Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-json-web-key-33: (with DISCUSS and COMMENT)

"Jim Schaad" <ietf@augustcellars.com> Mon, 06 October 2014 20:31 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>, 'The IESG' <iesg@ietf.org>
References: <20141002111501.6046.52416.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAF0C1E@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BAF0C1E@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Mon, 06 Oct 2014 13:28:26 -0700
Message-ID: <00c601cfe1a4$15d32900$41797b00$@augustcellars.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/Julu-rfwVao1dVJ6VlbuJI3iIGU
Cc: jose-chairs@tools.ietf.org, draft-ietf-jose-json-web-key@tools.ietf.org, jose@ietf.org
Subject: Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-json-web-key-33: (with DISCUSS and COMMENT)


> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Monday, October 06, 2014 12:54 AM
> To: Stephen Farrell; The IESG
> Cc: jose-chairs@tools.ietf.org; draft-ietf-jose-json-web-key@tools.ietf.org;
> jose@ietf.org
> Subject: Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-json-web-key-33:
> (with DISCUSS and COMMENT)
> 
> Thanks for your review, Stephen.  I'm adding the working group to the thread
> so they're aware of your comments.
> 
> > -----Original Message-----
> > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> > Sent: Thursday, October 02, 2014 4:15 AM
> > To: The IESG
> > Cc: jose-chairs@tools.ietf.org;
> > draft-ietf-jose-json-web-key@tools.ietf.org
> > Subject: Stephen Farrell's Discuss on draft-ietf-jose-json-web-key-33:
> > (with DISCUSS and COMMENT)
> >
> > Stephen Farrell has entered the following ballot position for
> > draft-ietf-jose-json-web-key-33: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> >
> > Please refer to
> > http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-key/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> >
> > nearly a nit, but would impact code so a discuss to make sure we get it
> > right...
> >
> > 4.5: saying kid is case sensitive precludes use of DNS names there or
> > introduces bugs if those are used.  Since DNS names are the primary
> > way we distinguish things on the Internet, that seems odd. I don't
> > think that you need to say case- insensitive here but that you might
> > want to say that DNS names SHOULD be [lower|upper]cased before being
> used in kid parameters.
> 
> OK

I worry that if we start providing guidance on DNS names, then we need to
worry about the I18N implications.  I don't remember if these are both case
sensitive and easy to do the case conversion on.


> 
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> >
> > 4.8/4.9: the disconnect with DANE and other specs that use
> > HASH(SPKI) as a thumbprint is a pity (but can be fixed later). How'd that
> > happen?
> 
> The current thumbprint calculation is the one used by OpenSSL and Windows,
> among others.
> 
> The first time this issue was raised was during Tero Kivinen's secdir review.  In
> that discussion, I pointed out that other specs are free to define header
> parameter(s) to represent the HASH(SPKI) thumbprint and register them.  (I
> even pointed him to draft-jones-jose-jwk-thumbprint-01 as an example of a
> spec making a similar registration that he could use as an example if he
> wanted to write it up.)  He thought that that definition would be useful to the
> IoT community, so I expect that someone will do that when the need arises.

I would also say that a hash of the full certificate is needed if you care
about the extensions in the certificate as well.  Many of the bare-key cases
don't care about this; they are just using a cert to carry the key.

> 				Thanks again,
> 				-- Mike
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
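The two thumbprints discussed above (the x5t/x5t#S256 hash over the whole DER certificate in 4.8/4.9, and the HASH(SPKI) style used by DANE) side by side, as an added example that is not code from the draft or from anyone in this thread. To run offline with only the Python standard library it builds a constructed, unsigned, minimal DER certificate (the RSA modulus is derived from a fixed string, the signature is all zeros, and the subject name "example" is made up); the DER encoder/parser helpers are the example's own, not an API of any library. It then shows the point made in the reply: adding a basicConstraints CA:TRUE extension changes x5t#S256 but leaves the SPKI hash unchanged.

```python
"""Added example, not code from the draft or from anyone in this thread: the JWK
x5t#S256 thumbprint (SHA-256 over the whole DER certificate) beside the
DANE-style SHA-256 over the SubjectPublicKeyInfo.  The certificate is a
constructed, unsigned, minimal DER structure (constructed modulus, zero
signature) so the script runs offline with only the standard library."""
import base64
import hashlib

SEQ, SET, BOOL, INT, BITSTR, OCTSTR, OID, UTF8, UTCTIME = (
    0x30, 0x31, 0x01, 0x02, 0x03, 0x04, 0x06, 0x0C, 0x17)

def der(tag, body):
    """Encode one DER TLV with definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def integer(value):
    """DER INTEGER; the extra bit keeps the sign bit clear for positive values."""
    return der(INT, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs, MSB first)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(OID, bytes(body))

RSA_ENCRYPTION = der(SEQ, oid("1.2.840.113549.1.1.1") + b"\x05\x00")
SHA256_WITH_RSA = der(SEQ, oid("1.2.840.113549.1.1.11") + b"\x05\x00")
# basicConstraints (2.5.29.19), critical, CA:TRUE: an extension a bare-key hash never sees
BASIC_CONSTRAINTS_CA = der(SEQ, oid("2.5.29.19") + der(BOOL, b"\xff")
                           + der(OCTSTR, der(SEQ, der(BOOL, b"\xff"))))

def build_spki():
    """SubjectPublicKeyInfo around a constructed (not real) 2048-bit RSA modulus."""
    n = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big") | 1
    return der(SEQ, RSA_ENCRYPTION + der(BITSTR, b"\x00" + der(SEQ, integer(n) + integer(65537))))

def build_cert(extensions=()):
    """Minimal v3 Certificate; the signature BIT STRING is an all-zero placeholder."""
    name = der(SEQ, der(SET, der(SEQ, oid("2.5.4.3") + der(UTF8, b"example"))))
    validity = der(SEQ, der(UTCTIME, b"140101000000Z") + der(UTCTIME, b"150101000000Z"))
    tbs = der(0xA0, integer(2)) + integer(1) + SHA256_WITH_RSA + name + validity + name + build_spki()
    if extensions:
        tbs += der(0xA3, der(SEQ, b"".join(extensions)))  # [3] EXPLICIT Extensions
    return der(SEQ, der(SEQ, tbs) + SHA256_WITH_RSA + der(BITSTR, b"\x00" + bytes(256)))

def der_read(buf, pos=0):
    """Parse the TLV header at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def der_children(buf, start, end):
    """Raw TLV bytes of each element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        _, _, value_end = der_read(buf, pos)
        out.append(buf[pos:value_end])
        pos = value_end
    return out

def extract_spki(cert):
    """subjectPublicKeyInfo from a DER Certificate: the bytes a DANE-style pin hashes."""
    _, s, e = der_read(cert)
    tbs = der_children(cert, s, e)[0]                  # tbsCertificate
    _, ts, te = der_read(tbs)
    fields = der_children(tbs, ts, te)
    # version [0] is OPTIONAL; when absent every later field shifts up by one
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def x5t_s256(cert):
    """JWK 'x5t#S256': base64url(SHA-256(DER certificate)), padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert).digest()).rstrip(b"=").decode()

def spki_sha256(cert):
    """DANE selector 1 / matching type 1 style: hex SHA-256 over the SPKI only."""
    return hashlib.sha256(extract_spki(cert)).hexdigest()

def compare():
    """Same key with and without CA:TRUE: the SPKI hash cannot tell them apart."""
    plain, with_ca = build_cert(), build_cert([BASIC_CONSTRAINTS_CA])
    return {"x5t#S256 plain": x5t_s256(plain), "x5t#S256 with CA": x5t_s256(with_ca),
            "spki plain": spki_sha256(plain), "spki with CA": spki_sha256(with_ca)}

if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:18} {value}")
```

The x5t (SHA-1) form is the same computation with hashlib.sha1; extract_spki is deliberately a positional walk of TBSCertificate rather than a full X.509 parser, which is enough to show that a DANE-style SPKI pin and a JWK certificate thumbprint are hashes of different byte ranges and cannot be compared to each other directly.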