[Gen-art] Genart telechat review of draft-ietf-ace-cbor-web-token-12

Dan Romascanu <dromasca@gmail.com> Mon, 26 February 2018 19:03 UTC

From: Dan Romascanu <dromasca@gmail.com>
To: gen-art@ietf.org
Cc: ace@ietf.org, ietf@ietf.org, draft-ietf-ace-cbor-web-token.all@ietf.org, dromasca@gmail.com
Date: Mon, 26 Feb 2018 11:03:07 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/7GPNKnlQ7klcgAqkwt4XZtQ2kko>
Subject: [Gen-art] Genart telechat review of draft-ietf-ace-cbor-web-token-12

Reviewer: Dan Romascanu
Review result: Almost Ready

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please wait for direction from your
document shepherd or AD before posting a new version of the draft.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-ace-cbor-web-token-12
Reviewer: Dan Romascanu
Review Date: 2018-02-26
IETF LC End Date: 2018-03-06
IESG Telechat date: 2018-03-08

Summary:

This is a clear and detailed specification, which is almost ready for
publication. There are, however, a couple of issues that I recommend be
discussed and addressed before the document is approved.

Major issues:

1. CWT is derived from JWT (RFC 7519) using CBOR rather than JSON for encoding.
The rationale as explained in the document is related to efficiency for some
IoT systems. The initial claims registry defined in Section 9.1 is identical
(semantically) with the initial claims registry defined in Section 10.1 of RFC
7519. Is this parallelism supposed to continue? If the two registries will
continue to evolve in parallel, maybe there should be a mechanism at IANA to
make this happen. Was this discussed by the WG? Maybe there is a need to
include some text about the relationship between the two registries.

2. I am a little confused by the definition of policies in Section 9.1:

   Depending upon the values being requested, registration requests are
   evaluated on a Standards Track Required, Specification Required,
   Expert Review, or Private Use basis [RFC8126] after a three-week
   review period on the cwt-reg-review@ietf.org mailing list, on the
   advice of one or more Designated Experts.

How does this work? The request is forwarded to the designated expert, he/she
makes a recommendation concerning the policy on the mail list, and depending on
the feedback received a policy is selected? Who establishes consensus?

Frankly, I wonder if this can work at all. Are there other examples of four
different policies for the same registry, applied on a case-by-case basis?

I would also observe that this is different from the policy defined for the
parallel registry for JWT (Section 10.1 in RFC 7519) which is Specification
Required.

Minor issues:

Nits/editorial comments: