IETF Logo Mail Archive

Re: [jose] Working Group Last Call (WGLC) for draft-ietf-jose-cookbook-03

Matt Miller <mamille2@cisco.com> Wed, 06 August 2014 14:45 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAA691B27F8 for <jose@ietfa.amsl.com>; Wed, 6 Aug 2014 07:45:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u1EDmh2tnGc4 for <jose@ietfa.amsl.com>; Wed, 6 Aug 2014 07:45:39 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D488B1A063E for <jose@ietf.org>; Wed, 6 Aug 2014 07:45:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11011; q=dns/txt; s=iport; t=1407336338; x=1408545938; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=Yspm2W91Xf5q5muVZ/PWjeFBtLHhXG4wirpQr5xLC00=; b=ajbwKEekHuYIyv6kgAwmG2jrpzS5lEpO8GjZYD6+0Rs/zPM1Iypn6Mgp HAAhvFWGGGv3CLI2EyuvvOgHX0ycem4djPkv8FhKZp5waLPi7Wc/TlOeh NBjxiZhC9A66/YZ4+fs7iaSof4LZoKaXdg+7k5mA6ArrSYJBuop+v3Jb7 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjkHAAA/4lOtJV2T/2dsb2JhbABagw1SVwSuGAEBAQEBAQUBbp0JCoYAgUgBgRIWd4QDAQEBAwEBAQEJEQoLATsKAQwECw4DBAEBAQkWCAcJAwIBAgEVHwkIBgEMAQUCAQGINggNw2cXhXyJHTMHBoRFAQSFAIYTg2mGL4I5hC6BVIVQjUGBXQIZgXtNgQYkHA
X-IronPort-AV: E=Sophos;i="5.01,812,1400025600"; d="scan'208";a="66999654"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by alln-iport-2.cisco.com with ESMTP; 06 Aug 2014 14:45:36 +0000
Received: from xhc-rcd-x05.cisco.com (xhc-rcd-x05.cisco.com [173.37.183.79]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id s76EjaVB004847 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 6 Aug 2014 14:45:36 GMT
Received: from [10.129.24.46] (10.129.24.46) by xhc-rcd-x05.cisco.com (173.37.183.79) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 6 Aug 2014 09:45:36 -0500
Message-ID: <53E23F93.1060901@cisco.com>
Date: Wed, 06 Aug 2014 08:45:39 -0600
From: Matt Miller <mamille2@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
References: <53CFC9A4.3000500@isoc.org> <4E1F6AAD24975D4BA5B16804296739439AE06688@TK5EX14MBXC293.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439AE06688@TK5EX14MBXC293.redmond.corp.microsoft.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.129.24.46]
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/9-UCd5WbK7pCLrZzh6Id-Qcmew4
Cc: Karen O'Donoghue <odonoghue@isoc.org>
Subject: Re: [jose] Working Group Last Call (WGLC) for draft-ietf-jose-cookbook-03
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2014 14:45:42 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Thank you for your feedback, Mike.

More comments inline.

On 8/5/14, 7:21 PM, Mike Jones wrote:
> COMMENTS ON NORMATIVE CONTENT
> 
> 
> 
> 1.  This document contains a wealth of useful JWS and JWE examples
> using a broad selection of algorithms.  My review primary review
> comment is that it should also contain a section with illustrative
> JWK examples. These examples should intentionally illustrate corner
> cases that will actually occur that developers might get wrong.  I
> would suggest adding these JWK examples:
> 
> 
> 
> 1a.  JWK with “kty”: “RSA”, e=65537, and 2048 bit “n”.  I would
> point out that neither can legally be prefixed by with extra zero
> bytes. (Examples have been found in the wild in which developers
> mistakenly represent “n” values by encoding an extra leading byte –
> the extra byte being zero – rather than encoding the specified
> number of bytes – the highest-order bit of which is always 1 for a
> correctly generated key. For instance, such mis-representations
> encode 257 bytes for a 2048 bit key, rather than 256 bytes.)
> 
> 
> 
> 1b.  JWK with “kty”: “EC”, “crv”: “P-256”, and for which the
> high-order byte of one of “x” or “y” are zero.  I would point out
> that the high-order bytes are required to be represented, even if
> zero.  I would also point out that extra zero bytes are not
> permitted.
> 
> 
> 
> 1c.  JWK with “kty”: “EC”, “crv”: “P-521”, and for which the
> high-order (521^st ) bit of one of “x” or “y” are zero (and because
> only one significant bit is used to represent the 521^st bit in the
> high-order byte, consequently the corresponding high-order byte is
> zero).    I would point out that the high-order bytes are required
> to be represented, even if zero.  I would also point out that extra
> zero bytes are not permitted.
> 
> 
> 
> 1d.  JWK with “kty”: “oct” and 128 bit “k” value in which the
> high-order byte is zero.  I would point out that the high-order
> bytes are required to be represented, even if zero.  I would also
> point out that extra zero bytes are not permitted.
> 
> 
> 
> This will also necessitate revising some descriptive text at
> various locations in the specification.  For instance, a new
> sentence at the end of the Abstract should added “This document
> also illustrates a sampling of JSON Web Key (JWK)
> representations”.
> 
> 

