Re: [jose] AD review of draft-ietf-jose-jws-signing-input-options
Mike Jones <Michael.Jones@microsoft.com> Tue, 24 November 2015 23:35 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43DC91A92B7 for <jose@ietfa.amsl.com>; Tue, 24 Nov 2015 15:35:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOXhTXZ8SQyE for <jose@ietfa.amsl.com>; Tue, 24 Nov 2015 15:35:20 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0140.outbound.protection.outlook.com [207.46.100.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E97FE1A92AF for <jose@ietf.org>; Tue, 24 Nov 2015 15:35:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=xDKe43nznYJ2o1OcNsKfLAVGHaQXc8zaxbll3Vv9pC0=; b=lK7hKBZM09c8Col78WwuCyP/Oa7wNwaOlljg19hfn1fZ5ExRZi8LCEC6Pux0N2y7rKAC1FcATxEPkzvbi1WXHCCCApIzu64S4Q49bOqM83tz4Bq5BRsyejMNvuJVjtO+TZTozvsqrZWA4IOXerQDMvEEc++cFhxeX9z/rgmfs88=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.331.20; Tue, 24 Nov 2015 23:35:16 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0331.023; Tue, 24 Nov 2015 23:35:16 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] AD review of draft-ietf-jose-jws-signing-input-options
Thread-Index: AQHRJiHzzbZQlG1LnE6lmNPed1aozp6rzaVg
Date: Tue, 24 Nov 2015 23:35:16 +0000
Message-ID: <BY2PR03MB442BBCA83BE31BF5EC9D56CF5060@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAHbuEH5Y4U0fUB778F2vuVvrsRObh3gbx+pWkw5kkhUsioJJxQ@mail.gmail.com>
In-Reply-To: <CAHbuEH5Y4U0fUB778F2vuVvrsRObh3gbx+pWkw5kkhUsioJJxQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [2001:4898:80e8:a::650]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:CcUT9cTAQMwpREkgM5xcV6TnhJASgrgPLZQabRYr/mXLxvjQXI64kOAoYA/81NXKxna2I0cRgAJ03h4giyC3CYdRDWDstK5dJEXWX6oiMjhNdnLLGZPfEJe2L0HbmwREpaVCpksufIUWYTqHPVFYhg==; 24:tWsptE9Cv4DMn9pwiZ9i9LvFkwiLHMP0Q2Ay1OfZcI89XkU6yq1IooBDitkk6kqlqcb+rE9UMnLEB56tkFhFOdpZZnprDWVadcFXs6iAaDc=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <BY2PR03MB44106A3F5D125843BD7ED76F5060@BY2PR03MB441.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(520078)(5005006)(8121501046)(3002001)(10201501046)(61426024)(61427024); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 0770F75EA9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(13464003)(377454003)(51444003)(43784003)(199003)(77096005)(189998001)(86362001)(54356999)(11100500001)(86612001)(10290500002)(5005710100001)(10400500002)(5004730100002)(8990500004)(10090500001)(33656002)(5008740100001)(97736004)(92566002)(19580395003)(2950100001)(19580405001)(101416001)(5001960100002)(2900100001)(5001770100001)(2501003)(15975445007)(107886002)(76576001)(81156007)(586003)(99286002)(122556002)(230783001)(87936001)(102836003)(6116002)(5002640100001)(76176999)(40100003)(106356001)(106116001)(5007970100001)(105586002)(74316001)(50986999)(5003600100002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Nov 2015 23:35:16.6592 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/9skRNfsch_di46nIMVv7Q15XIXE>
Subject: Re: [jose] AD review of draft-ietf-jose-jws-signing-input-options
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2015 23:35:24 -0000
Thanks for your comments, Kathleen. Replies are inline below... > -----Original Message----- > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Kathleen Moriarty > Sent: Monday, November 23, 2015 11:06 AM > To: jose@ietf.org > Subject: [jose] AD review of draft-ietf-jose-jws-signing-input-options > > Dear Mike & JOSE WG, > > Thanks for your work on this draft! I just have a few nits and am hoping you > can turn this around quickly so I can kick off IETF last call. -06 has been published, which addresses these review comments. > Abstract: > The last sentence should state what is prohibited since it does not add a lot > of text rather than saying 'this option". > > How about: > > "This specification updates RFC 7519 by prohibiting the use of the > base64url-encode option in JSON Web Tokens (JWTs)." Replaced "this option" with "the unencoded payload option". > Section 7, Security considerations. > > The first sentence is really hard to parse as written: > > "[JWS] base64url-encodes the JWS Payload to restrict the character set > used to represent it to characters that are distinct from the > delimiters that separate it from other JWS fields." > > I'm not sure what you mean by representing something 'to characters' > either. Maybe you meant something slightly different than what's there? I rewrote this sentence. > Second paragraph, first sentence: > This is a run-on, please fix it: > "One potential problem that applications using this extension may need > to address is that if a JWS is created using "b64" with a "false" > value and is received by an implementation not supporting the "b64" > Header Parameter, then the signature or MAC will still verify > correctly but the recipient will believe that the JWS Payload value > is the base64url decoding of the payload value received, rather than > the payload value received itself." I rewrote this one as well. > The next sentence needs a comma: > Change from: > > For example, if the payload value > received is "NDA1" an implementation not supporting this extension > will think that the intended payload is the base64url decoding of > this value, which is "405". > > To: > > For example, if the payload value > received is "NDA1", an implementation not supporting this extension > will think that the intended payload is the base64url decoding of > this value, which is "405". Done > IDnits: > Can you check the 2119 language? IDnits is showing an error, so maybe > something is slightly off: > > == The document seems to lack the recommended RFC 2119 boilerplate, > even if > it appears to use RFC 2119 keywords -- however, there's a paragraph with > a matching beginning. Boilerplate error? > > (The document does seem to have the reference to RFC 2119 which the > ID-Checklist requires). > > The other errors that show up are all fine from my check. I think that's because it said "this specification" rather than "this document". I've changed it back. > Examples: I see Jim's note that the examples have been validated by a non- > author implementation. SHould there be an ack for this person's work? Great point! Vladimir's contribution is now acknowledged (as is yours). > Thanks! > > -- > > Best regards, > Kathleen > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose Thanks again, -- Mike
- [jose] AD review of draft-ietf-jose-jws-signing-i… Kathleen Moriarty
- Re: [jose] AD review of draft-ietf-jose-jws-signi… Mike Jones
- Re: [jose] AD review of draft-ietf-jose-jws-signi… Kathleen Moriarty