Resolve issue #18: Add 'Changes from RFC 8725' section
- Add comprehensive 'Changes from RFC 8725' section before Document History
- Include major changes based on IETF 123 presentation slide titles:
1. Encryption-Signature Confusion
2. PBES2 Count Limits
3. Algorithm Verification
4. Compression DoS
5. JWT Format Confusion
- This section will be published with the RFC (unlike Document History)
- Addresses the issue that doc history section was insufficient and not published
draft-ietf-oauth-rfc8725bis.md
16 lines changed: 16 additions & 0 deletions
@@ -783,6 +783,22 @@ for their reviews.
783
783
784
784
--- back
785
785
786
+
# Changes from RFC 8725 {#changes-from-rfc8725}
787
+
788
+
This document obsoletes RFC 8725 and provides several significant improvements and additions:
789
+
790
+
## Major Changes
791
+
792
+
1. Encryption-Signature Confusion: Added mitigation for attacks where verifiers don't distinguish between successful decryption and successful signature validation.
793
+
794
+
2. PBES2 Count Limits: Added requirements to reject unreasonably large `p2c` (PBES2 Count) values to prevent DoS attacks.
795
+
796
+
3. Algorithm Verification: Added defensive checking to address incorrect reading of `alg` values as being case-insensitive.
797
+
798
+
4. Compression DoS: Added mitigation for DoS attacks resulting from abuse of compression in JWE.
799
+
800
+
5. JWT Format Confusion: Added mitigation for JWT serialization format confusion attacks.
801
+
786
802
# Document History
787
803
788
804
[[Note to RFC Editor: please remove before publication.]]
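Review bot: the five items under "## Major Changes" (new lines 792 to 800) name each change but give no pointer to the section of this document that carries the corresponding normative text, so a reader of the appendix cannot find the actual requirement without searching; since the heading already uses a kramdown-rfc anchor (`{#changes-from-rfc8725}`), add a cross-reference to the relevant section at the end of each item. Two smaller points: the subsection title "Major Changes" implies a companion "Minor Changes" subsection that this hunk does not add, so either add it (editorial and clarifying changes since RFC 8725 would belong there) or rename the heading; and the opening sentence "This document obsoletes RFC 8725" should cite the RFC through the document's reference mechanism rather than as bare text, consistent with how RFC 8725 is referenced elsewhere in the draft.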