Last Call Review of draft-ietf-oauth-access-token-jwt-11

Request Review of draft-ietf-oauth-access-token-jwt
Requested rev. no specific revision (document currently at 12)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2021-02-09
Requested 2021-01-26
Authors Vittorio Bertocci
Draft last updated 2021-02-07
Completed reviews Genart Last Call review of -11 by Roni Even (diff)
Secdir Last Call review of -11 by Joseph Salowey (diff)
Secdir Telechat review of -12 by Joseph Salowey
Assignment Reviewer Joseph Salowey 
State Completed
Review review-ietf-oauth-access-token-jwt-11-secdir-lc-salowey-2021-02-07
Posted at
Reviewed rev. 11 (document currently at 12)
Review result Has Issues
Review completed: 2021-02-07


I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The summary of the review is the document has issues.

1.  (Editorial) What is the relationship between this document and RFC 7523.  They are using JWT for different purposes, but I think it would be useful to clarify this in the introduction.  

2.  (Issue) The specification does not specify any mandatory to implement for the recommended asymmetric algorithms.  This will not help interop.  Perhaps specify one or both of  "RS256" and "ES256". 

3. (Question) Is it currently possible to use the JWT access token in a mode other than a bearer token?  For example is there a way to bind the JWT to a verifiable key or identifier.  If there is, there should be some discussion of this in the security considerations.  If not, do the authors know if there is any work planned in this area?

4. Genart review pointed out a nit that should be fixed.