Thanks, Mike.

Okay, SHA-1 was a bad example.  Hannes asked in response to my earlier
review as he felt this was not resolved.  I read back through the most
recent thread and do see the responses you and Jim provided, also
referenced in my response as valid considerations.  If possible, it would
be great to get this settled sooner rather than later as well as for me to
figure out if either approach will cause heartburn in the IESG review
process.  I'll proactively dig into that so we can avoid issues later.
They may or may not care either way.  It would be good for me to know this
for this particular issue as well as possible future issues that are
similar so I can help catch them earlier.

Is there a ticket on this from previous discussions to the ones started in
April?

Thanks!


On Fri, Jun 13, 2014 at 3:26 PM, Mike Jones <[email protected]> wrote:

>  In no place is SHA-1 or algorithms using it MTI.  You can see the set of
> MTI algorithms by looking at those marked “Required” in the registries.
>
> A small set of required algorithms is present, with the choices based on a
> detailed survey of what algorithms are widely deployed, to provide a basis
> for implementations to interoperate.  Recognizing that the set of
> algorithms that will be appropriate to have as required will change over
> time, Sean Turner suggested that we enable future drafts to update the
> Implementation Requirements in the registries, with expert review.  (So for
> instance, an algorithm that might be “Required” today could be marked
> “Deprecated” in the future.)  We adopted Sean’s suggestion a good while ago.
>
> This is another area that was widely discussed within the JOSE working
> group, and there was never consensus to remove the implementation
> requirements, which have always been present.
>
> -- Mike
>
> From: OAuth [mailto:[email protected]] On Behalf Of Kathleen Moriarty
> Sent: Friday, June 13, 2014 12:14 PM
> To: Hannes Tschofenig
> Cc: [email protected]
> Subject: Re: [OAUTH-WG] JWT review
>
> Hi Hannes,
>
> Thank you for going through the various reviews, since the JOSE ones
> should be of interest to OAuth.  I'll respond in-line.
>
> On Thu, Jun 12, 2014 at 4:27 AM, Hannes Tschofenig <[email protected]> wrote:
>
> Hi Kathleen,
>
> on the first item I have a few minor remarks: You wrote:
>
> "
> As I read through the Algorithms (JWA) draft there are some changes that
> will need to be made to avoid problems during the IESG review.  This is
> a pretty big change for the draft, but will help make the review and
> approval faster.  Typically, the lists of algorithms are handled through
> a draft update as opposed to creating an IANA registry.  A good example
> is a recent update of a draft in the IPSECME working group so you can
> see the structure and the precedence for this model.
> "
>
> FYI - this is from the start of a long thread that has been worked out
> already.  I had included a link to the JWA review only for the section on
> the security considerations section as many of the drafts in JOSE, and at
> least one in OAuth start out with the same paragraph that could use some
> updating and correcting.  I wanted to make sure this working group was
> aware since JWT shares that same paragraph.  Mike is working through new
> text and has solicited help from the WG (please respond on the JOSE list).
>
>
> The IANA registry for the algorithm serves a different purpose than a
> document recommending the specific algorithms. The reference to the
> IPSECME document only provides the latter. It is also important to note
> that the JWA not only defines the algorithm tags for the IANA registry
> but also explains how they actually work with the JOSE defined JSON
> structures (which is again a difference to the mentioned IPSECME document).
>
> The discussion on having a registry versus a draft has been settled.
> The possibility of an issue came to me through an AD and after discussion,
> it is fine as it is.  There were some considerations that needed to get
> surfaced, so the document can remain as-is.  Sorry for the confusion.  I'll
> file this away for the future reference.
>
>
> Of course, the JWA document does both via the IANA registry and there is
> the question about how these recommendations would then get updated and
> what the consensus process is.
>
> In a mail to the JOSE mailing list I argued against any MTI
> recommendations since JOSE is a baseline technology that will be used in
> a variety of different contexts and it is super likely that the
> algorithm requirements will hugely vary.
>
> I am just thinking about what algorithms I would recommend when using
> the JOSE work in an IoT environment. My recommendations would deviate
> from the currently given recommendations, which are largely impacted by
> the Web community.
>
> Here is the mail I sent to the JOSE list:
> http://www.ietf.org/mail-archive/web/jose/current/msg04032.html
>
> So, my recommendation is to
>
> 1) have no MTI requirements in the JWA spec
> 2) remove the 'JOSE Implementation Requirements' column from the IANA
> registry.
>
> Interesting.  I do remember having these discussions with Sean and
> Richard (see
> http://www.ietf.org/mail-archive/web/jose/current/msg04060.html).  In
> Jim's opinion, (from:
> http://www.ietf.org/mail-archive/web/jose/current/msg04062.html), his
> view is that even the MTI in JWA can be overridden in the spec.  I wonder
> why you would have an MTI then?
>
> This closed out the discussion and it would be better to see it on the
> JOSE list than here.  If the point is to get OAuth people who are
> encountering conflicts as a user of JOSE drafts to chime in, that should
> happen on the JOSE list.  I suspect this will be an issue for XMPP as well.
> They are phasing out SHA-1, so if that's MTI for fingerprints, they may
> still feel like they have to support SHA-1 for that purpose even though
> their work specifies that SHA-2 should be used everywhere.
>
> Since JWA is getting closer to IESG review, I'll ask other ADs their
> thoughts on how they like to see this sort of thing handled.  Both Richard
> and Jim raised valid points.
>
> Thank you,
>
> Kathleen
>
>
> Ciao
> Hannes
>
> On 06/09/2014 06:17 PM, Kathleen Moriarty wrote:
> > Hello,
> >
> > I am in process of working through the JOSE drafts and also read the
> > OAuth JWT draft last week.  There is some overlap in text that may
> > require some joint work to correct.
> >
> > 1. For JWT, the Security Considerations section starts off with the same
> > text that is in several of the JOSE drafts.  In my review of the JWA
> > draft, I asked for some fixes that will need to be made to this draft as
> > well.  Here is a link to that review and it may be easier to help with
> > this work in one spot where text will be reused.  Mike has asked the
> > JOSE WG to assist, but it may make sense for OAuth folks to help as
> > well.  If it makes sense, a pointer to existing text is also fine.
> >
> > http://www.ietf.org/mail-archive/web/jose/current/msg04064.html
> >
> > 2. Sections 5.1 and 5.2 are a little confusing.  However, the use of
> > "typ" and "cty" appear in 3 drafts (at least), so this should get
> > addressed with an approach that considers the joint text to reduce
> > confusion for developers.  The initial descriptions are in the JOSE JWS
> > draft, so that may need most of the work, but it also appears in this
> > draft and the JOSE JWK draft.  In my writeup for the JWK review, I
> > listed out some questions and would like to see improvements across
> > these drafts.  This will likely require some joint work and may be best
> > in response to the JWK review to keep it in one place.
> >
> > http://www.ietf.org/mail-archive/web/jose/current/msg04172.html
> >
> > Thank you!
> >
> > --
> >
> > Best regards,
> > Kathleen
> >
> >
>
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
> >
>
> --
> Best regards,
> Kathleen

-- 
Best regards,
Kathleen