[Gen-art] Genart last call review of draft-ietf-oauth-jwt-bcp-04

Brian Carpenter via Datatracker <noreply@ietf.org> Sat, 30 March 2019 20:51 UTC

From: Brian Carpenter via Datatracker <noreply@ietf.org>
To: gen-art@ietf.org
Cc: draft-ietf-oauth-jwt-bcp.all@ietf.org, oauth@ietf.org
Reply-To: Brian Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <155397908561.3942.9798054943934320825@ietfa.amsl.com>
Date: Sat, 30 Mar 2019 13:51:25 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/2piatCs-UF-9kKGUol4vtrIjVKQ>
Subject: [Gen-art] Genart last call review of draft-ietf-oauth-jwt-bcp-04

Reviewer: Brian Carpenter
Review result: Ready with Issues

Gen-ART Last Call review of draft-ietf-oauth-jwt-bcp-04

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-oauth-jwt-bcp-04.txt
Reviewer: Brian Carpenter
Review Date: 2019-03-31
IETF LC End Date: 2019-04-08
IESG Telechat date:  

Summary: Ready with (minor) issues
--------

Minor issues:
-------------

> 2.3.  Multiplicity of JSON encodings
>
>   Previous versions of the JSON format [RFC8259] allowed several
>   different character encodings: UTF-8, UTF-16 and UTF-32.  This is not
>   the case anymore, with the latest standard only allowing UTF-8.
>   However older implementations may result in the JWT being
>   misinterpreted by its recipient.

Why is that a security issue?

> 3.6.  Avoid Length-Dependent Encryption Inputs
...
>  ...It is
>  RECOMMENDED to avoid any compression of data before encryption since
>  such compression often reveals information about the plaintext.

I'd like a citation for that, because it isn't intuitive. (And compression
after encryption is pointless, of course.)

> 3.10.  Do Not Trust Received Claims

Both the recommendations in this section seem imprecise. Maybe there
should be some hints about the verification processes.
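As an added illustration of the 3.6 point above (not part of the review or of the draft): a model of how the observable JWE ciphertext length depends on the plaintext only when the payload is compressed first. The claim sets, the issuer URL and the AES-GCM tag-length model are constructed assumptions.

```python
import json
import zlib

TAG_LEN = 16  # AES-GCM authentication tag length; AES-GCM is a JWE content-encryption algorithm

# Constructed claim sets of identical byte length. In CLAIMS_REDUNDANT the
# "sub" value repeats the issuer URL already present in "iss" and "aud"; in
# CLAIMS_RANDOM it is an 18-byte value that repeats nothing else in the message.
ISSUER = "https://as.example"  # 18 bytes, hypothetical issuer
CLAIMS_REDUNDANT = {"iss": ISSUER, "aud": ISSUER, "sub": ISSUER}
CLAIMS_RANDOM = {"iss": ISSUER, "aud": ISSUER, "sub": "xq7v3k9m2p1r5t8n0b"}


def encode_claims(claims: dict) -> bytes:
    """Serialise a claim set the way a JWT payload is: compact JSON, UTF-8."""
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")


def ciphertext_length(plaintext: bytes, compress: bool) -> int:
    """Model of the JWE ciphertext size for a given input (no real encryption).

    AES-GCM hides the content but not the length: the ciphertext is exactly
    the cipher input length plus the tag. So only the size of what is fed
    into the cipher matters here; DEFLATE (zlib) stands in for JWE's "zip".
    """
    body = zlib.compress(plaintext, 9) if compress else plaintext
    return len(body) + TAG_LEN


def length_difference(claims_a: dict, claims_b: dict, compress: bool) -> int:
    """Bytes by which the observable ciphertext length differs between two claim sets."""
    a = ciphertext_length(encode_claims(claims_a), compress)
    b = ciphertext_length(encode_claims(claims_b), compress)
    return abs(a - b)


if __name__ == "__main__":
    for compress in (False, True):
        diff = length_difference(CLAIMS_REDUNDANT, CLAIMS_RANDOM, compress)
        mode = "compressed" if compress else "uncompressed"
        print(f"{mode}: ciphertext lengths differ by {diff} byte(s)")
```

Without compression the two ciphertexts are the same size, so the length reveals nothing about which "sub" was encrypted; with compression the redundant claim set compresses to fewer bytes, so the ciphertext length alone distinguishes the two plaintexts. Padding the cipher input to a fixed size is the usual way to remove that dependency if compression cannot be avoided.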