Merge pull request #22 from oauth-wg/ys-18

yaronf · web-flow · commit 3b0b4460cdab · 2025-09-22T17:03:44.000+03:00
New section: changes from RFC 8725
diff --git a/draft-ietf-oauth-rfc8725bis.md b/draft-ietf-oauth-rfc8725bis.md
@@ -778,6 +778,20 @@ for their reviews.
 
 --- back
 
+# Changes from RFC 8725 {#changes-from-rfc8725}
+
+This document obsoletes RFC 8725 and provides several significant improvements and additions:
+
+1. Algorithm Verification: Added defensive checking to address incorrect reading of `alg` values as being case-insensitive ({{algorithm-verification}}).
+
+2. Encryption-Signature Confusion: Added mitigation for attacks where verifiers don't distinguish between successful decryption and successful signature validation ({{preventing-confusion}}).
+
+3. PBES2 Count Limits: Added requirements to reject unreasonably large `p2c` (PBES2 Count) values to prevent DoS attacks ({{limit-iterations}}).
+
+4. JWT Format Confusion: Added mitigation for JWT serialization format confusion attacks ({{token-format}}).
+
+5. Compression DoS: Added mitigation for DoS attacks resulting from abuse of compression in JWE ({{limit-decompression}}).
+
 # Document History
 
 [[Note to RFC Editor: please remove before publication.]]
