2013/8/2 Phil Hunt
> Yes. Forking is bad. This is not a fork.
>
> It isn't like OIDF membership hasn't been aware of the issue and hasn't
> had time to respond (over a year now). The clear message was Connect is too
> far along to consider changes.
>
You are grossly misrepresenting it here. You
Hi Nat,
I think you are going in the right direction. Here are my
comments:
- Authentication and attribute providing can be treated
separately. I therefore would recommend you move the claim stuff into a
separate specification, which includes standard claims, respective scope
values, user i
I thought I remembered that text from RFC 6749, section 3.1 as saying that
a *public* client MAY use the "client_id" request parameter to identify
itself...
Apparently that's not what it says. But I believe that was the intent - that
a client with no means of authentication could identify itself by
Yes, it is a Token.
No, it does not have to be signed.
As to be a token or not to be a token question, it has been discussed in
the WG before, and if I remember correctly, Microsoft argued for token
saying that it is just base64 decoding and I lost there.
Nat
On Aug 1, 2013, at 14:24, Anthony N
This solves a real and common problem with public client implementations. I
certainly would like to see it move forward. Thanks for publishing it Nat.
Cheers,
Morteza
From: Nat Sakimura mailto:sakim...@gmail.com>>
Date: Tuesday, July 30, 2013 11:58 AM
To: oauth mailto:oauth@ietf.org>>
Subject:
This thread is about the proposed change to JWT. Further discussion of the
risks of "alg":"none" will be on the JOSE list.
--Richard
On Thu, Aug 1, 2013 at 2:26 PM, Mike Jones wrote:
> You prevent downgrade attacks by having your application reject
> algorithms that don’t meet their securit
You prevent downgrade attacks by having your application reject algorithms that
don't meet their security requirements. Unless your application explicitly
chooses to accept "alg":"none", the same code that would reject "alg":"rot13"
would reject "alg":"none".
If your application isn't rejectin
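The point Mike makes above (an allowlist of algorithms makes "alg":"none" fall out the same way "alg":"rot13" would) and the downgrade risk Richard raises can be shown in a few lines. The following is an added example written for this page, not code from the thread, JOSE, or any JWT library. It builds a minimal HS256 JWS with the standard library, shows how a naive verifier that trusts the header's "alg" can be downgraded to an unsigned token, and beside it a verifier that only accepts algorithms from a caller-supplied allowlist. The key and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example; any real deployment would use a
# high-entropy key from a secret store.
KEY = b"demo-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jws(claims: dict, alg: str, key: bytes = KEY) -> str:
    """Produce a compact JWS for the claims. Only HS256 and 'none' are modelled."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    elif alg == "none":
        sig = b""  # a Plaintext JWT: empty signature part
    else:
        raise ValueError("unsupported alg")
    return signing_input + "." + b64url_encode(sig)


def downgrade_to_none(token: str, new_claims: dict) -> str:
    """What an attacker does: keep the format, swap the header to alg=none,
    rewrite the payload and drop the signature."""
    return make_jws(new_claims, "none")


def verify_naive(token: str, key: bytes = KEY) -> dict:
    """Trusts whatever the header says. If it says 'none', no check is done.
    This is the downgrade hazard being discussed."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_strict(token: str, allowed_algs: set, key: bytes = KEY) -> dict:
    """Application decides up front which algs are acceptable. 'none' is
    treated exactly like any other unexpected value unless the caller
    explicitly put it in allowed_algs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not permitted by this application")
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
    elif alg == "none":
        if s != "":
            raise ValueError("alg none must carry an empty signature")
    else:
        raise ValueError(f"no verifier implemented for {alg!r}")
    return json.loads(b64url_decode(p))


def accepted_by_strict(token: str, allowed_algs: set) -> bool:
    """Convenience predicate: does the allowlisting verifier accept the token?"""
    try:
        verify_strict(token, allowed_algs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = make_jws({"sub": "alice", "role": "user"}, "HS256")
    forged = downgrade_to_none(good, {"sub": "alice", "role": "admin"})
    print("naive verifier accepts forged token:", verify_naive(forged))
    print("strict verifier accepts forged token:",
          accepted_by_strict(forged, {"HS256"}))
```

With `allowed_algs={"HS256"}` the forged `alg:none` token is rejected for the same reason an `alg:rot13` token would be; an application that genuinely wants Plaintext JWTs passes `{"none"}` and gets them, which is the "explicitly chooses to accept" case in the message above.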
You don't view downgrade attacks as a compelling reason?
I look forward to your attempt to get this through SECDIR review.
On Thu, Aug 1, 2013 at 2:20 PM, Mike Jones wrote:
> This is useful because it means that you can pass both unsigned and
> signed content using the same syntax, with no spe
This is useful because it means that you can pass both unsigned and signed
content using the same syntax, with no special parsing required. This is used
in practice, for instance, to enable both unsigned and signed request objects,
signed and unsigned ID Tokens, etc.
This is already in wides
Hmm allowing sending the client_id even if there is no authentication was
intended to mitigate cases where the client presenting the code or
refresh_token was not the one that requested it, and for logging.
I don't think the intention was to allow the client_id to be sent twice.
If it were my
It has come to my attention that JWT is using "alg":"none" to create
"Plaintext JWTs". Some of us in JOSE believe that this "alg" value should
be removed, because of a risk of downgrade attacks. In order to do that, a
suggested revision to JWT is below. To summarize:
-- Plaintext JWTs are not JW
That is what we are doing for connect. If other applications like Persona wind
up using the same claims that is fine as long as the semantics are the same.
On 2013-08-01, at 1:29 PM, Torsten Lodderstedt wrote:
> Hi Mike,
>
> thank you for your quick answer. Using the registry works for my use
Life is full of surprises and bountiful experiences
From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Thursday, August 1, 2013 12:35 AM
To: Anthony Nadalin
Cc: Hannes Tschofenig; oauth mailing list
Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00
I wasn't concerne
I wasn't concerned about the exercise but rather with having to spend that
much more time with you.
On Thu, Aug 1, 2013 at 9:14 AM, Anthony Nadalin wrote:
> It’s called exercise or take the S7, this also give you a culture
> experience of getting away from the hotel and IETF crowd.
>
After about the 5th or 6th beer, the concern about Tony not wanting to take a
cab starts to go away.
Phil
@independentid
www.independentid.com
phil.h...@oracle.com
On 2013-08-01, at 9:14 AM, Anthony Nadalin wrote:
> It’s called exercise or take the S7, this also give you a culture experi
It's called exercise or take the S7, this also give you a culture experience of
getting away from the hotel and IETF crowd.
From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Thursday, August 1, 2013 12:10 AM
To: Anthony Nadalin
Cc: Hannes Tschofenig; oauth mailing list
Subject: Re: [
That's a 35 minute walk each way. Will MSFT be providing transportation?
On Thu, Aug 1, 2013 at 8:52 AM, Anthony Nadalin wrote:
> How about http://www.zollpackhof.de/english/restaurant/terrassen.html
>
>
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org