The document includes all of the above, but does not call them out
specifically.  I can add a section that copies a representative sample
of JWKs from elsewhere in the document.

> 
> 2.  Terminology usage throughout the document:  You should replace
> uses of the term “Protected JWS Header” with “JWS Protected
> Header”, to match the JWS spec.  Likewise, you should replace
> “Protected JWE Header” with “JWE Protected Header”, “Unprotected
> JW* Header” with “JW* Unprotected Header”, etc.
> 
> 
> 
> The terms “JWS Header” and “JWE Header” were replaced with the
> term “JOSE Header” in the -29 versions.  You need to apply this
> change as well.
> 
> 
> 
> I’d likewise check other terms to make sure the ones you’re using
> match the other JOSE specs.
> 
> 

I'll make the appropriate changes.  We better be done changing our
dictionary (-:

> 
> 3.  Section 3.1.2 (Signing Operation):  You show the JOSE header
> value as containing line breaks and whitespace, but the base64url
> encoded version of it does not contain these characters.  You need
> to say that the unencoded form is shown with extra whitespace for
> readability but that, for brevity, the cookbook omits these
> formatting characters that don’t change the meaning of the JSON in
> the base64url encoded versions. You should also say that they need
> not have been omitted, as they would have been legal in the
> base64url encoded JSON object.
> 
> 
> 
> I first noticed this inconsistency in Section 3, but it happens 
> everywhere you display a JOSE Header value.  You probably need to
> say something general about this, as well as say something specific
> about it the first time it occurs in an example.

Section 1.1 already contains the following paragraph:

All of the examples in this document have whitespace added to improve
formatting and readability. Except for JWE plaintext or JWS payload
content, whitespace is not part of the cryptographic operations.
Unless otherwise noted, the JWE plaintext or JWS payload content does
include “ “ (U+0020 SPACE) characters; line breaks (U+000A LINE FEED)
are added to improve readability but are not present in the JWE
plaintext or JWS payload.

Do you have a suggestion for better wording?  Does the working group
believe this needs to be repeated in very section?

> 
> 
> 
> 4.  Section 3.1.2 (Signing Operation):  You refer to the “combined 
> projected JWS header and payload content”.  It might be useful to 
> readers to elaborate more on the combination.  You could, for
> instance, say that they are “combined … into the JWS Signing Input
> value, as described in Section 5.1 of [JWS]”.  I might do this for
> at least the first signing example.  At the very least, the term
> “JWS Signing Input” describing this intermediate result should
> probably appear somewhere.
> 
> 

I can add the intermediate examples.

> 
> 5.  Section 3.1.3 (Output Results):  You show a result using the
> JWS Compact Serialization but with line breaks in it.  You need to
> say that the line breaks within the output value are for display
> purposes only. For what it’s worth, the JWS spec does this by
> including the phrases “(with line breaks for display purposes
> only)” or “(with line breaks within values for display purposes
> only)”, where appropriate, in the description of the value.  This
> situation occurs throughout the specification.
> 
> 

See above regarding Section 1.1.

> 
> 6.  Section 3.1.3 (Output Results):  You show a result using the
> JWS JSON Serialization with line breaks within some values.  This
> would be an appropriate place to use the “(with line breaks within
> values for display purposes only)” language.  This situation occurs
> throughout the specification.
> 

See above regarding Section 1.1.

> 
> 
> 
> 
> EDITORIAL COMMENTS
> 
> 
> 
> E0.  I would suggest taking the HTML output and running it through
> a grammar checker, such as the one in Microsoft Word.  This will
> catch a number of simple phrasing problems, omitted words, and
> repeated words. Some specific editorial comments follow.
> 
> 

I admittedly turned off my spell checkers once most of the examples
were in place due to the rather high signal-to-noise ratio.

