The proposed resolution below has been incorporated in the -28 draft.
Hopefully you can clear your DISCUSS on that basis.
Thanks again,
-- Mike
> -----Original Message-----
> From: OAuth [mailto:[email protected]] On Behalf Of Mike Jones
> Sent: Saturday, October 11, 2014 12:54 PM
> To: Richard Barnes
> Cc: [email protected]; oauth-
> [email protected]; The IESG; [email protected]
> Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-
> token-27: (with DISCUSS and COMMENT)
>
> > From: Richard Barnes [mailto:[email protected]]
> > Sent: Friday, October 10, 2014 2:37 PM
> > To: Mike Jones
> > Cc: The IESG; [email protected]; [email protected];
> > [email protected]
> > Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on
> > draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
> >
> > On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones
> <[email protected]> wrote:
> > Thanks for your review, Richard. My responses are inline below...
> >
> > > -----Original Message-----
> > > From: OAuth [mailto:[email protected]] On Behalf Of Richard
> > > Barnes
> > > Sent: Wednesday, October 01, 2014 7:57 PM
> > > To: The IESG
> > > Cc: [email protected]; [email protected];
> > > draft-ietf-oauth-json-web- [email protected]
> > > Subject: [OAUTH-WG] Richard Barnes' Discuss on
> > > draft-ietf-oauth-json-web-
> > > token-27: (with DISCUSS and COMMENT)
> > >
> > > Richard Barnes has entered the following ballot position for
> > > draft-ietf-oauth-json-web-token-27: Discuss
> > >
> > > When responding, please keep the subject line intact and reply to
> > > all email addresses included in the To and CC lines. (Feel free to
> > > cut this introductory paragraph, however.)
> > >
> > >
> > > Please refer to
> > > http://www.ietf.org/iesg/statement/discuss-criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > >
> > > The document, along with other ballot positions, can be found here:
> > > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
> > >
> > >
> > >
> > > --------------------------------------------------------------------
> > > --
> > > DISCUSS:
> > > --------------------------------------------------------------------
> > > --
> > >
> > > Section 7.
> > > In order to prevent confusion between secured and Unsecured JWTs,
> > > the validation steps here need to call for the application to specify
> > > which is
> required.
> >
> > Per my response on your JWS comments, this is already handed in a more
> general way in the JWS validation steps. Specifically, the last paragraph of
> Section 5.2 is:
> >
> > "Finally, note that it is an application decision which algorithms are
> > acceptable
> in a given context. Even if a JWS can be successfully validated, unless the
> algorithm(s) used in the JWS are acceptable to the application, it SHOULD
> reject
> the JWS."
> >
> > I've cleared this DISCUSS in the interest of having this fight over in JWS
> > thread.
> But I also added the following COMMENT:
> > "It would be good for this document to pass on the note from JWS about
> selecting which algorithms are acceptable, and in particular, whether
> unsecured
> JWTs are acceptable."
>
> Thanks for clearing the DISCUSS. I'm fine repeating the note about acceptable
> algorithms in the JWT spec, assuming others are.
>
> > I would therefore request that you likewise withdraw this DISCUSS on that
> basis.
>
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
