Hi Stephen,

Could you take a look at the text changes made and responses to your DISCUSS positions in the next few days? We’re down to a week left to submit new drafts and if we need to make further changes for you, it would be good to know what they are before that.

For your DISCUSS on JWK, this text was added in http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-35#section-5.3:

   Some applications may include case-insensitive information in a case-sensitive value, such as including a DNS name as part of a "kid" (key ID) value. In those cases, the application may need to define a convention for the canonical case to use for representing the case-insensitive portions, such as lowercasing them, if more than one party might need to produce the same value so that they can be compared. (However if all other parties consume whatever value the producing party emitted verbatim without attempting to compare it to an independently produced value, then the case used by the producer will not matter.)

For your DISCUSS on JWA about the "oth" RSA private key parameters, I'd responded to that on the list, but didn't delete it.

For your (3) on JWT, I did add this text in http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29#section-12:

   Of course, including only necessary privacy-sensitive information in a JWT is the most basic means of minimizing any potential privacy issues.

The proposed resolutions were applied in response to your COMMENT positions too.

Thanks,
-- Mike

-----Original Message-----
From: Stephen Farrell [mailto:[email protected]]
Sent: Tuesday, October 07, 2014 6:17 PM
To: Mike Jones; Barry Leiba
Cc: [email protected]; Jim Schaad; Ted Lemon; [email protected]; [email protected]; The IESG
Subject: Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-json-web-key-33: (with DISCUSS and COMMENT)

On 08/10/14 01:47, Mike Jones wrote:
> The real rule is "always case sensitive unless otherwise specified".
> I think the right fix is to be clear on that point. Stephen and
> Barry, can I proceed on that basis and have you review the proposed
> edits?

I'm not clear what edits you are proposing but I do think that submitting an updated draft is fine and we can look at that and see how it maps to the various discuss/comment points more easily than fully process this many threads in parallel.

That said, I don't agree that the "rule" you state above is universal - messy as it may be, reality requires dealing with both case sensitive and case insensitive identifiers as well as i18n for string comparisons. In the case of key ids, I don't think there's a generic i18n issue, but there is a real issue that DNS names will be used as part of key ids. That real issue cannot be wished away via specification language no matter how smart or subtle so any updated text that does not have some level of messiness will unfortunately likely not be fit for purpose.

(If however your edits are pretty much along the lines of the text previously discussed, then as I've said, I'll be fine to clear the discuss.)

S.
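
An added example, not part of the thread or of the drafts it quotes: the "kid" canonical-case convention from the section 5.3 text, shown as a key lookup that fails under a verbatim compare when a second party derives the kid independently, and succeeds once the DNS-name portion is lowercased. It assumes a hypothetical application convention of kid = "<dns-name>/<key-label>"; the function names and the sample JWK Set are constructed for illustration.

```python
import string

# DNS names are case-insensitive only for ASCII letters, so fold A-Z and nothing else.
_ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)

# Constructed sample JWK Set; kids and key values are made up for this example.
JWKS = {"keys": [
    {"kty": "oct", "kid": "keys.example.com/2014-10-sig", "k": "c2FtcGxl"},
    {"kty": "oct", "kid": "keys.example.com/2014-10-SIG", "k": "b3RoZXI"},
]}


def canonical_kid(kid):
    """Lowercase the DNS-name part of a kid, leaving the key label as-is.

    Assumed convention (hypothetical): kid = "<dns-name>/<key-label>".
    A kid without "/" is opaque and is returned verbatim.
    """
    host, sep, label = kid.partition("/")
    if not sep:
        return kid
    return host.translate(_ASCII_LOWER) + sep + label


def find_key(jwk_set, header_kid, canonicalize):
    """Return the first JWK whose kid matches header_kid, else None."""
    want = canonical_kid(header_kid) if canonicalize else header_kid
    for jwk in jwk_set.get("keys", []):
        have = jwk.get("kid")
        if not isinstance(have, str):
            continue
        if canonicalize:
            have = canonical_kid(have)
        if have == want:  # the remaining comparison stays case-sensitive
            return jwk
    return None


if __name__ == "__main__":
    # A second party derives the kid from the DNS name as it was typed locally.
    derived = "Keys.Example.COM/2014-10-sig"
    print(find_key(JWKS, derived, canonicalize=False))   # verbatim compare
    print(find_key(JWKS, derived, canonicalize=True))    # with the convention
```

Only the DNS-name portion is folded; the two sample keys whose labels differ in case remain distinct, which is the case-sensitive default the thread refers to.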