> 
> E1.  In the Abstract, the first “sentence” is missing a verb, and
> so is actually a fragment.  I’d change it to “This specification
> contains set of examples using JavaScript Object Signing and
> Encryption (JOSE) functionality to protect data”.
> 
> 
> 
> E2.  In the Introduction, I would change the document order to JWS,
> JWE, JWK, JWA – as that is the standard order we usually talk about
> them in – in part, because if a developer uses only one of (JWS,
> JWE, and JWK), it tends to be JWS – so it makes sense to start with
> it.  JWA is last because it’s used by all the others.  JWE follows
> JWS because it makes sense to group encryption with signing.  Which
> leaves JWK in the third spot.
> 
> 
> 
> E3.  In the Introduction, this sentence seems overly negative:
> “The full set of permutations is extremely large, and might be
> daunting to some”.  I’d reword it to: “While the full set of
> permutations is large, and might be daunting to some, it is
> expected that most applications will choose a relatively
> constrained set of algorithms and combinations that meet their
> needs”.
> 
> 
> 
> E4.  Introduction: “compile together” -> “compile”
> 
> 
> 
> E5.  Section 1.1:  “enough factors” -> “enough information”
> 
> 
> 
> E6.  Section 1.1:  “or to validate or to validate” -> “or to
> validate”
> 
> 
> 
> E7.  Section 1.1: “some algorithms inherently use random data and
> cannot be exactly replicated” -> “some algorithms inherently use
> random data and therefore computations employing them cannot be
> exactly replicated”
> 
> 
> 
> E8.  In the Terminology section, use the document order JWS, JWE,
> JWK, JWA.
> 
> 
> 
> E9.  Section 3: “the sequence “\xe2\x80\x99” substituted” -> “the 
> sequence “\xe2\x80\x99” is substituted”
> 
> 
> 
> E10.  Section 3: “line breaks (U+000A LINE FEED) replacing some “
> “ (U+0020 SPACE)” -> “line breaks (U+000A LINE FEED) replace some 
> instances of “ “ (U+0020 SPACE)”
> 
> 
> 
> E11.  Section 4:  Apply the same editorial corrections to the
> second paragraph as E9 and E10 above.
> 
> 
> 
> E12.  Acknowledgments: “quotes” -> “quotations”
> 
> 
> 
> E13.  Acknowledgments: Uses of “;” should be changed to “,”.
> 
> 
> 
> 
> 
> -----Original Message----- From: jose
> [mailto:jose-bounces@ietf.org] On Behalf Of Karen ODonoghue Sent:
> Wednesday, July 23, 2014 7:42 AM To: jose@ietf.org Subject: [jose]
> Working Group Last Call (WGLC) for draft-ietf-jose-cookbook-03
> 
> 
> 
> Folks,
> 
> 
> 
> This message starts a two week working group last call for the
> jose cookbook document "Examples of Protecting Content using
> JavaScript Object Signing and Encryption (JOSE)"
> 
> (https://tools.ietf.org/html/draft-ietf-jose-cookbook-03)
> 
> 
> 
> Please review the document and send comments, questions to the
> Working Group mailing list < jose at ietf.org > or the co-chairs
> <jose-chairs at tools.ietf.org > before the end of the WGLC.
> 
> 
> 
> Please note that suggested changes which include proposed text will
> be more strongly considered than those without. Additionally, even
> if you have no comments, statements to the effect that "I have read
> this document and believe it is ready for publication" are
> helpful.
> 
> 
> 
> Regards,
> 
> Karen and Jim
> 
> 
> 
> _______________________________________________
> 
> jose mailing list
> 
> jose@ietf.org <mailto:jose@ietf.org>
> 
> https://www.ietf.org/mailman/listinfo/jose
> 


- -- 
- - m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJT4j+SAAoJEDWi+S0W7cO1Iy4H/Rt6W6n4abVcEbyIMrFe/zZP
QkJNe1bFBFFmytTz+Djp+gfEsd3ZhseaS8EiwozOWdrlkvcAUR3lIvOgt4LU4tTf
oVV94W41T5azuXavXNjVSgXR7vLtYkOpt991d5oqqU7VRPnA58EsJbCOaUkmrieA
Fi4MLqYKAq4qIHBZvGqRELFhqYhTG4yT9ueoCwpcsN2iEveEU0kjlF+eyEVFS8dn
7IF4kSy6HYyhWzFVfrQ0996Y/hv/50cpJEnGy4Mhlem41Gv3KhsqCV+EexNVrS46
NO1P0UzM/Hv6uYElAucvx6E249n2tQlFkQ+ZJqWJu1qhfsVGmrfQ0rZTwVZ8CXk=
=Km7Y
-----END PGP SIGNATURE-----

v2.34.0 | Report a Bug | By Email | System Status