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/245- #205 defining how DID can be used as user's indetifier (1 by bc-pi)https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/205 [pending close]

 5 issues closed:

- Define how X509 certificate can be used as user's identifier https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/270- [IANA #1392244] Early review: draft-ietf-oauth-sd-jwt-vc-05 (IETF 121) https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/266- defining how DID can be used as user's indetifier https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/205 [pending close]- Ambiguity what should happen when no `kid` parameter is present in header when DID is used as `iss` value https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/245- Drop all references to DIDs and DID resolution https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/250 [discuss]

* oauth-wg/oauth-selective-disclosure-jwt (+2/-42/💬7)
 2 issues created:
 - Update of Issue #514 (new section 9.12) for the support of Post Quantum 
cryptography (by Denisthemalice)

https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/529- Comments and issues raised during the 1rst and the 2nd WGLC have not been addressed in -14 (by Denisthemalice)https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/528

 2 issues received 7 new comments:
 - #523 Hash Function Claim value case-sensitivity (6 by bc-pi, lukasjhan, 
spheroid)

https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/523- #503 The description of the SD-JWT+KB is confusing (1 by AlexHodder)https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/503

 42 issues closed:

- Hash Function Claim value case-sensitivity https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/523- Figure 1 should be corrected to take into account the existence of an End-user and to consider KB-JWT instead of KB https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/498- The term End-User should be added to the definitions https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/497- The definition of a Verifier would need to be reworded https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/496- The definition of an Holder would need to be reworded https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/495- The definition of an Issuer would need to be reworded https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/494- The definition of a "key binding JWT" would need to be reworded https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/493- The definition of "key binding" would need to be reworded https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/492- The definition of the Selectively Disclosable JWT (SD-JWT) would need to be reworded https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/491- The definition of the SD-JWT+KB structure needs to be reworded https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/490- A (KB-JWT) does not demonstrate a "proof of possession" of private key https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/489- Key binding will be ineffective unless the SD-JWT includes an additional claim that indicates the Holder characteristics: "hcahr" https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/485- What is a "facility for associating an SD-JWT with a key pair" ? https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/488- Difference between "a format extending the JWS Compact Serialization" and "an alternate format extending the JWS JSON Serialization" ? https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/487- The structure called "SD-JWT+KB" should be renamed "SD-JWT+KB-JWT" https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/486- A Holder does not present a "JWT" to a Verifier but "SD-JWT + Sel.Claims" https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/484- Indicate that "claims" refers either to object properties (name/value pairs) and to array elements https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/483- Make a difference between the Holder which is an *application* and the individual (i.e. End-User) https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/482- The last paragraph of section 10.5 (Issuer Identifier) can be removed https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/522- A new section about "Issuer anonymity" should be added https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/521- Section 10.3 (Confidentiality during Transport) should also mention integrity https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/520- Since claims always contain privacy-sensitive data section 10.2 would need to be reworded https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/519- Holders SHOULD NOT be required to store SD-JWTs "only in encrypted form" https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/518- Section 10.2 should be made more general to consider both the storage of signed and un-signed data https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/517- The term "unlinkability" is overloaded. For more clarity, the wording "End-user intrackability" should be used in addition https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/515- A new section about "End-User intrackability" should be added https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/516- A section should be added to consider the case of a presentation of claims to Verifier that have been issued by different Issuers https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/514- Section 9.5 (Key Binding) needs to be revised to consider the case of a collusion between End-Users https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/513- Section 7.3 needs to be revised to describe which data structures can be transmitted https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/512- It is important to mention the use of decoy digests and of the shuffling of the digests included in the SD-JWT payload https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/507- The requirement for an Issuer of not providing a SD-JWT+KB-JWT should be removed https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/511- Verification steps for the KB-JWT are missing in section 7.1 https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/510- Validation steps for the KB-JWT are missing https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/509- The iat time at which the Key Binding JWT was issued should not be REQUIRED https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/508- How the Holder key pair is established cannot be placed "out of the scope of this document" https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/506- Add an example of using arrays for "age_over" and "age_under" claims https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/505- It would be worth to mention that the Issuer decides which claims are always disclosed https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/504- The description of the SD-JWT+KB is confusing https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/503- The description of the SD-JWT can be improved https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/502- The benefits of the nonce and of the audience value can be made more accurate https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/501- The data elements sent to the Verifier are not correctly defined https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/500- The format used to carry both the SD-JWT and the Disclosures is unclear https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/499

* oauth-wg/oauth-v2-1 (+0/-4/💬3)
 3 issues received 3 new comments:
 - #181 Authorization Endpoint HTTP `POST` binding (1 by aaronpk)

https://github.com/oauth-wg/oauth-v2-1/issues/181- #176 Allow public clients to use the `client_credentials` grant type (1 by aaronpk)https://github.com/oauth-wg/oauth-v2-1/issues/176- #108 Should auth-param in WWW-Authenticate be optional? (1 by johakoch)https://github.com/oauth-wg/oauth-v2-1/issues/108

 4 issues closed:

- Authorization Endpoint HTTP `POST` binding https://github.com/oauth-wg/oauth-v2-1/issues/181- extension grants can allow unidentified clients https://github.com/oauth-wg/oauth-v2-1/issues/143 [ietf-116]- weird referece, but okay https://github.com/oauth-wg/oauth-v2-1/issues/186- Allow public clients to use the `client_credentials` grant type https://github.com/oauth-wg/oauth-v2-1/issues/176

* oauth-wg/draft-ietf-oauth-status-list (+2/-3/💬12)
 2 issues created:
 - IANA Registry (by c2bo)

https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/194- Q. Can I add openwallet foundation implementation for token status list in README? (by lukasjhan)https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/192

 7 issues received 12 new comments:
 - #192 Q. Can I add a link of openwallet foundation implementation for token 
status list in README? (6 by lukasjhan, paulbastian)

https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/192- #168 Support for content negotiation as denoted in the standard is limited for some CDNs and http servers (1 by paulbastian)https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/168 [ready-for-pr]- #156 Simplifying compression requirements (1 by paulbastian)https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/156- #147 Decide whether to drop the unsigned option (1 by paulbastian)https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/147 [ready-for-pr] [discuss]- #143 OP Metadata Claim for Status List JWT endpoint (1 by paulbastian)https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/143 [discuss]- #137 Set content type to optional than must (1 by paulbastian)https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/137 [discuss]- #128 Add Security Consideration on signing status list (1 by paulbastian)https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/128

 3 issues closed:

- Q. Can I add a link of openwallet foundation implementation for token status list in README? https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/192- Set content type to optional than must https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/137 [discuss]- IETF 118: Guidance for which contexts/usecases StatusList is a valuable revocation mechanism https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/84



Pull requests
-------------
* oauth-wg/oauth-transaction-tokens (+1/-0/💬0)
 1 pull requests submitted:
 - Add Batch token for asynchronous long running workloads (by ashayraut)

https://github.com/oauth-wg/oauth-transaction-tokens/pull/149

* oauth-wg/oauth-sd-jwt-vc (+4/-4/💬5)
 4 pull requests submitted:
 - Remove .well-known for vcts (by danielfett)

https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/272- Add a placeholder -07 to Document History (by bc-pi)https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/271- Add “Status” field to well-known URI registration per IANA early review (by bc-pi)https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/269- change media type from `vc+sd-jwt` to `dc+sd-jwt` (by bc-pi)https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/268

 1 pull requests received 5 new comments:
 - #251 Tightened exposition of Issuer-signed JWT Verification Key Validation 
section (Drop all references to DIDs and DID resolution while leaving the 
exensiblity point for those who want to define a profile of SD-JWT VC using 
DIDs) (5 by ThierryThevenet, alenhorvat, andorsk, bc-pi)

https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/251

 4 pull requests merged:
 - Add a placeholder -07 to Document History

https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/271- Add “Status” field to well-known URI registration per IANA early reviewhttps://github.com/oauth-wg/oauth-sd-jwt-vc/pull/269- Tightened exposition of Issuer-signed JWT Verification Key Validation sectionhttps://github.com/oauth-wg/oauth-sd-jwt-vc/pull/251- change media type from `vc+sd-jwt` to `dc+sd-jwt`https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/268

* oauth-wg/oauth-selective-disclosure-jwt (+2/-3/💬1)
 2 pull requests submitted:
 - Note that the Hash Function Claim value is case-sensitive (by bc-pi)

https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/525- Update typ in SD-JWT VC example (by bc-pi)https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/524

 1 pull requests received 1 new comments:
 - #525 Note that the Hash Function Claim value is case-sensitive (1 by bc-pi)

https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/525

 3 pull requests merged:
 - Address Denis' comments

https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/481- Note that the Hash Function Claim value is case-sensitivehttps://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/525- Update typ in SD-JWT VC examplehttps://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/524

* oauth-wg/oauth-v2-1 (+1/-2/💬2)
 1 pull requests submitted:
 - conslidate description of serialization (by aaronpk)

https://github.com/oauth-wg/oauth-v2-1/pull/190

 1 pull requests received 2 new comments:
 - #190 conslidate description of serialization (2 by aaronpk, panva)

https://github.com/oauth-wg/oauth-v2-1/pull/190

 2 pull requests merged:
 - conslidate description of serialization

https://github.com/oauth-wg/oauth-v2-1/pull/190- fix: typoshttps://github.com/oauth-wg/oauth-v2-1/pull/185

* oauth-wg/draft-ietf-oauth-status-list (+1/-1/💬0)
 1 pull requests submitted:
 - Add implementations to README (by paulbastian)

https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/193

 1 pull requests merged:
 - Add implementations to README

https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/193


Repositories tracked by this digest:
-----------------------------------
* https://github.com/oauth-wg/oauth-browser-based-apps
* https://github.com/oauth-wg/oauth-identity-chaining
* https://github.com/oauth-wg/oauth-transaction-tokens
* https://github.com/oauth-wg/oauth-sd-jwt-vc
* https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata
* https://github.com/oauth-wg/oauth-cross-device-security
* https://github.com/oauth-wg/oauth-selective-disclosure-jwt
* https://github.com/oauth-wg/oauth-v2-1
* https://github.com/oauth-wg/draft-ietf-oauth-status-list
* https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

[OAUTH-WG] Weekly github digest (OAuth Activity Summary)

Reply via email to