Many thanks, Mike, for addressing my comments.

Best Regards,

Ines.

On Mon, Oct 23, 2023 at 7:35 AM Michael Jones <michael_b_jo...@hotmail.com>
wrote:

>
> Thanks for taking the time to review the document and for your useful
> suggestions, Ines!  FYI, we published
> https://www.ietf.org/archive/id/draft-ietf-cose-cwt-claims-in-headers-07.html
> to address the Last Call comments received.
>
> I've responded to your comments inline below, with responses prefixed by
> "Mike>".
>
> -----Original Message-----
> From: Ines Robles via Datatracker <nore...@ietf.org>
> Sent: Tuesday, October 17, 2023 1:45 PM
> To: gen-art@ietf.org
> Cc: c...@ietf.org; draft-ietf-cose-cwt-claims-in-headers....@ietf.org;
> last-c...@ietf.org
> Subject: Genart last call review of
> draft-ietf-cose-cwt-claims-in-headers-06
>
> Reviewer: Ines Robles
> Review result: Ready with Issues
>
> I am the assigned Gen-ART reviewer for this draft. The General Area Review
> Team (Gen-ART) reviews all IETF documents being processed by the IESG for
> the IETF Chair.  Please treat these comments just like any other last call
> comments.
>
> For more information, please see the FAQ at
>
> <https://wiki.ietf.org/en/group/gen/GenArtFAQ>.
>
> Document: draft-ietf-cose-cwt-claims-in-headers-06
> Reviewer: Ines Robles
> Review Date: 2023-10-17
> IETF LC End Date: 2023-10-20
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:
>
> This document describes how to include CBOR Web Token (CWT) claims in the
> header parameters of any COSE structure.
>
> The document is well written; I have minor issues and nits, indicated below.
>
> Major issues: None
>
> Minor issues:
>
> 1- Section 3: "Some of the registered CWT claims may contain
> privacy-sensitive information. Therefore care must be taken when expressing
> CWT claims in COSE headers." --> What kind of care? Are there specific
> guidelines to follow? Could you add an example or a reference?
>
> Mike> We expanded the description in the Privacy Considerations section.
>
> 2- Section 4:
>
> Detached Signatures: The security section does not delve into the security
> considerations of using detached signatures. Since detached signatures are
> one focus of the functionality, it might be helpful to discuss the security
> implications specific to them.
>
> Mike> We added a Security Consideration on detached signatures.
>
> Claims in Headers: Considering that some claims can be available before
> decryption or without inspecting the payload, perhaps it would be nice to
> discuss the risks associated with exposing claims in this manner, or add
> reference?
>
> Mike> We added a Privacy Consideration about unencrypted claims in header
> parameters.
>
> Data Consistency: Is there a security angle to ensuring that claims
> present both in the payload and header are identical, beyond just
> verification?
>
> Mike> We added a Security Consideration about claims that are present in
> both the payload and the header of a CWT.
>
> It seems that these items are not included in the security considerations
> of RFC 8392. What do you think?
>
> Mike> See the enhanced Privacy Considerations and Security Considerations
> sections.
>
> Nits/editorial comments:
>
> 3- It would be nice to expand JWT the first time of use -> JSON Web Token
> (JWT)
>
> Mike> Done!
>
> 4- It would be nice to have a caption for Table 1
>
> Mike> Neither of the authors could figure out how to do this.
> https://thesynack.com/posts/markdown-captions/ says "The truth is that,
> as of now, captions are not part of the original Markdown specifications,
> nor are they part of the more modern CommonMark specifications."  Once
> we're working with the RFC Editor on XML source, we can add it then.
>
> 5- Table 1: "TBD (requested assignment 13)", the 13 was assigned to kcwt,
> so maybe suggest another value?
>
> Mike> Now 15
>
> Thanks for this document,
>
> Mike> You're welcome!
>
> Ines.
>
> Thanks again,
> -- Mike
>
>
_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art
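The "Claims in Headers" and "Data Consistency" points Ines raises above (header claims being readable before the payload is inspected, and claims present in both header and payload having to agree) come down to a concrete verifier-side check. The following is an added example, not code from the draft, from the thread or from any COSE library. It assumes the CWT Claims header parameter label is 15 (the value Mike gives above), the registered CWT claim keys of RFC 8392 (iss=1, sub=2, aud=3, exp=4, nbf=5, iat=6, cti=7), and that signature verification is done elsewhere (a placeholder signature is used). The rejection rules (claims in the unprotected header, detached payload missing, any mismatching claim) are this example's own policy; the minimal CBOR codec is written here so the example runs without the cbor2 library.

```python
# Added example (not from the draft or this thread): check that CWT claims
# carried in the COSE protected header agree with the CWT payload, and that a
# detached payload is actually supplied before header claims are trusted.
import struct

CWT_CLAIMS_LABEL = 15                  # header parameter label cited in the thread
ALG_LABEL, ALG_ES256 = 1, -7           # COSE "alg" label and ES256 value
ISS, SUB, AUD, EXP, NBF, IAT, CTI = 1, 2, 3, 4, 5, 6, 7   # RFC 8392 claim keys


def _head(major, n):
    """CBOR initial byte(s) for a major type and unsigned argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | info]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")


def cbor_encode(v):
    """Encode None/bool/int/bytes/str/list/dict with definite lengths only."""
    if v is None:
        return b"\xf6"
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        raw = v.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")


def _take(b, i, n):
    """Slice n bytes at offset i, refusing truncated input."""
    if i + n > len(b):
        raise ValueError("truncated CBOR input")
    return b[i:i + n], i + n


def _decode(b, i):
    """Decode one CBOR item at offset i; return (value, next_offset)."""
    if i >= len(b):
        raise ValueError("truncated CBOR input")
    major, info = b[i] >> 5, b[i] & 0x1F
    i += 1
    if major == 7:                     # only false/true/null are needed here
        simple = {20: False, 21: True, 22: None}
        if info not in simple:
            raise ValueError("unsupported simple/float value")
        return simple[info], i
    if info < 24:
        n = info
    elif info <= 27:
        raw, i = _take(b, i, 1 << (info - 24))
        n = int.from_bytes(raw, "big")
    else:
        raise ValueError("indefinite-length items not supported")
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major in (2, 3):
        raw, i = _take(b, i, n)
        return (bytes(raw) if major == 2 else raw.decode("utf-8")), i
    if major == 4:
        items = []
        for _ in range(n):
            x, i = _decode(b, i)
            items.append(x)
        return items, i
    if major == 5:
        m = {}
        for _ in range(n):
            k, i = _decode(b, i)
            x, i = _decode(b, i)
            if k in m:                 # duplicate keys make claim lookup ambiguous
                raise ValueError("duplicate map key")
            m[k] = x
        return m, i
    raise ValueError("CBOR tags not supported")


def cbor_decode(b):
    v, end = _decode(b, 0)
    if end != len(b):
        raise ValueError("trailing bytes after CBOR item")
    return v


def build_cose_sign1(payload_claims, header_claims, detached=False):
    """Constructed COSE_Sign1 = [protected bstr, unprotected map, payload, signature].
    The signature is a placeholder; signing is out of scope for this check."""
    protected = {ALG_LABEL: ALG_ES256}
    if header_claims is not None:
        protected[CWT_CLAIMS_LABEL] = header_claims
    payload = None if detached else cbor_encode(payload_claims)
    return cbor_encode([cbor_encode(protected), {}, payload, b"\x00" * 64])


def check_header_claims(cose_sign1, detached_payload=None):
    """Return (accepted, reason). Example policy: reject CWT claims in the
    unprotected header, require a detached payload to be supplied, and require
    every claim present in both header and payload to be identical."""
    protected_bstr, unprotected, payload, _sig = cbor_decode(cose_sign1)
    protected = cbor_decode(protected_bstr) if protected_bstr else {}
    if CWT_CLAIMS_LABEL in unprotected:
        return False, "CWT claims in unprotected header"
    if payload is None:                # detached payload: nil in the structure
        if detached_payload is None:
            return False, "detached payload not supplied"
        payload = detached_payload
    payload_claims = cbor_decode(payload)
    header_claims = protected.get(CWT_CLAIMS_LABEL, {})
    if not isinstance(header_claims, dict) or not isinstance(payload_claims, dict):
        return False, "claims are not a CBOR map"
    for key, value in header_claims.items():
        if key in payload_claims and payload_claims[key] != value:
            return False, f"claim {key} differs between header and payload"
    return True, "header claims consistent with payload"
```

The header claims are only ever used to route or pre-filter before the payload is examined; the decision still rests on the payload claims after the signature check, so a header that disagrees with the payload is treated as a reason to reject rather than something to reconcile.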