On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <[email protected]> wrote:
> Thanks for your review, Richard. My responses are inline below...
>
> > -----Original Message-----
> > From: OAuth [mailto:[email protected]] On Behalf Of Richard Barnes
> > Sent: Wednesday, October 01, 2014 7:57 PM
> > To: The IESG
> > Cc: [email protected]; [email protected]; [email protected]
> > Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
> >
> > Richard Barnes has entered the following ballot position for
> > draft-ietf-oauth-json-web-token-27: Discuss
> >
> > When responding, please keep the subject line intact and reply to all email
> > addresses included in the To and CC lines. (Feel free to cut this introductory
> > paragraph, however.)
> >
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Section 7.
> > In order to prevent confusion between secured and Unsecured JWTs, the
> > validation steps here need to call for the application to specify which is required.
>
> Per my response on your JWS comments, this is already handled in a more
> general way in the JWS validation steps. Specifically, the last paragraph
> of Section 5.2 is:
>
> "Finally, note that it is an application decision which algorithms are
> acceptable in a given context. Even if a JWS can be successfully validated,
> unless the algorithm(s) used in the JWS are acceptable to the application,
> it SHOULD reject the JWS."
>

I've cleared this DISCUSS in the interest of having this fight over in the JWS thread.

But I also added the following COMMENT:
"It would be good for this document to pass on the note from JWS about selecting which algorithms are acceptable, and in particular, whether unsecured JWTs are acceptable."

--Richard

> I would therefore request that you likewise withdraw this DISCUSS on that
> basis.
>
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Abstract.
> > Welsh is the only language I know of in which "w" is a vowel. According to
> > Wikipedia, then, "JWT" should be pronounced "joot" :)
>
> You're not the only person with knowledge of Welsh to have made this
> comment. And this is a Jones responding to you... ;-)
>
> > Section 2.
> > It seems like "Unsecured JWT" should simply be defined as "A JWT carried in an
> > Unsigned JWS."
>
> It's been useful in other specifications that are applications of JWTs to
> have a name for this kind of JWT, since it occurs frequently.
>
> > Section 4.1.
> > I'm a little surprised not to see a "jwk" claim, which would basically enable JWTs
> > to sub in for certificates for many use cases. Did the WG consider this
> > possibility?
>
> Not to my knowledge. However, I know of several applications in which
> JWKs and JWK Sets are carried as claims in JWTs of various kinds - just
> using claim names that are informed by the context of the particular
> application. For instance, draft-ietf-oauth-dyn-reg uses a "jwks_uri"
> claim to pass a JWK Set by reference and a "jwks" claim to pass a JWK Set
> by value.
>
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
>
> Thanks again,
> -- Mike
>
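The rule Mike quotes from JWS Section 5.2 (the application, not the token, decides which algorithms are acceptable, and an Unsecured JWT is just the "none" case of that decision) is easy to show in code. The following is an added example, not code from this thread or from any IETF document: a minimal JWT parser supporting only HS256 and "none" so that it runs offline, with the validator checking the application's allow-list before any signature work. The key, claims and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for the example (not from the thread).
DEMO_KEY = b"constructed-demo-hmac-key"
DEMO_CLAIMS = {"iss": "https://issuer.example", "sub": "alice"}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact-serialization JWT; 'none' yields an Unsecured JWT."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)
    if alg == "none":
        return signing_input + "."  # empty third segment, per JWS
    raise ValueError(f"unsupported alg {alg!r}")


def validate_jwt(token: str, allowed_algs: frozenset, key: bytes = b"") -> dict:
    """Return the claims if the token is acceptable to this application.

    allowed_algs is the application's decision from JWS Section 5.2: a token
    whose 'alg' is not in it is rejected before any signature is examined,
    so whether Unsecured JWTs are accepted is decided by including 'none'.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} is not acceptable to this application")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    if alg == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("HS256 signature does not verify")
    elif alg == "none":
        # JWS requires the signature segment of an Unsecured JWS to be empty.
        if sig_b64 != "":
            raise ValueError("Unsecured JWT must carry an empty signature")
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    return json.loads(b64url_decode(payload_b64))


def is_acceptable(token: str, allowed_algs: frozenset, key: bytes = b"") -> bool:
    """Boolean wrapper around validate_jwt for callers that only need yes/no."""
    try:
        validate_jwt(token, allowed_algs, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secured = make_jwt(DEMO_CLAIMS, "HS256", DEMO_KEY)
    unsecured = make_jwt(DEMO_CLAIMS, "none")
    strict = frozenset({"HS256"})          # application requires a secured JWT
    permissive = frozenset({"HS256", "none"})
    print("secured, strict policy:   ", is_acceptable(secured, strict, DEMO_KEY))
    print("unsecured, strict policy: ", is_acceptable(unsecured, strict, DEMO_KEY))
    print("unsecured, permissive:    ", is_acceptable(unsecured, permissive))
```

The ordering inside validate_jwt is the point: the allow-list is consulted first, so a token that names an algorithm the application never chose is refused even if its signature would have verified, which is exactly the "even if a JWS can be successfully validated" clause Mike quotes.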
