Re: [Ace] Genart telechat review of draft-ietf-ace-cbor-web-token-12

[Dan Romascanu <dromasca@gmail.com>]

Hi,

See also my other notes.

I believe that what the document tries to say is:

Register R is divided into four different ranges R1, R2, R3, R4 (defining
the value limits may be useful)

Values in range R1 are allocated according to policy P1 in the case that ...
Values in range R2 are allocated according to policy P2 in the case that ...
Values in range R3 are allocated according to policy P3 in the case that ...
Values in range R4 are allocated according to policy P4 in the case that ...

But it doesn't say it. Mentioning four concurrent policies for the same
registry without separation of values range, and without providing clear
instructions when each policy is recommended to be used, seems confusing to
me, and may be confusing for users of this document in the future.

Regards,

Dan


On Tue, Feb 27, 2018 at 5:40 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Mon, Feb 26, 2018 at 11:19:04PM +0200, Dan Romascanu wrote:
> > Hi Jim,
> >
> > Thank you for your answer and for addressing my comments.
> >
> > On item #2:
> >
> >
> >
> > On Mon, Feb 26, 2018 at 10:12 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:
> >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Dan Romascanu [mailto:dromasca@gmail.com]
> > > >
> > >
> > > ...
> >
> > > >
> > > > 2. I am a little confused by the definition of policies in Section
> 9.1:
> > > >
> > > >    Depending upon the values being requested, registration requests
> are
> > > >    evaluated on a Standards Track Required, Specification Required,
> > > >    Expert Review, or Private Use basis [RFC8126] after a three-week
> > > >    review period on the cwt-reg-review@ietf.org mailing list, on the
> > > >    advice of one or more Designated Experts.
> > > >
> > > > How does this work? The request is forwarded to the designated
> expert,
> > > > he/she make a recommendation concerning the policy on the mail list,
> and
> > > > depending on the feedback received a policy is selected? Who
> establishes
> > > > consensus?
> > > >
> > > > Frankly, I wonder if this can work at all. Are there other examples
> of
> > > four
> > > > different policies for the same registry, applied on a case-to-case
> > > basis?
> > >
> > > This is the same approach that is being used for the COSE registries.
> As
> > > an example, you can look at https://www.iana.org/
> > > assignments/cose/cose.xhtml#algorithms.
> > >
> > > Part of the issue about this is that the JOSE/JWT registries do have
> the
> > > same different policies, but that differences are hidden from the IANA
> > > registry.  Since they allow for a URI to be used as the identifier of a
> > > field, only the plain text versions are registered.  Thus I can use "
> > > http://augustcellars.com/JWT/My_Tag" as an identifier.  Since for CBOR
> > > the set of tag values is closed and does not have this escape (nor
> would
> > > one want the length of the tag) it is necessary to have this break
> down of
> > > tag fields.
> > >
> > >
> > >
> > >
> > This does not seem to be exactly the same approach. The COSE RFC 8152
> > defines the registry policy in a different manner. There is only one
> policy
> > that is proposed 'Expert Review' and than the Expert Review Instructions
> > are used to define the cases when a Standards Track specification is
> > required. No such text exists in the current I-D. There is no separation
> of
> > the values space in the registry according to the type of assignment
> here,
> > as  in RFC 8152.
>
> The template in section 9.1.1 has the different policies for the
> different integer ranges, under the 'Claim Key' section.  Kathleen
> (IIRC) already noted that this should probably be repeated in the
> introductory part of section 9.1 as well, and that will be done
> before the document is sent to the IESG.
>
> -Benjamin
>