Replies prefixed by "Mike>".

From: Pete Resnick [mailto:[email protected]]
Sent: Thursday, October 02, 2014 9:57 AM
To: Mike Jones
Cc: Kathleen Moriarty; [email protected]; The IESG; 
[email protected]
Subject: Re: Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: 
(with DISCUSS and COMMENT)

On 10/2/14 11:42 AM, Mike Jones wrote:


On 10/2/14 9:37 AM, Kathleen Moriarty wrote:




On Thu, Oct 2, 2014 at 9:20 AM, Pete Resnick <[email protected]> wrote:


If there's anything in Section 8 that is not in 4.1.2 and needs to be, fine, 
move that information into 4.1.2. But TLS is not required globally. It is only 
required for jku. Section 8 says that TLS is required globally. AFAICT, that's 
not a requirement.

It is also needed for "x5u" (X.509 URL), at least in some cases.  It's more 
efficient editorially to have common text about TLS requirements for these 
multiple uses than to duplicate the text into multiple subsections.

On the telechat, we left this one as needing the WG's help here to figure out 
exactly where TLS is needed and making sure the requirements are clear rather 
than a blanket statement.  jku is one spot where it is required and the other 
is when there is privacy-related data.  Can the WG figure out the full list 
and then we'll update the draft as such?

We could cite Section 8 from all the places that TLS is used, if you believe 
that that would help implementers pay attention, Pete.

So long as section 8 says, "Where TLS is used, it MUST do X Y Z", and the "MUST 
use TLS; see section 8 for how" is in the section with jku (and x5u if needed), 
that's cool. Just don't say "MUST use TLS" in section 8.

Mike> Sounds good.  Thanks, Pete.

                                                            -- Mike

pr


--

Pete Resnick <http://www.qualcomm.com/~presnick/>

Qualcomm Technologies, Inc. - +1 (858)651-4478
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
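
The thread settles on stating the TLS requirement where "jku" and "x5u" are defined. The following is an added example, not part of the original messages or of the draft: a pre-fetch check that reads the JWS protected header and flags any "jku" or "x5u" URL that would not be retrieved over TLS. It assumes both parameters always require https (stricter than the "at least in some cases" stated for "x5u"); the function names and the example.com URLs are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Header parameters the thread names as carrying URLs that get dereferenced.
URL_PARAMS = ("jku", "x5u")


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def insecure_key_urls(compact_jws: str) -> dict:
    """Return {param: reason} for each jku/x5u value that should not be fetched."""
    header = json.loads(b64url_decode(compact_jws.split(".")[0]))
    problems = {}
    for name in URL_PARAMS:
        if name not in header:
            continue
        value = header[name]
        if not isinstance(value, str):
            problems[name] = "not a string"
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":  # assumption: https required for both
            problems[name] = "scheme is not https"
        elif not parts.hostname:
            problems[name] = "no host to validate the TLS certificate against"
    return problems


def make_compact(header: dict) -> str:
    """Build a constructed, unsigned sample token (header.payload.signature)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), ""])


# Constructed sample headers; the URLs are placeholders.
GOOD = make_compact({"alg": "RS256", "jku": "https://keys.example.com/jwks.json"})
BAD = make_compact({"alg": "RS256", "jku": "http://keys.example.com/jwks.json",
                    "x5u": "ftp://keys.example.com/cert.pem"})

if __name__ == "__main__":
    print(insecure_key_urls(GOOD))
    print(insecure_key_urls(BAD))
```

The check runs before any network request and before signature verification, so a rejected header never triggers a fetch.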
