Thanks for your review, Richard. My responses are inline below...

> -----Original Message-----
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Richard Barnes
> Sent: Wednesday, October 01, 2014 7:57 PM
> To: The IESG
> Cc: oauth-cha...@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-to...@tools.ietf.org
> Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
>
> Richard Barnes has entered the following ballot position for
> draft-ietf-oauth-json-web-token-27: Discuss
>
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Section 7.
> In order to prevent confusion between secured and Unsecured JWTs, the
> validation steps here need to call for the application to specify which is
> required.

Per my response on your JWS comments, this is already handled in a more general way in the JWS validation steps. Specifically, the last paragraph of Section 5.2 is:

"Finally, note that it is an application decision which algorithms are acceptable in a given context. Even if a JWS can be successfully validated, unless the algorithm(s) used in the JWS are acceptable to the application, it SHOULD reject the JWS."

I would therefore request that you likewise withdraw this DISCUSS on that basis.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Abstract.
> Welsh is the only language I know of in which "w" is a vowel. According to
> Wikipedia, then, "JWT" should be pronounced "joot" :)

You're not the only person with knowledge of Welsh to have made this comment. And this is a Jones responding to you... ;-)

> Section 2.
> It seems like "Unsecured JWT" should simply be defined as "A JWT carried in an
> Unsigned JWS."

It's been useful in other specifications that are applications of JWTs to have a name for this kind of JWT, since it occurs frequently.

> Section 4.1.
> I'm a little surprised not to see a "jwk" claim, which would basically enable JWTs
> to sub in for certificates for many use cases. Did the WG consider this
> possibility?

Not to my knowledge. However, I know of several applications in which JWKs and JWK Sets are carried as claims in JWTs of various kinds - just using claim names that are informed by the context of the particular application. For instance, draft-ietf-oauth-dyn-reg uses a "jwks_uri" claim to pass a JWK Set by reference and a "jwks" claim to pass a JWK Set by value.

> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

Thanks again,
-- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
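The validation rule Mike quotes from JWS Section 5.2, that the application decides which algorithms are acceptable and rejects a JWS even when its signature verifies if its "alg" is not on that list, is what keeps a secured JWT from being confused with an Unsecured one ("alg":"none"). The following is an added example written for this page, not code from the thread or from the JWT/JWS drafts: a minimal compact-serialization JWT validator that takes the acceptable-algorithm set as an explicit parameter, implements only HS256 and "none", and uses constructed sample keys and claims.

```python
import base64
import hashlib
import hmac
import json

# Added example (not from the OAuth WG drafts). Only HS256 and the Unsecured
# "none" algorithm are implemented; every key, claim and token below is a
# constructed sample value.


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS/JWT require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact-serialization JWT; alg is 'HS256' or 'none'."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)
    if alg == "none":
        return signing_input + "."  # Unsecured JWT: empty signature part
    raise ValueError("unsupported alg")


def validate_jwt(token: str, acceptable_algs: set, key: bytes = b"") -> dict:
    """Return the claims of a JWT acceptable to this application, else raise.

    The application states which algorithms it accepts; an Unsecured JWT
    passes only if 'none' is in that set, and a token whose signature
    verifies is still rejected when its alg is not in the set.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three parts")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in acceptable_algs:
        raise ValueError(f"alg {alg!r} not acceptable to this application")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    if alg == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("HS256 signature verification failed")
    elif alg == "none":
        if sig_b64 != "":
            raise ValueError("Unsecured JWT must have an empty signature")
    else:
        raise ValueError(f"alg {alg!r} accepted by policy but not implemented")
    return json.loads(b64url_decode(payload_b64))


def rejects(token: str, acceptable_algs: set, key: bytes = b"") -> bool:
    """True if validate_jwt refuses this token under this policy."""
    try:
        validate_jwt(token, acceptable_algs, key)
        return False
    except ValueError:
        return True


def demo() -> dict:
    key = b"constructed-sample-key-not-for-real-use"
    claims = {"iss": "https://issuer.example", "sub": "alice"}
    secured = make_jwt(claims, "HS256", key)
    unsecured = make_jwt(claims, "none")
    return {
        # A deployment that expects signed tokens refuses the Unsecured JWT.
        "secured_ok": validate_jwt(secured, {"HS256"}, key) == claims,
        "unsecured_rejected": rejects(unsecured, {"HS256"}, key),
        # A deployment that has explicitly opted into Unsecured JWTs accepts it.
        "unsecured_ok_when_allowed": validate_jwt(unsecured, {"none"}) == claims,
        # A correctly signed token is still refused by a policy that omits HS256.
        "valid_sig_wrong_policy_rejected": rejects(secured, {"RS256"}, key),
    }


if __name__ == "__main__":
    print(demo())
```

The acceptable-algorithm set is a required argument rather than a default so that the policy decision is visibly made by the caller, which is the point of the Section 5.2 text: a validator that infers acceptability from the token's own header has delegated that decision to whoever minted the token.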