> From: Richard Barnes [mailto:[email protected]] 
> Sent: Friday, October 10, 2014 2:37 PM
> To: Mike Jones
> Cc: The IESG; [email protected]; [email protected]; 
> [email protected]
> Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on 
> draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
> 
> On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <[email protected]> 
> wrote:
> Thanks for your review, Richard.  My responses are inline below...
> 
> > -----Original Message-----
> > From: OAuth [mailto:[email protected]] On Behalf Of Richard Barnes
> > Sent: Wednesday, October 01, 2014 7:57 PM
> > To: The IESG
> > Cc: [email protected]; [email protected]; draft-ietf-oauth-json-web-
> > [email protected]
> > Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-
> > token-27: (with DISCUSS and COMMENT)
> >
> > Richard Barnes has entered the following ballot position for
> > draft-ietf-oauth-json-web-token-27: Discuss
> >
> > When responding, please keep the subject line intact and reply to all email
> > addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Section 7.
> > In order to prevent confusion between secured and Unsecured JWTs, the
> > validation steps here need to call for the application to specify which is 
> > required.
> 
> Per my response on your JWS comments, this is already handled in a more 
> general way in the JWS validation steps.  Specifically, the last paragraph of 
> Section 5.2 is:
> 
> "Finally, note that it is an application decision which algorithms are 
> acceptable in a given context. Even if a JWS can be successfully validated, 
> unless the algorithm(s) used in the JWS are acceptable to the application, it 
> SHOULD reject the JWS."
> 
> I've cleared this DISCUSS in the interest of having this fight over in JWS 
> thread.  But I also added the following COMMENT:
> "It would be good for this document to pass on the note from JWS about 
> selecting which algorithms are acceptable, and in particular, whether 
> unsecured JWTs are acceptable."

Thanks for clearing the DISCUSS.  I'm fine repeating the note about acceptable 
algorithms in the JWT spec, assuming others are.
 
> I would therefore request that you likewise withdraw this DISCUSS on that 
> basis.

                                -- Mike
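The point Richard and Mike settle on above (JWS Section 5.2: the application, not the token header, decides which algorithms are acceptable, and in particular whether Unsecured JWTs with "alg":"none" are) is the part of JWT validation most often implemented backwards. The following is an added example written for this page; it is not code from the thread, from the JWS/JWT drafts, or from any library. It assumes a constructed HMAC key and constructed claims, supports only HS256 and "none" so it runs offline with the standard library, and checks the application's algorithm allowlist before looking at the signature at all.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url_encode; re-adds the padding base64 expects."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    """Mint a compact-serialized JWT for the example (HS256 or Unsecured 'none' only)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    elif alg == "none":
        sig = b""  # Unsecured JWT: the third part is empty
    else:
        raise ValueError("unsupported alg for this example")
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, acceptable_algs: frozenset, key: bytes = b"", now=None) -> dict:
    """Validate a JWT; `acceptable_algs` is the application's policy and is enforced first.

    'none' is accepted only if the application lists it explicitly; a token whose
    header merely claims 'none' does not get to switch off signature checking.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    alg = header.get("alg")
    # Application decision per JWS 5.2: reject before any cryptographic work.
    if alg not in acceptable_algs:
        raise ValueError(f"alg {alg!r} not acceptable to this application")
    signing_input = (h_b64 + "." + p_b64).encode("ascii")
    if alg == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise ValueError("signature mismatch")
    elif alg == "none":
        if s_b64 != "":
            raise ValueError("Unsecured JWT must carry an empty signature")
    else:
        raise ValueError("unsupported alg for this example")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def validation_outcome(token: str, acceptable_algs: frozenset, key: bytes = b"", now=None) -> str:
    """Convenience wrapper returning 'accepted' or 'rejected: <reason>'."""
    try:
        validate_jwt(token, acceptable_algs, key, now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample key and claims; not real credentials.
    KEY = b"constructed-example-key"
    CLAIMS = {"iss": "https://issuer.example", "sub": "alice", "exp": 2000000000}
    signed = make_jwt(CLAIMS, "HS256", KEY)
    unsecured = make_jwt(CLAIMS, "none")
    print(validation_outcome(signed, frozenset({"HS256"}), KEY))      # accepted
    print(validation_outcome(unsecured, frozenset({"HS256"}), KEY))   # rejected: alg 'none' ...
    print(validation_outcome(unsecured, frozenset({"none"})))         # accepted (explicit opt-in)
```

The policy set is passed by the caller rather than defaulting to "everything the library implements", so a deployment that only ever issues HS256 tokens states `frozenset({"HS256"})` and an Unsecured JWT is rejected at the header check; the same call with `frozenset({"none"})` shows the opposite choice is also the application's to make, which is exactly the note Mike agrees to repeat in the JWT spec.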

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth