Hello!
Thank you for all of the updates to the JOSE drafts in the current bundle
in review. I appreciate all of the effort that went into the revisions!
As I understand it, there are a few general issues we need to work
through, then a few nits/requests are included on specific drafts.
Knowing how we move forward on the following items will be necessary as
well as the shepherd/chair okay to progress the drafts to IETF last call.
As an FYI, since it was requested that the drafts progress as a set, I may
need to delay on which telechat the drafts get placed. Essentially, the
set requires a lot of reading and I'd like to give the IESG enough time to
do reviews.
1. McGrew draft (applies to JWA)
We are waiting on an updated version so that the JWA draft can refer to
it as opposed to duplicating text from it.
2. Alternate on text that applies to several of the drafts for the
following:
Discussion on wording “or use a JSON parser that returns
only the lexically last duplicate member name, as specified
in Section 15.12 (The JSON Object) of ECMAScript 5.1
[ECMAScript]”.
Jim or others may have text suggestions. This was discussed on list, but
has not been resolved yet.
3. Use cases not met by current set of drafts
Documents do not meet all of the use cases laid out in the Use Cases
document
Specifically section 5.8 since there is no key management for
MACs (5.8.1. – MAC based on ECDH-derived key)
I'm not sure how this gets handled. If it will be addressed in other
drafts, let me know.
4. I don't recall seeing any internationalization considerations; is that
something we need to worry about?
Nits/Comments for specific drafts:
JWA:
Security considerations section 8.2 Key Lifetimes
Should there be a reference to NIST 800-57 to provide guidance on this
topic? If there is a better reference, that's fine too. This is something
that may get picked up on in other reviews.
Thanks for reducing text by referring to other drafts for a good portion of
the security considerations section.
JWS:
For typ and cty, the text could be clearer in the first paragraph,
sentences 2 and 4. They read as if they are in conflict. The specific
usage is different in these sentences, but that is not made clear in the
text. It should just be a text adjustment.
Section 8: TLS requirements, second paragraph:
For the second sentence, could you either include examples or a reference
to where the reader can ascertain appropriate cipher suites?
This may be tough to address, but the way the sentence is written, it
sounds like a reference or a recommendation is needed. Any ideas?
JWK:
Updates look good, thanks!
JWE:
Updates look good, thank you!
OAuth JWT: Sent to OAuth list
On Thu, Jul 3, 2014 at 2:31 PM, Kathleen Moriarty <[email protected]> wrote:
> Mike,
>
> Thanks for the updated JWT draft. I just read through it again and the
> changes look good.
>
> I noticed that privacy considerations were not mentioned. Should there be
> any discussed for claims, claim sets, etc.? This is bound to come up in
> the IESG review if it is not addressed. Sorry I didn't catch that on the
> first review.
>
>
> On Tue, Jul 1, 2014 at 9:11 PM, Mike Jones <[email protected]> wrote:
>
>>
>> *From:* Mike Jones
>> *Sent:* Tuesday, July 01, 2014 6:11 PM
>> *To:* [email protected]
>> *Subject:* JOSE -30 and JWT -24 drafts incorporating AD feedback on
>> fifth spec of five
>>
>> JOSE -30 and JWT -24 drafts have been posted incorporating improvements
>> resulting from Kathleen Moriarty’s JWE review. At this point, actions
>> requested in her reviews of the JWS, JWE, JWK, JWA, and JWT specifications
>> have all been incorporated. All changes in this release were strictly
>> editorial in nature.
>>
>> The specifications are available at:
>>
>> · http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-30
>> · http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-30
>> · http://tools.ietf.org/html/draft-ietf-jose-json-web-key-30
>> · http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-30
>> · http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-24
>>
>> HTML formatted versions are available at:
>>
>> · http://self-issued.info/docs/draft-ietf-jose-json-web-signature-30.html
>> · http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-30.html
>> · http://self-issued.info/docs/draft-ietf-jose-json-web-key-30.html
>> · http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-30.html
>> · http://self-issued.info/docs/draft-ietf-oauth-json-web-token-24.html
>>
>> -- Mike
>>
>> P.S. This notice was also posted at http://self-issued.info/?p=1245 and
>> as @selfissued.
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>
> --
>
> Best regards,
> Kathleen
>
--
Best regards,
Kathleen
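The duplicate-member-name question in item 2 of the message above, illustrated as an added Python example (not text or code from the drafts or from anyone in this thread): a strict JOSE Protected Header parser that refuses repeated member names, beside the lenient behaviour of an ECMAScript 5.1 style parser where the lexically last duplicate wins. Function names and the two sample headers are constructed for the example; only the header segment of each sample is meaningful.

```python
import base64
import json


class DuplicateMemberError(ValueError):
    """Raised when a JOSE Header repeats a member name."""


def b64url_decode(data: str) -> bytes:
    # JOSE uses base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _reject_duplicates(pairs):
    # object_pairs_hook sees every pair, repeats included, so it can refuse them.
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateMemberError(f"duplicate member name {name!r}")
        obj[name] = value
    return obj


def parse_protected_header(jws_compact: str, strict: bool = True) -> dict:
    # Parse the JWS Protected Header (first compact-serialization segment).
    # strict=True rejects duplicate names; strict=False behaves like an ES5.1
    # JSON parser, where the lexically last duplicate wins (as Python's json does).
    header_json = b64url_decode(jws_compact.split(".")[0]).decode("utf-8")
    if strict:
        return json.loads(header_json, object_pairs_hook=_reject_duplicates)
    return json.loads(header_json)


def header_is_acceptable(jws_compact: str) -> bool:
    """True if the Protected Header has no duplicate member names."""
    try:
        parse_protected_header(jws_compact, strict=True)
        return True
    except DuplicateMemberError:
        return False


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed samples (not real tokens); only the header segment matters here.
CLEAN_JWS = _b64url(b'{"alg":"HS256","typ":"JWT"}') + ".cGF5bG9hZA.c2ln"
DUP_JWS = _b64url(b'{"alg":"HS256","alg":"RS256","typ":"JWT"}') + ".cGF5bG9hZA.c2ln"
```

A verifier that relies on a last-wins parser and one that relies on a first-wins parser see different "alg" values for the same bytes, which is why rejecting the duplicate outright is the safer of the two options the quoted wording offers.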