I’ve added the working group to this thread so they're aware of your comments. Replies are inline below…
-----Original Message----- From: Barry Leiba [mailto:[email protected]] Sent: Thursday, September 25, 2014 7:33 AM To: The IESG Cc: [email protected]; [email protected] Subject: Barry Leiba's No Objection on draft-ietf-jose-json-web-algorithms-32: (with COMMENT) Barry Leiba has entered the following ballot position for draft-ietf-jose-json-web-algorithms-32: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-algorithms/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I have one comment. I'm making it non-blocking, but I think it really does need to be clarified, so please chat with me about it: -- Section 7.1 -- The implementation requirements of an algorithm MAY be changed over time by the Designated Experts(s) as the cryptographic landscape evolves, for instance, to change the status of an algorithm to Deprecated, or to change the status of an algorithm from Optional to Recommended+ or Required. Changes of implementation requirements are only permitted on a Specification Required basis, with the new specification defining the revised implementation requirements level. 1 (minor). The "MAY" does not refer to a protocol option, and I think it should not be a 2119 key word. Agreed 2 (the real point). I don't understand how the two sentences relate to each other. The first sentence seems to say that the DE(s) can change implementation requirements on their own. The second says it has to be done using Specification Required (which doesn't really need to be said, as that's the policy for the registry anyway). Which is it? If it's Specification Required, then anyone can propose a change, using a specification, and the DE(s) will review that as they do any other registration request. The intent is for both to be required – that a specification be written proposing the change and the designated experts approve the change. I can look into a wording change to make this clearer when the document is next revised. This comment also applies to Sections 7.4 and 7.6. Noted. -- Mike
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
