Repeating the note about acceptable algorithms in the JWT spec sounds fine.
On Sat, Oct 11, 2014 at 1:54 PM, Mike Jones <[email protected]> wrote:
>
> > From: Richard Barnes [mailto:[email protected]]
> > Sent: Friday, October 10, 2014 2:37 PM
> > To: Mike Jones
> > Cc: The IESG; [email protected]; [email protected]; [email protected]
> > Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
> >
> > On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <[email protected]> wrote:
> > Thanks for your review, Richard. My responses are inline below...
> >
> > > -----Original Message-----
> > > From: OAuth [mailto:[email protected]] On Behalf Of Richard Barnes
> > > Sent: Wednesday, October 01, 2014 7:57 PM
> > > To: The IESG
> > > Cc: [email protected]; [email protected]; draft-ietf-oauth-json-web-[email protected]
> > > Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
> > >
> > > Richard Barnes has entered the following ballot position for
> > > draft-ietf-oauth-json-web-token-27: Discuss
> > >
> > > When responding, please keep the subject line intact and reply to all email
> > > addresses included in the To and CC lines. (Feel free to cut this introductory
> > > paragraph, however.)
> > >
> > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > > The document, along with other ballot positions, can be found here:
> > > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
> > >
> > > ----------------------------------------------------------------------
> > > DISCUSS:
> > > ----------------------------------------------------------------------
> > >
> > > Section 7.
> > > In order to prevent confusion between secured and Unsecured JWTs, the
> > > validation steps here need to call for the application to specify
> > > which is required.
> >
> > Per my response on your JWS comments, this is already handled in a more
> > general way in the JWS validation steps. Specifically, the last paragraph
> > of Section 5.2 is:
> >
> > "Finally, note that it is an application decision which algorithms are
> > acceptable in a given context. Even if a JWS can be successfully validated,
> > unless the algorithm(s) used in the JWS are acceptable to the application,
> > it SHOULD reject the JWS."
> >
> > I've cleared this DISCUSS in the interest of having this fight over in the
> > JWS thread. But I also added the following COMMENT:
> > "It would be good for this document to pass on the note from JWS about
> > selecting which algorithms are acceptable, and in particular, whether
> > unsecured JWTs are acceptable."
>
> Thanks for clearing the DISCUSS. I'm fine repeating the note about
> acceptable algorithms in the JWT spec, assuming others are.
>
> > I would therefore request that you likewise withdraw this DISCUSS on
> > that basis.
>
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
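The point both reviewers settle on (the application, not the token, decides which algorithms are acceptable, and in particular whether an Unsecured JWT with "alg":"none" is) is illustrated by the following validator, added here as an example and not code from the thread or from any JWT library. The `acceptable_algs` policy parameter, the `make_jwt` helper, the HS256 key and the claims are all constructed for the demo; only HS256 and "none" are implemented.

```python
import base64, hashlib, hmac, json
from typing import FrozenSet, Optional

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    # Constructed sample tokens for the demo: HS256, or the Unsecured JWT alg "none".
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_jwt(token: str, key: bytes, acceptable_algs: FrozenSet[str]) -> Optional[dict]:
    """Return the claims only if the token validates AND its alg is acceptable
    to the application (acceptable_algs is the application's policy); else None.
    "none" gets no special treatment: it is accepted only when explicitly listed."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        sig = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict):
        return None
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in acceptable_algs:  # policy before any crypto
        return None
    signing_input = f"{h64}.{p64}".encode()
    if alg == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
    elif alg == "none":
        if s64 != "":  # an Unsecured JWT must carry an empty signature part
            return None
    else:
        return None  # allowed by policy but not implemented in this demo
    try:
        return json.loads(_b64url_decode(p64))
    except (ValueError, UnicodeDecodeError):
        return None
```

With `acceptable_algs` set to `{"HS256"}` an Unsecured JWT is rejected before any signature check, and with `{"none"}` a correctly signed HS256 token is rejected just the same.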
