Hi Hannes!

> -----Original Message-----
> From: Hannes Tschofenig [mailto:[email protected]]
> Sent: Friday, June 22, 2018 9:36 AM
> To: Roman Danyliw <[email protected]>; [email protected]
> Subject: "sub" and "iss" ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02
>
> Hi Roman,
>
> this is also a good question:
>
> > (3) (Editorial) Page 4, Section 3.0, I read to the end of this section by which
> > point there has been discussion of "sub" or "iss". I was left wondering about
> > how to interpret the case where both are present and none are.
>
> Here is the text from the draft:
>
> "
> The presenter can be identified in one of several ways by the CWT
> depending upon the application requirements. If the CWT contains a
> "sub" (subject) claim [CWT], the presenter is normally the subject
> identified by the CWT. (In some applications, the subject identifier
> will be relative to the issuer identified by the "iss" (issuer) claim
> [CWT].) If the CWT contains no "sub" claim, the presenter is
> normally the issuer identified by the CWT using the "iss" claim. The
> case in which the presenter is the subject of the CWT is analogous to
> Security Assertion Markup Language (SAML) 2.0
> [OASIS.saml-core-2.0-os] SubjectConfirmation usage. At least one of
> the "sub" and "iss" claims is typically present in the CWT and some
> use cases may require that both be present.
> "
>
> The CWT PoP document does not define the subject or issuer claims.
> The document also does not mandate a specific set of claims to be included in a
> CWT since this is application profile specific.
>
> Hence, I am wondering whether we could shorten the paragraph above,
> which is actually a bit confusing.
>
> "
> This specification adds a new claim to offer the proof-of-possession
> functionality.
> There are various claims already defined and the IANA claims registry [REF]
> contains the most up-to-date list of standardized claims. Applications using
> the CWT functionality define what claims have to be used.
>
> The presenter can, if necessary, be identified in one of several ways by the
> CWT depending upon the application requirements. If the CWT contains a
> "sub" (subject) claim [CWT], the presenter is the subject
> identified by the CWT. In some cases, the CWT may not include a "sub"
> claim, which allows the presenter to remain anonymous.
> "
I like this shortened paragraph proposed above. IMO, it's simpler and more appropriate in this draft.

Thanks,
Roman

> Ciao
> Hannes

_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
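As an added illustration of the point under discussion (example code, not from the thread or the draft), the following resolves the "presenter" of a CWT claims set under both the draft -02 wording and the proposed shorter wording, for all four "sub"/"iss" combinations Roman asked about. The integer claim keys are the registered CWT ones (iss=1, sub=2, cnf=8, kid=3 inside cnf); the claim values and the "subject@issuer" qualification are constructed assumptions.

```python
# Added example, not part of the thread or of the CWT PoP draft: resolve the
# presenter of a CWT claims set under the two paragraph wordings discussed above.
# Claim keys: iss=1, sub=2 (RFC 8392), cnf=8 (proof-of-possession claim), and
# kid=3 as the cnf member. Claim values below are constructed for illustration.
from typing import Optional

ISS, SUB, CNF = 1, 2, 8
KID = 3  # cnf member: key identifier


def presenter_draft02(claims: dict, sub_relative_to_iss: bool = False) -> Optional[str]:
    """Draft -02 wording: presenter is 'sub' if present, otherwise 'iss'.

    sub_relative_to_iss models the parenthetical "subject identifier will be
    relative to the issuer" (an assumed application choice): the issuer is then
    folded into the identity so the same subject string from two issuers is
    not treated as one presenter.
    """
    if CNF not in claims:
        raise ValueError("not a proof-of-possession CWT: no cnf claim")
    if SUB in claims:
        if sub_relative_to_iss and ISS in claims:
            return f"{claims[SUB]}@{claims[ISS]}"
        return claims[SUB]
    if ISS in claims:
        return claims[ISS]
    return None  # neither claim present: the -02 text leaves this unspecified


def presenter_proposed(claims: dict) -> Optional[str]:
    """Proposed wording: 'sub' identifies the presenter; without 'sub' the
    presenter stays anonymous, whether or not 'iss' is present."""
    if CNF not in claims:
        raise ValueError("not a proof-of-possession CWT: no cnf claim")
    return claims.get(SUB)


# Constructed claims sets covering the four combinations.
CNF_CLAIM = {KID: b"key-1"}
BOTH = {ISS: "as.example", SUB: "alice", CNF: CNF_CLAIM}
SUB_ONLY = {SUB: "alice", CNF: CNF_CLAIM}
ISS_ONLY = {ISS: "as.example", CNF: CNF_CLAIM}
NEITHER = {CNF: CNF_CLAIM}

if __name__ == "__main__":
    cases = [("both", BOTH), ("sub only", SUB_ONLY), ("iss only", ISS_ONLY), ("neither", NEITHER)]
    for name, c in cases:
        print(f"{name:9} draft-02={presenter_draft02(c)!r:14} proposed={presenter_proposed(c)!r}")
```

The "iss only" row is where the two wordings diverge: the -02 text names the issuer as presenter, the proposed text leaves the presenter anonymous.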
