Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

Phil Hunt <phil.hunt@oracle.com> Wed, 02 August 2017 17:26 UTC

From: Phil Hunt <phil.hunt@oracle.com>
Message-Id: <BA9AC21F-99A4-45F6-B9F4-38323E915C33@oracle.com>
Date: Wed, 02 Aug 2017 10:26:42 -0700
In-Reply-To: <CABzCy2Cxhs_4soMY+iKwva4YrCpKD9fGngb+ffMV6z2nwzJg0A@mail.gmail.com>
Cc: "M.Lizar@OCG" <m.lizar@openconsentgroup.com>, Mike Jones <Michael.Jones@microsoft.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, SecEvent <id-event@ietf.org>
To: Nat Sakimura <sakimura@gmail.com>
References: <e6649728-f94a-93f5-9885-c948a5b0ed49@gmail.com> <CY4PR21MB0504DEA69A048EADE122995DF5B20@CY4PR21MB0504.namprd21.prod.outlook.com> <D263DE2D-48F7-4AF5-B96F-B83AAED779F6@openconsentgroup.com> <CABzCy2Cxhs_4soMY+iKwva4YrCpKD9fGngb+ffMV6z2nwzJg0A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/A_blQFrxIi9w8lXGZ8GTBtvQ04s>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

Nat,

Thanks for the read.

For #1 - should we move that paragraph to section 2 and leave some more generalized statement in section 1?

For #2 - I think the paragraph starting “An outer JSON object that acts…” could be improved. Agreed that something along the lines of defined in JWT should be used.

I recall #3 came up before as part of the delivery spec discussions.  My intent is that when using unsecured JWTs the receiver has to validate via the method of delivery.  E.g. was the JWT delivered over a mutually authenticated channel?

Sections 4.1 and 4.2 cover the issue, albeit indirectly.

I will go over the text and see what improvement could be made - probably in security considerations.

Phil

Oracle Corporation, Identity Cloud Services Architect & Standards
@independentid
www.independentid.com
phil.hunt@oracle.com
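The receiver-side distinction Phil describes above, as an added example in Python (not code from the draft, from Phil, or from anyone in this thread): a signed SET is validated by its signature, while an unsecured JWT (alg "none") carries nothing that proves who issued it, so the issuer check has to come from the delivery channel, here modelled as the peer identity that a mutually authenticated TLS connection established. The issuer and audience URLs, the HS256 shared key, the `jti` and the event URI are all constructed for the example; the `ISSUER_HS256_KEYS` table stands in for real key management.

```python
"""Added example: validating a SET whose issuer is proven either by a
signature or, for an unsecured JWT, by the authenticated delivery channel."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical issuer and constructed shared secret; real deployments would
# back this with their own key management.
ISSUER_HS256_KEYS = {
    "https://issuer.example.com": b"constructed-shared-secret-do-not-reuse",
}
CLOCK_SKEW_SECONDS = 300


class SetValidationError(Exception):
    """Raised when a SET must be rejected; the message says why."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_set(claims: dict, alg: str = "none", key: Optional[bytes] = None) -> str:
    """Build a compact-serialized SET; alg 'none' yields an unsecured JWT."""
    header = _b64url_encode(json.dumps({"typ": "secevent+jwt", "alg": alg}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."          # empty signature segment
    if alg == "HS256":
        if key is None:
            raise ValueError("HS256 needs a key")
        mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url_encode(mac)
    raise ValueError(f"unsupported alg {alg!r}")


def validate_set(token: str, expected_aud: str,
                 transport_peer: Optional[str] = None,
                 now: Optional[float] = None) -> dict:
    """Return the SET's claims or raise SetValidationError.

    transport_peer is the issuer identity the *transport* authenticated (for
    example the subject of the client certificate on a mutually authenticated
    TLS connection), or None when the channel authenticated nobody.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise SetValidationError("not a compact JWT")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError as exc:
        raise SetValidationError(f"malformed segment: {exc}")
    alg = header.get("alg")
    iss = claims.get("iss")
    if not isinstance(iss, str):
        raise SetValidationError("missing iss")

    if alg == "none":
        # Unsecured JWT: the token itself proves nothing about its issuer,
        # so the channel that delivered it must have authenticated the issuer.
        if parts[2] != "":
            raise SetValidationError("unsecured JWT must have an empty signature")
        if transport_peer is None:
            raise SetValidationError("unsecured SET on a channel with no peer authentication")
        if transport_peer != iss:
            raise SetValidationError(f"channel peer {transport_peer!r} does not match iss {iss!r}")
    elif alg == "HS256":
        key = ISSUER_HS256_KEYS.get(iss)
        if key is None:
            raise SetValidationError(f"no key configured for issuer {iss!r}")
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            raise SetValidationError("signature verification failed")
    else:
        raise SetValidationError(f"unsupported alg {alg!r}")

    # Claim checks common to both cases.
    for name in ("iat", "jti", "events"):
        if name not in claims:
            raise SetValidationError(f"missing required claim {name!r}")
    if not isinstance(claims["events"], dict) or not claims["events"]:
        raise SetValidationError("events must be a non-empty object")
    aud = claims.get("aud")
    if aud is not None:
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            raise SetValidationError("aud does not include this receiver")
    current = time.time() if now is None else now
    if claims["iat"] > current + CLOCK_SKEW_SECONDS:
        raise SetValidationError("iat is in the future")
    return claims


def accepts(token: str, expected_aud: str, transport_peer: Optional[str] = None) -> bool:
    """Convenience wrapper: True if validate_set accepts the token."""
    try:
        validate_set(token, expected_aud, transport_peer)
        return True
    except SetValidationError:
        return False


# Constructed sample claims (hypothetical URLs and identifiers).
EXAMPLE_CLAIMS = {
    "iss": "https://issuer.example.com",
    "aud": "https://receiver.example.com",
    "iat": int(time.time()),
    "jti": "constructed-jti-0001",
    "events": {"https://example.com/events/constructed-event": {}},
}

if __name__ == "__main__":
    unsecured = make_set(EXAMPLE_CLAIMS, "none")
    print("unsecured, mutually authenticated channel:",
          accepts(unsecured, "https://receiver.example.com", "https://issuer.example.com"))
    print("unsecured, anonymous channel:", accepts(unsecured, "https://receiver.example.com"))
```

Because the alg "none" branch insists on a channel-authenticated peer that equals `iss`, a signed token re-encoded with `alg: none` is rejected on any channel that did not authenticate the issuer, which is the downgrade a receiver that accepts unsecured JWTs has to worry about.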
> On Aug 2, 2017, at 10:07 AM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> Thanks, it looks generally good. I had only three small nits. 
> 
> 1) "MUST NOT" in the introduction. 
> ---------------------------------------------------
> I feel that it is better to have this MUST NOT in the main text. The introduction often is skipped by a reader. 
> 
> 2) Potentially missing "defined in" in Section 2, the first bullet
> ------------------------------------------------------------------------------------------------------
> There seems to be missing "defined in" in the sentence "the JWT Token Claims Registry Section 10.1".
> 
> 3) Issuer validation
> ----------------------------------
> I am not sure how to do an issuer validation when using unsecured JWT. 
> Adding more explanation would be beneficial. 
> 
> Best, 
> 
> Nat
> 
> On Wed, Aug 2, 2017 at 1:18 AM M.Lizar@OCG <m.lizar@openconsentgroup.com> wrote:
> +1 on existing text.
> 
> Agree the document is ready to publish
> 
> - Mark
> 
>> On 31 Jul 2017, at 16:53, Mike Jones <Michael.Jones@microsoft.com> wrote:
>> 
>> I believe that the specification is ready to publish as-is.  It already meets the needs of the known use cases and is in production use.
>>  
>>                                                                 -- Mike
>>  
>> From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Yaron Sheffer
>> Sent: Monday, July 31, 2017 1:40 PM
>> To: SecEvent <id-event@ietf.org>
>> Subject: [Id-event] WG Last Call for draft-ietf-secevent-token-02
> 
>>  
>> This is to announce working group last call on this draft (https://datatracker.ietf.org/doc/draft-ietf-secevent-token/).
>> 
>> Please send your comments to the list. Even if you are perfectly happy with the draft, please let us know that you support its publication as-is by posting to the list.
>> 
>> Because of the summer holidays, this last call is open for 3 weeks, until Aug. 21.
>> 
>> Thanks,
>>     Dick and Yaron
> 
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org
>> https://www.ietf.org/mailman/listinfo/id-event
> -- 
> Nat Sakimura
> 
> Chairman of the Board, OpenID Foundation