Thanks, Richard & Mike!

Sent from my iPhone

> On Oct 18, 2014, at 2:58 PM, Richard Barnes <[email protected]> wrote:
>
> Dude, I cleared on the 10th :)
>
>> On Tue, Oct 14, 2014 at 5:53 AM, Mike Jones <[email protected]>
>> wrote:
>> The proposed resolution below has been incorporated in the -28 draft.
>> Hopefully you can clear your DISCUSS on that basis.
>>
>> Thanks again,
>> -- Mike
>>
>> > -----Original Message-----
>> > From: OAuth [mailto:[email protected]] On Behalf Of Mike Jones
>> > Sent: Saturday, October 11, 2014 12:54 PM
>> > To: Richard Barnes
>> > Cc: [email protected]; oauth-
>> > [email protected]; The IESG; [email protected]
>> > Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on
>> > draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
>> >
>> > > From: Richard Barnes [mailto:[email protected]]
>> > > Sent: Friday, October 10, 2014 2:37 PM
>> > > To: Mike Jones
>> > > Cc: The IESG; [email protected]; [email protected];
>> > > [email protected]
>> > > Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on
>> > > draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
>> > >
>> > > On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <[email protected]> wrote:
>> > > Thanks for your review, Richard. My responses are inline below...
>> > >
>> > > > -----Original Message-----
>> > > > From: OAuth [mailto:[email protected]] On Behalf Of Richard
>> > > > Barnes
>> > > > Sent: Wednesday, October 01, 2014 7:57 PM
>> > > > To: The IESG
>> > > > Cc: [email protected]; [email protected];
>> > > > draft-ietf-oauth-json-web- [email protected]
>> > > > Subject: [OAUTH-WG] Richard Barnes' Discuss on
>> > > > draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
>> > > >
>> > > > Richard Barnes has entered the following ballot position for
>> > > > draft-ietf-oauth-json-web-token-27: Discuss
>> > > >
>> > > > When responding, please keep the subject line intact and reply to
>> > > > all email addresses included in the To and CC lines. (Feel free to
>> > > > cut this introductory paragraph, however.)
>> > > >
>> > > > Please refer to
>> > > > http://www.ietf.org/iesg/statement/discuss-criteria.html
>> > > > for more information about IESG DISCUSS and COMMENT positions.
>> > > >
>> > > > The document, along with other ballot positions, can be found here:
>> > > > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
>> > > >
>> > > > ----------------------------------------------------------------------
>> > > > DISCUSS:
>> > > > ----------------------------------------------------------------------
>> > > >
>> > > > Section 7.
>> > > > In order to prevent confusion between secured and Unsecured JWTs,
>> > > > the validation steps here need to call for the application to specify
>> > > > which is required.
>> > >
>> > > Per my response on your JWS comments, this is already handled in a more
>> > > general way in the JWS validation steps. Specifically, the last paragraph
>> > > of Section 5.2 is:
>> > >
>> > > "Finally, note that it is an application decision which algorithms are
>> > > acceptable in a given context. Even if a JWS can be successfully validated,
>> > > unless the algorithm(s) used in the JWS are acceptable to the application,
>> > > it SHOULD reject the JWS."
>> > >
>> > > I've cleared this DISCUSS in the interest of having this fight over in
>> > > JWS thread. But I also added the following COMMENT:
>> > > "It would be good for this document to pass on the note from JWS about
>> > > selecting which algorithms are acceptable, and in particular, whether
>> > > unsecured JWTs are acceptable."
>> >
>> > Thanks for clearing the DISCUSS. I'm fine repeating the note about
>> > acceptable algorithms in the JWT spec, assuming others are.
>> >
>> > > I would therefore request that you likewise withdraw this DISCUSS on that
>> > > basis.
>> >
>> > -- Mike
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > [email protected]
>> > https://www.ietf.org/mailman/listinfo/oauth
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
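
Added example, not part of the original thread or of the JWT/JWS drafts: a minimal Python validator in which the application, not the token header, states which algorithms are acceptable, so an Unsecured JWT (`"alg":"none"`) is rejected unless the caller explicitly allows it. The function names, the HS256-only scope and the sample key and claims are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(header: dict, claims: dict, key: bytes = b"") -> str:
    """Build a constructed sample token (HS256 or unsecured) for the demo."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = b""
    if header["alg"] == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def validate_jwt(token: str, key: bytes, acceptable_algs: frozenset) -> dict:
    """Return the claims or raise ValueError; the caller names the acceptable algorithms."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except Exception as e:
        raise ValueError("malformed token") from e
    alg = header.get("alg") if isinstance(header, dict) else None
    # Application policy is checked first: the token's own header never
    # decides which algorithm (or absence of one) is good enough.
    if not isinstance(alg, str) or alg not in acceptable_algs:
        raise ValueError(f"algorithm {alg!r} not acceptable in this context")
    if alg == "none":
        if sig:
            raise ValueError("unsecured JWT must have an empty signature")
    elif alg == "HS256":
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("signature mismatch")
    else:
        raise ValueError(f"algorithm {alg!r} not implemented")
    return json.loads(b64url_decode(p64))

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample key
    unsecured = make_token({"alg": "none"}, {"sub": "admin"})
    try:
        validate_jwt(unsecured, KEY, frozenset({"HS256"}))
    except ValueError as e:
        print("rejected:", e)
```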
