Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-json-web-key-33: (with DISCUSS and COMMENT)

"Jim Schaad" <ietf@augustcellars.com> Mon, 06 October 2014 20:31 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AE251A89AD; Mon, 6 Oct 2014 13:31:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZdMnK7ZQdoSe; Mon, 6 Oct 2014 13:30:59 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33BFB1A8953; Mon, 6 Oct 2014 13:30:59 -0700 (PDT)
Received: from Philemon (winery.augustcellars.com [206.212.239.129]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 6F37F2CA58; Mon, 6 Oct 2014 13:30:58 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Mike Jones'" <Michael.Jones@microsoft.com>, "'Stephen Farrell'" <stephen.farrell@cs.tcd.ie>, "'The IESG'" <iesg@ietf.org>
References: <20141002111501.6046.52416.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAF0C1E@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BAF0C1E@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Mon, 6 Oct 2014 13:28:26 -0700
Message-ID: <00c601cfe1a4$15d32900$41797b00$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFzXA7eJfgYcKZweMPGVE2DOPtSUQEciAY8nNOrCZA=
Content-Language: en-us
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/Julu-rfwVao1dVJ6VlbuJI3iIGU
Cc: jose-chairs@tools.ietf.org, draft-ietf-jose-json-web-key@tools.ietf.org, jose@ietf.org
Subject: Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-json-web-key-33: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Oct 2014 20:31:01 -0000


> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Monday, October 06, 2014 12:54 AM
> To: Stephen Farrell; The IESG
> Cc: jose-chairs@tools.ietf.org;
draft-ietf-jose-json-web-key@tools.ietf.org;
> jose@ietf.org
> Subject: Re: [jose] Stephen Farrell's Discuss on
draft-ietf-jose-json-web-key-33:
> (with DISCUSS and COMMENT)
> 
> Thanks for your review, Stephen.  I'm adding the working group to the
thread
> so they're aware of your comments.
> 
> > -----Original Message-----
> > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> > Sent: Thursday, October 02, 2014 4:15 AM
> > To: The IESG
> > Cc: jose-chairs@tools.ietf.org;
> > draft-ietf-jose-json-web-key@tools.ietf.org
> > Subject: Stephen Farrell's Discuss on draft-ietf-jose-json-web-key-33:
> > (with DISCUSS and COMMENT)
> >
> > Stephen Farrell has entered the following ballot position for
> > draft-ietf-jose-json-web-key-33: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> >
> > Please refer to
> > http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-key/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> >
> > nearly a nit, but would impact code so a discuss to make sure we get it
right...
> >
> > 4.5: saying kid is case sensitive precludes use of DNS names there or
> > introduces bugs if those are used.  Since DNS names are the primary
> > way we distinguish things on the Internet, that seems odd. I don't
> > think that you need to say case- insensitive here but that you might
> > want to say that DNS names SHOULD be [lower|upper]cased before being
> used in kid parameters.
> 
> OK

I worry that if we starting providing guidance to DNS names, then we need to
worry about the I18N implications.  I don't remember if these are both case
sensitive and easy to do the case conversion on.


> 
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> >
> > 4.8/4.9: the disconnect with DANE and other specs that use
> > HASH(SPKI) as a thumbprint is a pity (but can be fixed later). How'd
that
> happen?
> 
> The current thumbprint calculation is the one used by OpenSSL and Windows,
> among others.
> 
> The first that this issue was raised was during Tero Kivinen's secdir
review.  In
> that discussion, I pointed out that other specs are free to define header
> parameter(s) to represent the HASH(SPKI) thumbprint and register them.  (I
> even pointed him to draft-jones-jose-jwk-thumbprint-01 as an example of a
> spec making a similar registration that he could use as an example if he
> wanted to write it up.)  He thought that that definition would be useful
to the
> IoT community, so I expect that someone will do that when the need arises.

I would also say that a hash of the full certificate is needed if you care
about the extensions in the certificate as well.  Many of the bare key cases
don't care about this they are just using a cert to carry the key.

> 				Thanks again,
> 				-- Mike
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose