Thanks, Mike. I've sent out a question to get the viewpoint of the current IESG members in hopes to prevent issues as we move forward. I'll post back to the discussion once I get enough input on current preferences in case anything has changed from experience, etc.
On Fri, Jun 13, 2014 at 4:04 PM, Mike Jones <[email protected]> wrote:

> This was considered by the WG as issue #10 -
> http://trac.tools.ietf.org/wg/jose/trac/ticket/10.
>
> In the OAuth context, I know that draft-ietf-oauth-assertions and
> draft-ietf-oauth-saml2-bearer were sent to the IESG for review in 2012 and
> then sent back to the OAuth working group by the IESG because they felt
> that additional work needed to be done on the drafts so that they would
> *actually* be interoperable – not just that it was possible for
> implementations to interoperate. Stephen Farrell could perhaps speak more
> to that.
>
> That clear sentiment from the IESG to the OAuth WG has also informed the
> decisions for the JWT and JOSE specs to keep a small set of MTI algorithms
> so that implementations would actually have a common basis to interoperate.
>
> IESG feedback on requiring interoperability was referenced by Jim Schaad
> in his text closing the issue:
>
> The IESG has had a discussion on this issue as part of the recent charter
> discussions. The chairs believe that it is clear from that discussion that
> MTI algorithms are going to be required in order for the documents to
> progress. For that reason we are closing this ticket.
>
> -- Mike
>
> *From:* OAuth [mailto:[email protected]] *On Behalf Of* Mike Jones
> *Sent:* Friday, June 13, 2014 12:27 PM
> *To:* Kathleen Moriarty; Hannes Tschofenig
> *Cc:* [email protected]
> *Subject:* Re: [OAUTH-WG] JWT review
>
> In no place is SHA-1 or algorithms using it MTI. You can see the set of
> MTI algorithms by looking at those marked "Required" in the registries.
>
> A small set of required algorithms is present, with the choices based on a
> detailed survey of what algorithms are widely deployed, to provide a basis
> for implementations to interoperate. Recognizing that the set of
> algorithms that will be appropriate to have as required will change over
> time, Sean Turner suggested that we enable future drafts to update the
> Implementation Requirements in the registries, with expert review. (So for
> instance, an algorithm that might be "Required" today could be marked
> "Deprecated" in the future.) We adopted Sean's suggestion a good while ago.
>
> This is another area that was widely discussed within the JOSE working
> group, and there was never consensus to remove the implementation
> requirements, which have always been present.
>
> -- Mike
>
> *From:* OAuth [mailto:[email protected]] *On Behalf Of* Kathleen Moriarty
> *Sent:* Friday, June 13, 2014 12:14 PM
> *To:* Hannes Tschofenig
> *Cc:* [email protected]
> *Subject:* Re: [OAUTH-WG] JWT review
>
> Hi Hannes,
>
> Thank you for going through the various reviews, since the JOSE ones
> should be of interest to Oauth. I'll respond in-line.
>
> On Thu, Jun 12, 2014 at 4:27 AM, Hannes Tschofenig <[email protected]> wrote:
>
> Hi Kathleen,
>
> on the first item I have a few minor remarks: You wrote:
>
> "
> As I read through the Algorithms (JWA) draft there are some changes that
> will need to be made to avoid problems during the IESG review. This is
> a pretty big change for the draft, but will help make the review and
> approval faster. Typically, the lists of algorithms are handled through
> a draft update as opposed to creating an IANA registry. A good example
> is a recent update of a draft in the IPSECME working group so you can
> see the structure and the precedence for this model.
> "
>
> FYI - this is from the start of a long thread that has been worked out
> already. I had included a link to the JWA review only for the section on
> the security considerations section as many of the drafts in JOSE, and at
> least one in OAuth start out with the same paragraph that could use some
> updating and correcting. I wanted to make sure this working group was
> aware since JWT shares that same paragraph. Mike is working through new
> text and has solicited help from the WG (please respond on the JOSE list).
>
> The IANA registry for the algorithm serves a different purpose than a
> document recommending the specific algorithms. The reference to the
> IPSECME document only provides the latter. It is also important to note
> that the JWA not only defines the algorithm tags for the IANA registry
> but also explains how they actually work with the JOSE defined JSON
> structures (which is again a difference to the mentioned IPSECME document).
>
> The discussion on having a registry versus a draft has been settled.
> The possibility of an issue came to me through an AD and after discussion,
> it is fine as it is. There were some considerations that needed to get
> surfaced, so the document can remain as-is. Sorry for the confusion. I'll
> file this away for future reference.
>
> Of course, the JWA document does both via the IANA registry and there is
> the question about how these recommendations would then get updated and
> what the consensus process is.
>
> In a mail to the JOSE mailing list I argued against any MTI
> recommendations since JOSE is a baseline technology that will be used in
> a variety of different contexts and it is super likely that the
> algorithm requirements will hugely vary.
>
> I am just thinking about what algorithms I would recommend when using
> the JOSE work in an IoT environment. My recommendations would deviate
> from the currently given recommendations, which are largely impacted by
> the Web community.
>
> Here is the mail I sent to the JOSE list:
> http://www.ietf.org/mail-archive/web/jose/current/msg04032.html
>
> So, my recommendation is to
>
> 1) have no MTI requirements in the JWA spec
> 2) remove the 'JOSE Implementation Requirements' column from the IANA
> registry.
>
> Interesting. I do remember having these discussions with Sean and
> Richard (see
> http://www.ietf.org/mail-archive/web/jose/current/msg04060.html). In
> Jim's opinion (from:
> http://www.ietf.org/mail-archive/web/jose/current/msg04062.html), his
> view is that even the MTI in JWA can be overridden in the spec. I wonder
> why you would have an MTI then?
>
> This closed out the discussion and it would be better to see it on the
> JOSE list than here. If the point is to get Oauth people who are
> encountering conflicts as a user of JOSE drafts to chime in, that should
> happen on the JOSE list. I suspect this will be an issue for XMPP as well.
> They are phasing out SHA-1, so if that's MTI for fingerprints, they may
> still feel like they have to support SHA-1 for that purpose even though
> their work specifies that SHA-2 should be used everywhere.
>
> Since JWA is getting closer to IESG review, I'll ask other ADs their
> thoughts on how they like to see this sort of thing handled. Both Richard
> and Jim raised valid points.
>
> Thank you,
> Kathleen
>
> Ciao
> Hannes
>
> On 06/09/2014 06:17 PM, Kathleen Moriarty wrote:
> > Hello,
> >
> > I am in process of working through the JOSE drafts and also read the
> > Oauth JWT draft last week. There is some overlap in text that may
> > require some joint work to correct.
> >
> > 1. For JWT, the Security Considerations section starts off with the same
> > text that is in several of the JOSE drafts. In my review of the JWA
> > draft, I asked for some fixes that will need to be made to this draft as
> > well. Here is a link to that review and it may be easier to help with
> > this work in one spot where text will be reused. Mike has asked the
> > JOSE WG to assist, but it may make sense for Oauth folks to help as
> > well. If it makes sense, a pointer to existing text is also fine.
> >
> > http://www.ietf.org/mail-archive/web/jose/current/msg04064.html
> >
> > 2. Sections 5.1 and 5.2 are a little confusing. However, the use of
> > "typ" and "cty" appear in 3 drafts (at least), so this should get
> > addressed with an approach that considers the joint text to reduce
> > confusion for developers. The initial descriptions are in the JOSE JWS
> > draft, so that may need most of the work, but it also appears in this
> > draft and the JOSE JWK draft. In my writeup for the JWK review, I
> > listed out some questions and would like to see improvements across
> > these drafts. This will likely require some joint work and may be best
> > in response to the JWK review to keep it in one place.
> >
> > http://www.ietf.org/mail-archive/web/jose/current/msg04172.html
> >
> > Thank you!
> >
> > --
> >
> > Best regards,
> > Kathleen
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
>
> Best regards,
> Kathleen

--
Best regards,
Kathleen
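The registry "Implementation Requirements" column that Mike describes in the thread (an algorithm marked "Required" today may be marked "Deprecated" later, through expert review rather than a syntax change) is only useful if implementations actually consult it before they run any cryptography. The Python below is an added illustration of that consumer side; it is not code from this thread, from the JOSE drafts, or from any JOSE library. It decodes the protected header of a compact-serialized JWS, reads `alg`, and checks it against a local policy table whose entries are constructed for the example and shaped like the registry column; the sample tokens are likewise constructed and carry empty signature segments, since the check runs before, and independently of, signature verification.

```python
import base64
import json

# Local policy table, constructed for this example. Its shape mirrors the
# "JOSE Implementation Requirements" column discussed in the thread: each
# algorithm carries a level such as Required / Recommended / Optional /
# Deprecated, and a later document can move an entry (say, Required ->
# Deprecated) without the JWS syntax changing. The verifier therefore treats
# the table as data it can update, not as constants baked into the parser.
ALG_POLICY = {
    "HS256": "Required",
    "RS256": "Recommended",
    "ES256": "Recommended",
    "none": "Deprecated",  # classification chosen for this example only
}

# Levels a token may carry and still proceed to signature verification.
ACCEPTED_LEVELS = {"Required", "Recommended", "Optional"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, the encoding JWS compact serialization uses."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_protected_header(jws_compact: str) -> dict:
    """Return the decoded JOSE header of a compact-serialized JWS.

    Only the header segment is decoded; payload and signature are left alone
    because no trust decision has been made at this point.
    """
    parts = jws_compact.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("JOSE header missing 'alg'")
    return header


def check_alg_policy(jws_compact: str, policy: dict = ALG_POLICY) -> tuple:
    """Decide, before any cryptography runs, whether the token's alg is allowed.

    Returns (allowed, alg, reason). Algorithms absent from the table are
    rejected rather than guessed at, so the header cannot steer the verifier
    towards code the deployment never chose to enable.
    """
    alg = parse_protected_header(jws_compact)["alg"]
    level = policy.get(alg)
    if level is None:
        return (False, alg, "alg not in local policy table")
    if level not in ACCEPTED_LEVELS:
        return (False, alg, f"alg marked {level}")
    return (True, alg, f"alg marked {level}")


def make_unsigned_sample(alg: str) -> str:
    """Build a constructed compact JWS with an empty signature segment.

    The policy check never touches the signature, so an empty third segment
    is enough to exercise it on realistic header and payload encodings.
    """
    header = base64.urlsafe_b64encode(
        json.dumps({"alg": alg, "typ": "JWT"}).encode()).rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(
        json.dumps({"sub": "example"}).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}."


if __name__ == "__main__":
    for alg in ("HS256", "none", "HS1"):  # "HS1" is a made-up, unregistered name
        print(alg, check_alg_policy(make_unsigned_sample(alg)))
    # The policy is updated as data: deprecating HS256 changes the answer,
    # not the parser.
    updated = dict(ALG_POLICY, HS256="Deprecated")
    print("HS256 after update", check_alg_policy(make_unsigned_sample("HS256"), updated))
```

The design point matches the thread's argument: the parser knows nothing about which algorithms are mandatory, so a deployment in a different context (the IoT case Hannes raises, or a profile that phases out an algorithm the way XMPP is phasing out SHA-1) changes the table, and only the table.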
