Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

On Thu, Oct 26, 2023 at 5:26 PM Brian Campbell wrote: > > I think you might underestimate the difficulty in > creating/changing/establishing such a registry and overestimate its > effectiveness and usefulness. And I think the selective disclosability > treatment of many claims is ultimately cont

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

Thanks Neil! Appreciate the productive discussion. Some more responses below (while also attempting to snip out and declutter the message). On Thu, Oct 26, 2023 at 7:03 AM Neil Madden wrote: On 25 Oct 2023, at 22:00, Brian Campbell wrote: > > The draft currently says that second-preimage r

Re: [OAUTH-WG] sub_id in draft for Transaction tokens

Hi Kai, Thanks for this and other feedback you have provided. The primary reason for using "sub_id" was to enable a format that can be more expressive than the "sub", which is always a string. I can see the benefit of having either "sub" or "sub_id" in the Transaction Tokens spec. "sub" will allo

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

On 25 Oct 2023, at 22:00, Brian Campbell wrote:Thanks for the comments and questions Neil. With the help of the draft co-authors, I've tried to reply (probably inadequately!) inline below. Thanks. Some responses below. On Tue, Oct 24, 2023 at 3:48 AM Neil Madden wrote:I

[OAUTH-WG] Canceled Webex meeting: OAuth WG Virtual Office Hours

BEGIN:VCALENDAR PRODID:-//Microsoft Corporation//Outlook 10.0 MIMEDIR//EN VERSION:2.0 METHOD:CANCEL BEGIN:VTIMEZONE TZID:America/New_York LAST-MODIFIED:20221105T024526Z TZURL:https://www.tzurl.org/zoneinfo-outlook/America/New_York X-LIC-LOCATION:America/New_York BEGIN:DAYLIGHT TZNAME:EDT TZOFFSETFR

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt: Collaborative attacks against a Verifier

Hi All, Section 11.6. is about "Key Binding" which is indeed an important security feature. However, in the context of "selective disclosure" while this feature is essential, it is insufficient. Let us take an example: If a Token indicates that an individual has the nationality X, in case of

[OAUTH-WG] sub_id in draft for Transaction tokens

Hi all, I very much like the draft. We have a similar token mechanism implemented for our service infrastructure. I am not quite sure about the reasoning behind using “sub_id” for the subject identifier instead of using “sub” as used across OAuth technology. The referenced draft for SubjectIde