Reviewer: Joseph Salowey
Review result: Ready
Thank you authors. This version addresses all my comments.
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
I had expected that we would use the existing member name “at_hash” for the
access token hash value, rather than the new name “ath”, since there’s already
precedent for using it. Could we change to the standard name for this when we
publish the next version?
Hi Mike,
Also inline...
On Thu, Apr 08, 2021 at 04:45:15AM +, Mike Jones wrote:
> Thanks for your review, Ben. We've published
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-33 to address your and
> other IESG comments.
>
> Responses are inline below, prefixed by "Mike>".
>
>
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-34 incorporates the fixes
you suggested.
Thanks again,
-- Mike
-Original Message-
From: Mike Jones
Sent: Thursday, April 8, 2021 6:49 AM
To: Francesca Palombini ; i...@iet
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-34 incorporates the fixes
you suggested.
Thanks again!
-- Mike
-Original Message-
From: Mike Jones
Sent: Thursday, April 8, 2021 6:46 AM
To: Murray Kucherawy ; The IESG
C
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : The OAuth 2.0 Authorization Framework: JWT Secured
Authorization Request (JAR)
Authors : Nat Saki
Hi Roberto,
On Fri, Apr 02, 2021 at 11:55:27AM +0200, Roberto Polli wrote:
> Hi Vittorio et al,
>
> some considerations on oauth access token jwt follow.
> You can see them here too
> https://docs.google.com/document/d/1XsvBzGvhcY0N6vJNgLx6G1dJ5trvgwYRJA9F_NCakbU/edit
>
> An example with client
On Thu, Apr 01, 2021 at 01:32:08PM -0700, Martin Duke via Datatracker wrote:
> Martin Duke has entered the following ballot position for
> draft-ietf-oauth-access-token-jwt-12: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the
All,
Today, the IESG has approved the *JWT Secured Authorization Request (JAR)*
and *JWT Profile for Access Token* documents.
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
Congratulations to the authors and thanks to
Hi George,
client impersonation is covered extensively in RFC6749 already, with
further recommendations in RFC6819. The basics of this attack have not
changed since public clients were introduced, but, as you mention, on
mobile operating systems we see new mechanics for authenticating clients
(or
Thanks for sweating the details, Francesca. I'll plan to publish an updated
draft after the telechat making the error handling for the case when the key
isn't associated with the client clearer.
Thanks again,
-- Mike
-Original
Thanks for your review, Murray. My replies are inline, prefixed by "Mike>".
-Original Message-
From: Murray Kucherawy via Datatracker
Sent: Wednesday, April 7, 2021 11:43 PM
To: The IESG
Cc: draft-ietf-oauth-jws...@ietf.org; oauth-cha...@ietf.org; oauth@ietf.org;
hannes.tschofe...@gmx
Hi Mike!
Thanks for the quick reply. It looks good to me, just one answer to point 4:
4. -
specified in the "alg" Header Parameter. If a "kid" Header Parameter
is present, the key identified MUST be the key used, and MUST be a
key associated with the client. Algo