Thanks, Mike! In-line...
On Thu, Jul 3, 2014 at 4:03 PM, Mike Jones <[email protected]> wrote:

> Replies inline…
>
> *From:* Kathleen Moriarty [mailto:[email protected]]
> *Sent:* Thursday, July 03, 2014 11:56 AM
> *To:* Mike Jones
> *Cc:* [email protected]
> *Subject:* Re: [OAUTH-WG] FW: JOSE -30 and JWT -24 drafts incorporating AD feedback on fifth spec of five
>
> Hello!
>
> Thank you for all of the updates to the JOSE drafts in the current bundle in review. I appreciate all of the effort that went into the revisions! As I understand it, there are a few general issues we need to work through, then a few nits/requests are included on specific drafts.
>
> Knowing how we move forward on the following items will be necessary as well as the shepherd/chair okay to progress the drafts to IETF last call. As an FYI, since it was requested that the drafts progress as a set, I may need to delay on which telechat the drafts get placed. Essentially, the set requires a lot of reading and I'd like to give the IESG enough time to do reviews.
>
> 1. McGrew draft (applies to JWA)
>
> We are waiting on an updated version so that the JWA draft can refer to it as opposed to duplicating text from it.
>
> Mike> I’d proposed specific changes to the authors in May and David McGrew had tentatively agreed with them and said that he’d produce an updated draft a few weeks ago. This hasn’t happened yet. I plan to stay engaged with this, including possibly producing a candidate draft to propose to the authors, if necessary. (This won’t happen until sometime between the 4th and Toronto.)

OK, thanks for the status.

> 2. Alternate on text that applies to several of the drafts for the following:
>
> Discussion on wording “or use a JSON parser that returns only the lexically last duplicate member name, as specified in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript]”.
>
> Jim or others may have text suggestions. This was discussed on list, but has not been resolved yet.
>
> Mike> I believe that it’s already unambiguous as worded, but would be open to even clearer wording, if someone supplies it.

OK, let's see if there are proposals or if Jim has a suggestion.

> 3. Use cases not met by current set of drafts
>
> Documents do not meet all of the use cases laid out in the Use Cases document.
>
> Specifically section 5.8, since there is no key management for MACs (5.8.1. – MAC based on ECDH-derived key).
>
> I'm not sure how this gets handled. If it will be addressed in other drafts, let me know.
>
> Mike> This was issue #2 (http://trac.tools.ietf.org/wg/jose/trac/ticket/2) and was extensively discussed. A formal consensus call on this was conducted by the chairs even prior to the attempt to re-open the issue by filing issue #2. Jim’s resolution closing this as wontfix was “The working group has already considered this and has determined that it will not be addressed. Until a request for the feature comes in from a group such as the WebCrypto group it will not be re-considered.”
>
> That said, it’s well understood how this could be cleanly added in a backwards compatible way. If a concrete need for this arises, I’d be glad to write up a quick draft, but since this is separable, I don’t believe that the possibility of doing this work in the future needs to have any impact on completing the drafts we already have, which intentionally address the most commonly occurring use cases.

OK, thank you.

> 4. I don't recall seeing any internationalization considerations; is that something we need to worry about?
>
> Mike> None of the 5 drafts define any strings intended for consumption by end-users, so I don’t think so. Or if you prefer, I could explicitly say that, perhaps just in the JWT draft? Your call…

No need then; if it comes up, I have an answer and that should be all I need on this one. Thanks.

> Nits/Comments for specific drafts:
>
> JWA:
>
> Security considerations section 8.2 Key Lifetimes
>
> Should there be a reference to NIST 800-57 to provide guidance on this topic? If there is a better reference, that's fine too. This is something that may get picked up on in other reviews.
>
> Mike> Will do

Thank you

> Thanks for reducing text by referring to other drafts for a good portion of the security considerations section.
>
> JWS:
>
> For typ and cty, the text could be more clear in the first paragraph, sentences 2 and 4. They read as if they are in conflict. The specific usage is different in these sentences, but that is not made clear in the text. It should just be a text adjustment.
>
> Mike> Will do

Thank you

> Section 8: TLS requirements, second paragraph:
>
> For the second sentence, could you either include examples or a reference to where the reader can ascertain appropriate cipher suites? This may be tough to address, but the way the sentence is written, it sounds like a reference or a recommendation is needed. Any ideas?
>
> Mike> I’d appreciate a specific reference. I asked the TLS chairs for one yesterday, but haven’t heard back from them yet.

OK, thanks.

> JWK:
>
> Updates look good, thanks!
>
> JWE:
>
> Updates look good, thank you!
>
> OAuth JWT: Sent to OAuth list
>
> Mike> Thanks again for the thorough and useful reviews, Kathleen…

You're welcome and thanks for the quick responses!
Kathleen

> -- Mike
>
> On Thu, Jul 3, 2014 at 2:31 PM, Kathleen Moriarty <[email protected]> wrote:
>
> > Mike,
> >
> > Thanks for the updated JWT draft. I just read through it again and the changes look good.
> >
> > I noticed that privacy considerations were not mentioned. Should there be any discussed for claims, claim sets, etc.? This is bound to come up in the IESG review if it is not addressed. Sorry I didn't catch that on the first review.
> >
> > On Tue, Jul 1, 2014 at 9:11 PM, Mike Jones <[email protected]> wrote:
> >
> > > *From:* Mike Jones
> > > *Sent:* Tuesday, July 01, 2014 6:11 PM
> > > *To:* [email protected]
> > > *Subject:* JOSE -30 and JWT -24 drafts incorporating AD feedback on fifth spec of five
> > >
> > > JOSE -30 and JWT -24 drafts have been posted incorporating improvements resulting from Kathleen Moriarty’s JWE review. At this point, actions requested in her reviews of the JWS, JWE, JWK, JWA, and JWT specifications have all been incorporated. All changes in this release were strictly editorial in nature.
> > >
> > > The specifications are available at:
> > > · http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-30
> > > · http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-30
> > > · http://tools.ietf.org/html/draft-ietf-jose-json-web-key-30
> > > · http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-30
> > > · http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-24
> > >
> > > HTML formatted versions are available at:
> > > · http://self-issued.info/docs/draft-ietf-jose-json-web-signature-30.html
> > > · http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-30.html
> > > · http://self-issued.info/docs/draft-ietf-jose-json-web-key-30.html
> > > · http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-30.html
> > > · http://self-issued.info/docs/draft-ietf-oauth-json-web-token-24.html
> > >
> > > -- Mike
> > >
> > > P.S. This notice was also posted at http://self-issued.info/?p=1245 and as @selfissued.
> > >
> > > _______________________________________________
> > > OAuth mailing list
> > > [email protected]
> > > https://www.ietf.org/mailman/listinfo/oauth
> >
> > --
> > Best regards,
> > Kathleen
>
> --
> Best regards,
> Kathleen
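The two parser behaviours debated under item 2 (reject duplicate member names, or keep only the lexically last one as ECMAScript 5.1 Section 15.12 does) can be made concrete in code. The following Python is an added illustration written for this page, not code from the thread or from any JOSE draft; the claims-set sample is constructed, and `parse_jose_object` is a hypothetical helper name.

```python
import json
from collections import Counter


class DuplicateMemberName(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # json.loads calls this hook for every object (nested ones included) with
    # the (name, value) pairs in document order, so duplicates are still
    # visible here, whereas dict() alone would silently collapse them.
    names = [name for name, _ in pairs]
    dupes = sorted(n for n, c in Counter(names).items() if c > 1)
    if dupes:
        raise DuplicateMemberName(f"duplicate member name(s): {dupes}")
    return dict(pairs)


def _last_wins(pairs):
    # ECMAScript 5.1 Section 15.12 semantics: a later duplicate overwrites an
    # earlier one, so only the lexically last value is retained.
    result = {}
    for name, value in pairs:
        result[name] = value
    return result


def parse_jose_object(text, strict=True):
    """Parse a JOSE Header or JWT Claims Set from its JSON text.

    strict=True  -> reject any duplicate member name (first option in the spec)
    strict=False -> keep only the lexically last duplicate (second option)
    """
    hook = _reject_duplicates if strict else _last_wins
    return json.loads(text, object_pairs_hook=hook)


# Constructed sample: a claims set in which "exp" appears twice.
SAMPLE_CLAIMS = (
    '{"iss":"joe","exp":1300819380,"exp":1300819380000,'
    '"http://example.com/is_root":true}'
)

if __name__ == "__main__":
    print(parse_jose_object(SAMPLE_CLAIMS, strict=False))   # exp == 1300819380000
    try:
        parse_jose_object(SAMPLE_CLAIMS)
    except DuplicateMemberName as e:
        print("rejected:", e)
```

Either mode satisfies the text under discussion; what an implementation must not do is accept whichever value its default JSON library happens to keep without knowing which of the two behaviours that is.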
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
