Thanks for your review, Stephen.  I'm adding the working group to the thread so 
they're aware of your comments.

> -----Original Message-----
> From: Stephen Farrell [mailto:[email protected]]
> Sent: Thursday, October 02, 2014 4:15 AM
> To: The IESG
> Cc: [email protected]; [email protected]
> Subject: Stephen Farrell's Discuss on draft-ietf-jose-json-web-key-33: (with
> DISCUSS and COMMENT)
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-jose-json-web-key-33: Discuss
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-key/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> 
> nearly a nit, but would impact code so a discuss to make sure we get it
> right...
> 
> 4.5: saying kid is case sensitive precludes use of DNS names there or
> introduces bugs if those are used.  Since DNS names are the primary way we
> distinguish things on the Internet, that seems odd. I don't think that you
> need to say case-insensitive here but that you might want to say that DNS
> names SHOULD be [lower|upper]cased before being used in kid parameters.

OK

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> 4.8: I'd prefer if sha-256 had been the default/shorter of these. But
> whatever.

The SHA-1 is the one that's actually in widely deployed crypto libraries, 
including Windows and OpenSSL, and has been in the spec pretty much the whole 
time.  Kathleen had us add the S256 version based on its usage in SSH during 
her AD review.

> 4.8/4.9: the disconnect with DANE and other specs that use
> HASH(SPKI) as a thumbprint is a pity (but can be fixed later). How'd that
> happen?

The current thumbprint calculation is the one used by OpenSSL and Windows, 
among others.

The first that this issue was raised was during Tero Kivinen's secdir review.  
In that discussion, I pointed out that other specs are free to define header 
parameter(s) to represent the HASH(SPKI) thumbprint and register them.  (I even 
pointed him to draft-jones-jose-jwk-thumbprint-01 as an example of a spec 
making a similar registration that he could use as an example if he wanted to 
write it up.)  He thought that that definition would be useful to the IoT 
community, so I expect that someone will do that when the need arises.

> 8: "make sense" still isn't useful;-) I've noted that on the algs draft
> though so won't repeat more.

Noted

> C.9: Huh? Needs a ref to compact rep which isn't defined here.

Agreed - thanks

> As with other JOSE drafts, there was a substantial thread on the secdir review
> that I didn't have time to follow but I'm ok that Kathleen's been on top of
> that.

Yes, she has.

                                Thanks again,
                                -- Mike

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
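
Added example, not part of the original message or of the draft: a sketch of the kid point raised in the DISCUSS on 4.5, showing that an exact (case-sensitive) kid match misses a DNS name written with different case, and that lowercasing the DNS name before it is used as a kid avoids that. The helper names, the sample JWK Set and the collision check are assumptions made for illustration.

```python
import json
import string
from collections import defaultdict

# DNS names are case-insensitive over ASCII letters only, so fold just those.
_ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)

def dns_name_to_kid(name):
    """Lowercase a DNS name before using it as a kid (hypothetical helper)."""
    return name.translate(_ASCII_LOWER)

def find_key(jwk_set, kid):
    """Exact, case-sensitive kid match; returns the JWK or None."""
    for jwk in jwk_set.get("keys", []):
        if jwk.get("kid") == kid:
            return jwk
    return None

def find_key_for_host(jwk_set, host):
    """Look up a key whose kid is a DNS name, folding case on the caller side."""
    return find_key(jwk_set, dns_name_to_kid(host))

def case_collisions(jwk_set):
    """Publisher-side check: groups of kid values that differ only by ASCII case."""
    groups = defaultdict(list)
    for jwk in jwk_set.get("keys", []):
        if "kid" in jwk:
            groups[jwk["kid"].translate(_ASCII_LOWER)].append(jwk["kid"])
    return sorted(kids for kids in groups.values() if len(set(kids)) > 1)

# Constructed sample JWK Set (key material is dummy data).
JWKS = json.loads("""
{"keys": [
  {"kty": "oct", "kid": "keys.example.com", "k": "ZHVtbXkta2V5LW9uZQ"},
  {"kty": "oct", "kid": "2014-10-A",        "k": "ZHVtbXkta2V5LXR3bw"},
  {"kty": "oct", "kid": "2014-10-a",        "k": "ZHVtbXkta2V5LXRocmVl"}
]}
""")

if __name__ == "__main__":
    print(find_key(JWKS, "Keys.Example.COM"))           # no match: kid is case-sensitive
    print(find_key_for_host(JWKS, "Keys.Example.COM"))  # matches after lowercasing
    print(case_collisions(JWKS))                        # kids that differ only by case
```

The collision check is a publisher-side lint: two kids that differ only by case are distinct under exact matching, but are easy to confuse when a consumer or operator treats them as names.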