[Ace] Adam Roach's No Objection on draft-ietf-ace-cbor-web-token-13: (with COMMENT)

Adam Roach <adam@nostrum.com> Thu, 08 March 2018 00:05 UTC

To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ace-cbor-web-token@ietf.org, ace-chairs@ietf.org, kaduk@mit.edu, ace@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/e-2UWna96GxIZKbL8_hh6l8hRlE>

Adam Roach has entered the following ballot position for
draft-ietf-ace-cbor-web-token-13: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


Thanks to the WG, chairs, and


>  The "iss" (issuer) claim has the same meaning and processing rules as
>  the "iss" claim defined in Section 4.1.1 of [RFC7519], except that
>  the value is of type StringOrURI.  The Claim Key 1 is used to
>  identify this claim.

1) Given that RFC 7159 defines "iss" to contain a "StringOrURI" value, it's
   not clear what the "except" clause is attempting to convey.

2) Given the many uses of the word "type" in this context (including CBOR
   types and the JWT 'typ' field), and given that RFC 7519 never refers to
   "StringOrURI" as a "type," I think that the use of the word "type" here
   is likely to lead to reader confusion.

This comment -- or a congruent form of it involving "NumericDate" rather than
"StringOrURI" -- applies to §3.1.2 through §3.1.6.



>  Criteria that should be applied by the Designated Experts includes
>  determining whether the proposed registration duplicates existing
>  functionality, whether it is likely to be of general applicability or
>  whether it is useful only for a single application, and whether the
>  registration description is clear.  Registrations for the limited set
>  of values between -256 and 255 and strings of length 1 are to be
>  restricted to claims with general applicability.

Use of the word "between" without qualifying it as inclusive or exclusive of the
endpoints is ambiguous. Suggest either "values from -256 to 255" or "values
between -256 and 255 inclusive".



>     CBOR map key for the claim.  Different ranges of values use
>     different registration policies [RFC8126].  Integer values between
>     -256 and 255 and strings of length 1 are designated as Standards
>     Action.  Integer values from -65536 to 65535 and strings of length
>     2 are designated as Specification Required

Same comment as above.

Also, please replace "from -65536 to 65535" with "from -65536 to -257 and from
256 to 65535".