Hi Brian! Thanks for this follow-up and PR. It addresses all of my COMMENT feedback.
Much appreciated!

Roman

From: Brian Campbell <bcampb...@pingidentity.com>
Sent: Wednesday, May 28, 2025 11:32 AM
To: Roman Danyliw <r...@cert.org>
Cc: The IESG <i...@ietf.org>; draft-ietf-oauth-selective-disclosure-...@ietf.org; oauth-cha...@ietf.org; oauth@ietf.org; hannes.tschofe...@gmx.net
Subject: Re: Roman Danyliw's No Objection on draft-ietf-oauth-selective-disclosure-jwt-20: (with COMMENT)

Thanks for clearing the DISCUSS Roman, https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/579/files has a few more updates aimed at your remaining comments. Please let me know if anything there looks amiss. I'll work with the co-authors and responsible AD to get a new draft out and moved forward in the process.

On Tue, May 27, 2025 at 2:02 PM Roman Danyliw via Datatracker <nore...@ietf.org> wrote:

Roman Danyliw has entered the following ballot position for
draft-ietf-oauth-selective-disclosure-jwt-20: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Thomas Fossati for the GENART review.

Thanks for addressing my DISCUSS and COMMENT feedback with -20. Below are additional recommendations based on the DISCUSS feedback:

** Section 7.1

   1. Decide which Disclosures to release to the Verifier, obtaining consent if necessary.

Thanks for revising this text in -20. I would recommend making it clear that the means to get this “consent” is out of scope for this document.

** Section 9.1

   Any of the JWS asymmetric digital signature algorithms registered in [IANA.JWS.Algorithms] that meet the security requirements described in the last paragraph of Section 5.2 of [RFC7515] can be used, including post-quantum algorithms, when they are ready.

The last paragraph of Section 5.2 of RFC7515 says:

   Finally, note that it is an application decision which algorithms may be used in a given context. Even if a JWS can be successfully validated, unless the algorithm(s) used in the JWS are acceptable to the application, it SHOULD consider the JWS to be invalid.

[on -19] -- This text from RFC7515 appears to be saying that the application decides and there aren’t any new security requirements.

[response] Hard to disagree with that observation. Do you think some change is needed as a result? That bit in Section 9.1 was mostly (I think) intended to reassure readers that post-quantum algorithms showing up in the alg registry will be usable.

[on -20] No comment on the phrase “… including post-quantum algorithms, when they are ready”. I’m reacting to the reference to RFC7515, as it seems misleading to me. Practically, it doesn’t impose any requirements, so why mention it? Would this be clearer:

NEW (roughly)
Per the last paragraph of Section 5.2 of [RFC7515], it is an application-specific decision to choose the appropriate JWS digital signature algorithm from [IANA.JWS.Algorithms].
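The RFC 7515 Section 5.2 rule discussed above (an application decides which JWS algorithms are acceptable, and a JWS with an unacceptable alg is invalid even if its signature checks out) is shown below as an added example; it is not code from the thread, the SD-JWT draft or any of its authors. It assumes an application allowlist `ALLOWED_ALGS` of its own choosing and a hypothetical `signature_valid` hook standing in for real JWS verification; the SD-JWT input is a constructed sample with a placeholder signature.

```python
import base64
import json
from typing import Callable, Optional

# Application-chosen allowlist; an assumption for this example, since RFC 7515
# Section 5.2 leaves the choice of acceptable algorithms to the application.
ALLOWED_ALGS = frozenset({"ES256", "ES384", "EdDSA"})


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def issuer_jwt_alg(sd_jwt: str) -> Optional[str]:
    """Return 'alg' from the JOSE header of the Issuer-signed JWT in an SD-JWT.
    Compact form: <Issuer-signed JWT>~<Disclosure>~...~<KB-JWT or empty>;
    only the first segment's protected header is inspected here."""
    parts = sd_jwt.split("~", 1)[0].split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        return None
    return header["alg"]


def verifier_accepts(sd_jwt: str, signature_valid: Callable[[str], bool],
                     allowed_algs: frozenset = ALLOWED_ALGS) -> bool:
    """Enforce the RFC 7515 Section 5.2 rule: the alg must be acceptable to the
    application, checked before (and independently of) signature validity.
    `signature_valid` is a hypothetical hook standing in for real JWS verification."""
    alg = issuer_jwt_alg(sd_jwt)
    if alg is None or alg not in allowed_algs:
        return False  # "none", an HMAC alg or an unknown alg is rejected outright
    return signature_valid(sd_jwt)


def constructed_sd_jwt(alg: str) -> str:
    # Constructed sample with a placeholder signature and one Disclosure, no KB-JWT.
    header = _b64url_encode({"alg": alg})
    payload = _b64url_encode({"iss": "https://issuer.example", "sub": "alice"})
    disclosure = _b64url_encode(["constructed-salt", "given_name", "Alice"])
    return f"{header}.{payload}.c2lnbmF0dXJl~{disclosure}~"
```

Note that `verifier_accepts(constructed_sd_jwt("ES256"), lambda _: True)` is accepted while the same token with `alg` set to `HS256` or `none` is rejected before any signature check runs.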
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org