Re: [jose] AD review of draft-ietf-jose-jws-signing-input-options
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 25 November 2015 01:24 UTC
Hi Mike,

Thanks for the quick turn-around. I'll put the draft into IETF last call to get that started.

On Tue, Nov 24, 2015 at 6:35 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Thanks for your comments, Kathleen. Replies are inline below...
>
>> -----Original Message-----
>> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Kathleen Moriarty
>> Sent: Monday, November 23, 2015 11:06 AM
>> To: jose@ietf.org
>> Subject: [jose] AD review of draft-ietf-jose-jws-signing-input-options
>>
>> Dear Mike & JOSE WG,
>>
>> Thanks for your work on this draft! I just have a few nits and am hoping you
>> can turn this around quickly so I can kick off IETF last call.
>
> -06 has been published, which addresses these review comments.
>
>> Abstract:
>> The last sentence should state what is prohibited since it does not add a lot
>> of text rather than saying "this option".
>>
>> How about:
>>
>> "This specification updates RFC 7519 by prohibiting the use of the
>> base64url-encode option in JSON Web Tokens (JWTs)."
>
> Replaced "this option" with "the unencoded payload option".
>
>> Section 7, Security considerations.
>>
>> The first sentence is really hard to parse as written:
>>
>> "[JWS] base64url-encodes the JWS Payload to restrict the character set
>> used to represent it to characters that are distinct from the
>> delimiters that separate it from other JWS fields."
>>
>> I'm not sure what you mean by representing something 'to characters'
>> either. Maybe you meant something slightly different than what's there?
>
> I rewrote this sentence.
>
>> Second paragraph, first sentence:
>> This is a run-on, please fix it:
>> "One potential problem that applications using this extension may need
>> to address is that if a JWS is created using "b64" with a "false"
>> value and is received by an implementation not supporting the "b64"
>> Header Parameter, then the signature or MAC will still verify
>> correctly but the recipient will believe that the JWS Payload value
>> is the base64url decoding of the payload value received, rather than
>> the payload value received itself."
>
> I rewrote this one as well.

The updated text is better, but it is still a little long. I won't hold it up on this though.

Thanks!
Kathleen

>
>> The next sentence needs a comma:
>> Change from:
>>
>> For example, if the payload value
>> received is "NDA1" an implementation not supporting this extension
>> will think that the intended payload is the base64url decoding of
>> this value, which is "405".
>>
>> To:
>>
>> For example, if the payload value
>> received is "NDA1", an implementation not supporting this extension
>> will think that the intended payload is the base64url decoding of
>> this value, which is "405".
>
> Done
>
>> IDnits:
>> Can you check the 2119 language? IDnits is showing an error, so maybe
>> something is slightly off:
>>
>> == The document seems to lack the recommended RFC 2119 boilerplate,
>> even if
>> it appears to use RFC 2119 keywords -- however, there's a paragraph with
>> a matching beginning. Boilerplate error?
>>
>> (The document does seem to have the reference to RFC 2119 which the
>> ID-Checklist requires).
>>
>> The other errors that show up are all fine from my check.
>
> I think that's because it said "this specification" rather than "this document". I've changed it back.
>
>> Examples: I see Jim's note that the examples have been validated by a non-
>> author implementation. Should there be an ack for this person's work?
>
> Great point! Vladimir's contribution is now acknowledged (as is yours).
>
>> Thanks!
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>
> Thanks again,
> -- Mike
>

--

Best regards,
Kathleen
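
Added example, not part of the original message or of the draft: the payload confusion discussed in the Section 7 comments above, using the thread's "NDA1" / "405" values with an HS256 MAC. The key, the function names and the `understands_b64` switch are assumptions made for illustration; the `crit` check follows the RFC 7515 rule that a recipient rejects a JWS listing a critical header parameter it does not understand.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not from the draft

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_unencoded(payload: str, crit: bool) -> str:
    """Producer: HS256 compact JWS with "b64": false (payload not encoded)."""
    header = {"alg": "HS256", "b64": False}
    if crit:
        header["crit"] = ["b64"]
    h = b64u(json.dumps(header, separators=(",", ":")).encode())
    mac = hmac.new(KEY, f"{h}.{payload}".encode(), hashlib.sha256).digest()
    return f"{h}.{payload}.{b64u(mac)}"

def verify(jws: str, understands_b64: bool) -> bytes:
    """Recipient: returns the payload it believes was protected by the MAC."""
    h, payload, sig = jws.split(".")
    header = json.loads(b64u_dec(h))
    # RFC 7515 "crit": reject when a listed parameter is not understood.
    known = {"b64"} if understands_b64 else set()
    if not set(header.get("crit", [])) <= known:
        raise ValueError("unsupported critical header parameter")
    # Both kinds of recipient MAC the same bytes: header "." payload-as-received.
    mac = hmac.new(KEY, f"{h}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64u_dec(sig)):
        raise ValueError("bad MAC")
    if understands_b64 and header.get("b64") is False:
        return payload.encode()   # payload is used exactly as received
    return b64u_dec(payload)      # recipient without "b64" support always decodes

if __name__ == "__main__":
    jws = sign_unencoded("NDA1", crit=False)
    print(verify(jws, understands_b64=True))    # payload the signer intended
    print(verify(jws, understands_b64=False))   # MAC verifies, payload differs
```

The MAC check passes in both calls because the bytes covered by the MAC are identical; only the interpretation of the payload differs, which is why the MAC alone does not protect a recipient that lacks "b64" support.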