Replies inline…
From: Kathleen Moriarty [mailto:[email protected]]
Sent: Thursday, July 03, 2014 11:56 AM
To: Mike Jones
Cc: [email protected]
Subject: Re: [OAUTH-WG] FW: JOSE -30 and JWT -24 drafts incorporating AD feedback on fifth spec of five
Hello!
Thank you for all of the updates to the JOSE drafts in the current bundle in
review. I appreciate all of the effort that went into the revisions! As I
understand it, there are a few general issues we need to work through, then a
few nits/requests are included on specific drafts.
Knowing how we move forward on the following items will be necessary as well as
the shepherd/chair okay to progress the drafts to IETF last call. As an FYI,
since it was requested that the drafts progress as a set, I may need to delay
on which telechat the drafts get placed. Essentially, the set requires a lot
of reading and I'd like to give the IESG enough time to do reviews.
1. McGrew draft (applies to JWA)
We are waiting on an updated version so that the JWA draft can refer to it
as opposed to duplicating text from it.
Mike> I’d proposed specific changes to the authors in May and David McGrew had
tentatively agreed with them and said that he’d produce an updated draft a few
weeks ago. This hasn’t happened yet. I plan to stay engaged with this,
including possibly producing a candidate draft to propose to the authors, if
necessary. (This won’t happen until sometime between the 4th and Toronto.)
2. Alternate on text that applies to several of the drafts for the following:
Discussion on wording “or use a JSON parser that returns
only the lexically last duplicate member name, as specified
in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript]”.
Jim or others may have text suggestions. This was discussed on list, but has
not been resolved yet.
Mike> I believe that it’s already unambiguous as worded, but would be open to
even clearer wording, if someone supplies it.
3. Use cases not met by current set of drafts
Documents do not meet all of the use cases laid out in the Use Cases
document
Specifically section 5.8 since there is no key management for
MACs (5.8.1. – MAC based on ECDH-derived key)
I'm not sure how this gets handled. If it will be addressed in other drafts,
let me know.
Mike> This was issue #2 http://trac.tools.ietf.org/wg/jose/trac/ticket/2 and
was extensively discussed. A formal consensus call on this was conducted by
the chairs even prior to the attempt to re-open the issue by filing issue #2.
Jim’s resolution closing this as wontfix was “The working group has already
considered this and has determined that it will not be addressed. Until a
request for the feature comes in from a group such as the WebCrypto group it
will not be re-considered.”
That said, it’s well understood how this could be cleanly added in a backwards
compatible way. If a concrete need for this arises, I’d be glad to write up a
quick draft, but since this is separable, I don’t believe that the possibility
of doing this work in the future needs to have any impact on completing the
drafts we already have, which intentionally address the most commonly occurring
use cases.
4. I don't recall seeing any internationalization considerations, is that
something we need to worry about?
Mike> None of the 5 drafts define any strings intended for consumption by
end-users, so I don’t think so. Or if you prefer, I could explicitly say that,
perhaps just in the JWT draft? Your call…
Nits/Comments for specific drafts:
JWA:
Security considerations section 8.2 Key Lifetimes
Should there be a reference to NIST 800-57 to provide guidance on this topic?
If there is a better reference, that's fine too. This is something that may
get picked up on in other reviews.
Mike> Will do
Thanks for reducing text by referring to other drafts for a good portion of the
security considerations section.
JWS:
For typ and cty, the text could be more clear in the first paragraph, sentences 2
and 4. They read as if they are in conflict. The specific usage is different
in these sentences, but that is not made clear in the text. It should just be
a text adjustment.
Mike> Will do
Section 8: TLS requirements, second paragraph:
For the second sentence, could you either include examples or a reference to
where the reader can ascertain appropriate cipher suites? This may
be tough to address, but the way the sentence is written, it sounds like a
reference or a recommendation is needed. Any ideas?
Mike> I’d appreciate a specific reference. I asked the TLS chairs for one
yesterday, but haven’t heard back from them yet.
JWK:
Updates look good, thanks!
JWE:
Updates look good, thank you!
Oauth JWT: Sent to Oauth list
Mike> Thanks again for the thorough and useful reviews, Kathleen…
-- Mike
On Thu, Jul 3, 2014 at 2:31 PM, Kathleen Moriarty <[email protected]> wrote:
Mike,
Thanks for the updated JWT draft. I just read through it again and the changes
look good.
I noticed that privacy considerations were not mentioned. Should there be any
discussed for claims, claim sets, etc.? This is bound to come up in the IESG
review if it is not addressed. Sorry I didn't catch that on the first review.
On Tue, Jul 1, 2014 at 9:11 PM, Mike Jones <[email protected]> wrote:
From: Mike Jones
Sent: Tuesday, July 01, 2014 6:11 PM
To: [email protected]
Subject: JOSE -30 and JWT -24 drafts incorporating AD feedback on fifth spec of five
JOSE -30 and JWT -24 drafts have been posted incorporating improvements
resulting from Kathleen Moriarty’s JWE review. At this point, actions
requested in her reviews of the JWS, JWE, JWK, JWA, and JWT specifications have
all been incorporated. All changes in this release were strictly editorial in
nature.
The specifications are available at:
• http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-30
• http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-30
• http://tools.ietf.org/html/draft-ietf-jose-json-web-key-30
• http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-30
• http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-24
HTML formatted versions are available at:
• http://self-issued.info/docs/draft-ietf-jose-json-web-signature-30.html
• http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-30.html
• http://self-issued.info/docs/draft-ietf-jose-json-web-key-30.html
• http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-30.html
• http://self-issued.info/docs/draft-ietf-oauth-json-web-token-24.html
-- Mike
P.S. This notice was also posted at http://self-issued.info/?p=1245 and as
@selfissued.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
--
Best regards,
Kathleen
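Item 2 above is about the wording that lets a JOSE implementation either reject a header with duplicate member names or use a parser with ECMAScript 5.1 "lexically last duplicate wins" semantics. The following Python is an added illustration of why that choice matters for interoperability and security; it is not code from the thread or from the JOSE drafts. It decodes the protected header of a constructed compact JWS whose header carries two "alg" members and parses it under three policies: reject, last-wins (the two the quoted wording permits) and a first-wins policy included only to show the divergent result the wording rules out. The header value, the policy names and the helper functions are this example's own assumptions.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JOSE base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _reject_duplicates(pairs):
    # Policy 1 from the quoted wording: a repeated member name is an error.
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise ValueError(f"duplicate member name {name!r} in JOSE Header")
        obj[name] = value
    return obj


def _first_wins(pairs):
    # Not permitted by the wording; shown only to expose the divergence.
    obj = {}
    for name, value in pairs:
        obj.setdefault(name, value)
    return obj


# Policy 2 is plain dict(): Python's json module hands member pairs to the
# hook in document order, so dict() keeps the lexically last duplicate,
# matching ECMAScript 5.1 section 15.12 behaviour.
_POLICIES = {"reject": _reject_duplicates, "last": dict, "first": _first_wins}


def parse_header(header_json: str, policy: str = "reject") -> dict:
    """Parse a JOSE Header JSON text under the named duplicate-member policy."""
    return json.loads(header_json, object_pairs_hook=_POLICIES[policy])


def protected_header(compact_jws: str, policy: str = "reject") -> dict:
    """Decode and parse the protected header (first segment) of a compact JWS."""
    segment = compact_jws.split(".")[0]
    return parse_header(b64url_decode(segment).decode("utf-8"), policy)


def has_duplicate_members(header_json: str) -> bool:
    try:
        parse_header(header_json, "reject")
    except ValueError:
        return True
    return False


# Constructed sample (hypothetical): the header names "alg" twice, first as
# "none" and then as "HS256". The payload is "{}" and the signature is empty.
SAMPLE_HEADER = '{"alg":"none","typ":"JWT","alg":"HS256"}'
SAMPLE_JWS = b64url_encode(SAMPLE_HEADER.encode("utf-8")) + ".e30."


if __name__ == "__main__":
    print("duplicate members:", has_duplicate_members(SAMPLE_HEADER))
    for policy in ("last", "first"):
        print(policy, "->", protected_header(SAMPLE_JWS, policy)["alg"])
    try:
        protected_header(SAMPLE_JWS, "reject")
    except ValueError as exc:
        print("reject ->", exc)
```

Under the two permitted policies a verifier either refuses the token or sees "HS256"; only a first-wins parser would see "none", which is the kind of disagreement between a producer's and a consumer's parser that the wording in item 2 exists to prevent. A deployment that cannot control which JSON library its dependencies use is safest with the reject policy.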