#75: Section 3.5 - "x5u" (X.509 URL) Header Parameter

A. Move the 5280 reference to before the 'or'.

B. Who is the MUST requirement on for the identified resource - is this something that the consumer needs to verify is true? Is there a reason to require consumers to do the chain building so that more complicated bags may be present? What action does the consumer perform if this is not true?

C. What happens if this JWK has only an x5u member in it? Is this a legal construct? How does one say that this matches the bare public key?

D. The middle clause of the semi-colons should be a parenthetical on the first clause.

E. There are additional requirements imposed on the representation of members in the JWK and the contents of the certificate. For example, the use and alg need to be compatible.

F. Need to make a trust statement about a key obtained this way. As the URL is not authenticated in any way, it cannot be used to build an association between a subject and a key.

G. Need to note that the fact that a certificate chain has been returned does not mean anything about making a trust decision in the certificate.

--
-------------------------+-------------------------------------------------
 Reporter:               |  Owner:  draft-ietf-jose-json-web-
  [email protected]       |  [email protected]
     Type:  defect       |  Status:  new
 Priority:  major        |  Milestone:
Component:  json-web-    |  Version:
  key                    |  Keywords:
 Severity:  -            |
-------------------------+-------------------------------------------------
Ticket URL: <https://grenache.tools.ietf.org/wg/jose/trac/ticket/75>
jose <http://tools.ietf.org/jose/>
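A consumer-side consistency check in the spirit of points C, E and G, added here as an example (it is not code from the ticket or from the JOSE drafts): it verifies that a chain fetched from x5u actually carries the JWK's bare key and a compatible key usage, while deliberately making no trust decision about the chain. The JWK struct, the helper names and the x5u URL are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// JWK is a minimal (hypothetical) RSA JWK model with just the members the x5u checks need.
type JWK struct{ Kty, Use, X5u, N, E string }

// CheckX5U validates a chain fetched from x5u against the JWK it arrived in: the JWK must carry a
// bare key (x5u alone is not one), the leaf public key must equal (n, e), and a "sig" key needs a
// certificate whose key usage allows digitalSignature (KeyUsage == 0 means the extension is absent,
// which imposes no restriction). It makes no trust decision: a matching chain proves no ownership.
func CheckX5U(j JWK, chain []*x509.Certificate) error {
	if j.Kty != "RSA" || j.N == "" || j.E == "" || len(chain) == 0 {
		return errors.New("JWK needs bare RSA key members and x5u must yield at least one certificate")
	}
	nb, errN := base64.RawURLEncoding.DecodeString(j.N)
	eb, errE := base64.RawURLEncoding.DecodeString(j.E)
	if errN != nil || errE != nil {
		return errors.New("n/e are not valid base64url")
	}
	pub, ok := chain[0].PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.Cmp(new(big.Int).SetBytes(nb)) != 0 ||
		big.NewInt(int64(pub.E)).Cmp(new(big.Int).SetBytes(eb)) != 0 {
		return errors.New("leaf certificate public key does not match the JWK's n/e")
	}
	if j.Use == "sig" && chain[0].KeyUsage != 0 && chain[0].KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("use=sig but certificate key usage excludes digitalSignature")
	}
	return nil
}

// SelfSigned builds a constructed self-signed certificate for key (sample data, not a real chain).
func SelfSigned(key *rsa.PrivateKey, usage x509.KeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: usage}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// ToJWK renders the public half of key as an RSA JWK pointing at a constructed x5u URL.
func ToJWK(key *rsa.PrivateKey, use, x5u string) JWK {
	return JWK{Kty: "RSA", Use: use, X5u: x5u, N: base64.RawURLEncoding.EncodeToString(key.N.Bytes()),
		E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
}
```

Even when CheckX5U returns nil, the chain still has to be validated against an out-of-band trust anchor before the key is used for anything.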
