Hi Kathleen,

on the first item I have a few minor remarks:

You wrote:

"
As I read through the Algorithms (JWA) draft there are some changes that will need to be made to avoid problems during the IESG review. This is a pretty big change for the draft, but will help make the review and approval faster. Typically, the lists of algorithms are handled through a draft update as opposed to creating an IANA registry. A good example is a recent update of a draft in the IPSECME working group so you can see the structure and the precedence for this model.
"

The IANA registry for the algorithm serves a different purpose than a document recommending the specific algorithms. The reference to the IPSECME document only provides the latter.

It is also important to note that the JWA not only defines the algorithm tags for the IANA registry but also explains how they actually work with the JOSE defined JSON structures (which is again a difference to the mentioned IPSECME document).

Of course, the JWA document does both via the IANA registry and there is the question about how these recommendations would then get updated and what the consensus process is.

In a mail to the JOSE mailing list I argued against any MTI recommendations since JOSE is a baseline technology that will be used in a variety of different contexts and it is super likely that the algorithm requirements will hugely vary. I am just thinking about what algorithms I would recommend when using the JOSE work in an IoT environment. My recommendations would deviate from the currently given recommendations, which are largely impacted by the Web community.

Here is the mail I sent to the JOSE list:
http://www.ietf.org/mail-archive/web/jose/current/msg04032.html

So, my recommendation is to
1) have no MTI requirements in the JWA spec
2) remove the 'JOSE Implementation Requirements' column from the IANA registry.

Ciao
Hannes

On 06/09/2014 06:17 PM, Kathleen Moriarty wrote:
> Hello,
>
> I am in the process of working through the JOSE drafts and also read the
> Oauth JWT draft last week. There is some overlap in text that may
> require some joint work to correct.
>
> 1. For JWT, the Security Considerations section starts off with the same
> text that is in several of the JOSE drafts. In my review of the JWA
> draft, I asked for some fixes that will need to be made to this draft as
> well. Here is a link to that review and it may be easier to help with
> this work in one spot where text will be reused. Mike has asked the
> JOSE WG to assist, but it may make sense for Oauth folks to help as
> well. If it makes sense, a pointer to existing text is also fine.
>
> http://www.ietf.org/mail-archive/web/jose/current/msg04064.html
>
> 2. Sections 5.1 and 5.2 are a little confusing. However, the use of
> "typ" and "cty" appear in 3 drafts (at least), so this should get
> addressed with an approach that considers the joint text to reduce
> confusion for developers. The initial descriptions are in the JOSE JWS
> draft, so that may need most of the work, but it also appears in this
> draft and the JOSE JWK draft. In my writeup for the JWK review, I
> listed out some questions and would like to see improvements across
> these drafts. This will likely require some joint work and may be best
> in response to the JWK review to keep it in one place.
>
> http://www.ietf.org/mail-archive/web/jose/current/msg04172.html
>
> Thank you!
>
> --
>
> Best regards,
> Kathleen
>
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
