Thanks for writing the document, Neil. Here are my review comments based on reading draft-ietf-jose-deprecate-none-rsa15-02.
1.1. <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1> The 'none' algorithm <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#name-the-none-algorithm>: I suggest sorting the list of CVEs by date.

1.1. <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1> The 'none' algorithm <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#name-the-none-algorithm>: After the sentence beginning "Although there are some legitimate use-cases for Unsecured JWS", I suggest adding this text:

    One of the legitimate use cases for Unsecured JWSs is OpenID Connect ID Tokens secured by sending them over a TLS connection, as described in Section 2 of [OpenID.Core]. Another legitimate use is unsigned request objects, as described in Section 6.1 of [OpenID.Core].

The reference for [OpenID.Core] is:

    <reference anchor="OpenID.Core" target="https://openid.net/specs/openid-connect-core-1_0.html">
      <front>
        <title>OpenID Connect Core 1.0</title>
        <author fullname="Nat Sakimura" initials="N." surname="Sakimura">
          <organization abbrev="NAT.Consulting (was at NRI)">NAT.Consulting</organization>
        </author>
        <author fullname="John Bradley" initials="J." surname="Bradley">
          <organization abbrev="Yubico (was at Ping Identity)">Yubico</organization>
        </author>
        <author fullname="Michael B. Jones" initials="M.B." surname="Jones">
          <organization abbrev="Self-Issued Consulting (was at Microsoft)">Self-Issued Consulting</organization>
        </author>
        <author fullname="Breno de Medeiros" initials="B." surname="de Medeiros">
          <organization abbrev="Google">Google</organization>
        </author>
        <author fullname="Chuck Mortimore" initials="C." surname="Mortimore">
          <organization abbrev="Disney (was at Salesforce)">Disney</organization>
        </author>
        <date day="15" month="December" year="2023"/>
      </front>
    </reference>

4.2. <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-4.2> Updated Review Instructions for Designated Experts <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#name-updated-review-instructions>: I suggest changing the somewhat inaccessible phrase "reasonably conjectured" to "believed".

4.2. <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-4.2> Updated Review Instructions for Designated Experts <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#name-updated-review-instructions>: Capitalize "section" in references to section numbers and likewise capitalize "chapter". (I believe the RFC Editor will do this to follow IETF style guidelines, so you might as well do it now.)

Appendix A. <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#appendix-A> Acknowledgments <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#name-acknowledgments>: Please change "Michael Jones" to "Michael B. Jones". I use my middle initial in professional contexts because there are so many people in the world who share my name.

Thanks!

-- Mike
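As an added illustration of the point behind the Unsecured JWS discussion above (this is editor-added example code, not part of the review or of the draft), the following Python verifier makes the caller, not the token header, fix the accepted algorithm, so that an `alg: none` token is accepted only when the application explicitly asks for it, as in the TLS-protected ID Token case. The HS256 key and claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jws(claims: dict, alg: str, key=None) -> str:
    """Build a compact JWS; alg is 'HS256' or 'none' (an Unsecured JWS)."""
    header = _b64url_encode(json.dumps({"alg": alg}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."  # empty signature part, RFC 7515 Appendix A.5
    if alg != "HS256":
        raise ValueError(f"unsupported alg {alg!r}")
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def verify_jws(token: str, expected_alg: str, key=None) -> dict:
    """Return the claims only if the header alg is exactly `expected_alg`.
    'none' is accepted only when the caller asks for it, i.e. when the JWS is
    already protected by other means (e.g. the TLS channel discussed above)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg != expected_alg:  # the verifier's policy wins over the token header
        raise ValueError(f"alg {alg!r} in header, verifier expects {expected_alg!r}")
    if alg == "none":
        if sig_b64 != "":
            raise ValueError("Unsecured JWS must have an empty signature part")
    elif alg == "HS256":
        if key is None:
            raise ValueError("HS256 verification needs a key")
        mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _b64url_decode(sig_b64)):
            raise ValueError("HS256 signature mismatch")
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    return json.loads(_b64url_decode(payload_b64))
```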
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
