Re: [OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

2018-04-25 Thread Neil Madden
Thanks Yaron, Some responses in-line.

> On 23 Apr 2018, at 15:57, Yaron Sheffer wrote:
>
> Hi Neil,
>
> Thank you again for your review and the follow up. Please see my comments
> in-line.
>
> Yaron
>
>> Hi Mike,
>> I sent this originally back in June last year, I can see some of the

Re: [OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

2018-04-23 Thread Yaron Sheffer
Hi Neil, Thank you again for your review and the follow up. Please see my comments in-line. Yaron

> Hi Mike, I sent this originally back in June last year, I can see some of these points have been addressed in -01, but not others, so I will include further comments in-line below.

Re: [OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

2018-04-17 Thread Neil Madden
Hi Mike, I sent this originally back in June last year, I can see some of these points have been addressed in -01, but not others, so I will include further comments in-line below. (Apologies if I missed replies - I’ve realised a few messages from this WG have ended up in my spam folder). As a

Re: [OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

2017-07-16 Thread Denis
draft-sheffer-oauth-jwt-bcp-01 has been issued, but none of the co-authors has responded to my comments. These comments are copied below. Both topics mentioned below have been presented and discussed during the OAuth workshop in Zürich on July the 13th. Denis Comments on draft-sheffer-oa

Re: [OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

2017-06-05 Thread Denis
Comments on draft-sheffer-oauth-jwt-bcp-00 1. Section 2 lists 7 known and possible threats and vulnerabilities with JWT implementations and deployments. In the OAuth Threat Model Document (RFC 6819) collusions between users located inside of a system are not mentioned but nevertheless need to b

Re: [OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

2017-06-04 Thread Neil Madden
I originally sent this message just to the BCP authors. As requested by Mike Jones, I am sending it here too: Hi, I've just seen this draft best-practice guide for JWTs pop up. I have a number of suggestions for improvements. Mostly, I think the advice is good but should be spelt out a bit more

[OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

2017-06-04 Thread Mike Jones
JSON Web Tokens (JWTs) and the JSON Object Signing and Encryption (JOSE) functions underlying them are now being widely used in diverse sets of applications. During IETF 98 in Chicago, we discussed reports of people implementing and using JOSE and JWTs insecurely,