Re: [jose] I-D Action: draft-ietf-jose-json-web-signature-02.txt
Mike Jones <Michael.Jones@microsoft.com> Fri, 06 July 2012 18:02 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F0B021F86E0 for <jose@ietfa.amsl.com>; Fri, 6 Jul 2012 11:02:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.721
X-Spam-Level:
X-Spam-Status: No, score=-3.721 tagged_above=-999 required=5 tests=[AWL=-0.123, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HOiUI26AbWwC for <jose@ietfa.amsl.com>; Fri, 6 Jul 2012 11:02:35 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe003.messaging.microsoft.com [216.32.180.13]) by ietfa.amsl.com (Postfix) with ESMTP id 0851921F86E5 for <jose@ietf.org>; Fri, 6 Jul 2012 11:02:34 -0700 (PDT)
Received: from mail76-va3-R.bigfish.com (10.7.14.252) by VA3EHSOBE004.bigfish.com (10.7.40.24) with Microsoft SMTP Server id 14.1.225.23; Fri, 6 Jul 2012 18:00:38 +0000
Received: from mail76-va3 (localhost [127.0.0.1]) by mail76-va3-R.bigfish.com (Postfix) with ESMTP id A6C73200375; Fri, 6 Jul 2012 18:00:37 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC101.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -27
X-BigFish: VS-27(zz9371Ic85fh542M111aIzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839hd25hf0ah107ah)
Received-SPF: pass (mail76-va3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC101.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail76-va3 (localhost.localdomain [127.0.0.1]) by mail76-va3 (MessageSwitch) id 1341597635600304_3713; Fri, 6 Jul 2012 18:00:35 +0000 (UTC)
Received: from VA3EHSMHS012.bigfish.com (unknown [10.7.14.253]) by mail76-va3.bigfish.com (Postfix) with ESMTP id 85284100126; Fri, 6 Jul 2012 18:00:35 +0000 (UTC)
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.8) by VA3EHSMHS012.bigfish.com (10.7.99.22) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 6 Jul 2012 18:00:33 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.53]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.02.0309.003; Fri, 6 Jul 2012 18:02:38 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Sean Turner <turners@ieca.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] I-D Action: draft-ietf-jose-json-web-signature-02.txt
Thread-Index: Ac1boYIc2GQq6CGDQQGFcZ99MzZ2hQ==
Date: Fri, 06 Jul 2012 18:02:37 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436657A064@TK5EX14MBXC283.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.75]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436657A064TK5EX14MBXC283r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-signature-02.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2012 18:02:37 -0000
Thanks again. Responses inline...
-----Original Message-----
From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org]<mailto:[mailto:jose-bounces@ietf.org]> On Behalf Of Sean Turner
Sent: Monday, May 28, 2012 10:36 AM
To: jose@ietf.org<mailto:jose@ietf.org>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-signature-02.txt
Here are some comments on the draft (a lot of these are duplicates from
web-encryption):
1) s2 & Requirements Language: The RFC editor is going to move the Requirements Language section later on so you might as well save them the trouble and just make it part of s2.
Done
2) s3: This is probably a style thing, but I think it's probably better to talk about the structure first and then provide an example. It's just going to make everybody ask you to define/explain x in that section.
See JWE response
3) s4: Contains the following:
The Header Parameter Names within this object
MUST be unique; JWEs with duplicate Header Parameter Names MUST be
rejected.
I'd prefer to see that if this is actually enforceable (not sure it is) that an error gets thrown or the message gets rejected.
See JWE response
Also just checking that this means you can only send one signature type per object. That is you can't send one JSON object that is signed with both RSA and ECDSA?
See draft-jones-json-web-signature-json-serialization for multi-signature capability
4) s4: How are the different types of parameters (res,pub,priv) named?
Is there going to be some kind of designator in front of them? If so, then I would definitely try to get an early review from some Apps folks because they're deprecating X-.
See JWE response
5) s4.1/4.1.1: Same concerns about the registry setup as the other docs.
See JWE response
6) s4.1.2/s4.1.4: Add normative reference to [RFC3986] for absolute URL.
And I think they call it a URI.
Done
7) s4.1.4: Add reference to RFC5280: X.509 public key certificate or certificate chain [RFC5280]
Done
8) s4.1.4: Ack! PEM. Replace the reference to PEM with RFC 4648 and pointer to s4.
See JWE response
9) s4.1.6: let's just do DER: r/DER/BER/DER [X.690]
Done
and add the following normative reference
[X.690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules
(DER).
Done
or: r/DER/BER PKIX certificate value/PKIX certificate value [RFC5280].
10) s7: If the kid and thumbprints are not supposed to be generated in a way to make them unique it's worth pointing this out in s7. I might suggest something along the lines of:
While hash algorithms provide collision resistance, this property
is not needed for key identifiers or thumbprints.
I'm just as confused here as for your equivalent comment in JWE. Section 7 is the IANA Considerations. Try again???
11) s11.1: encoding considerations: isn't it base64url encoded?
Same text used as JWE
applications that use this media type: is it just OpenId connect or can this be generalized a bit?
Now reads: OpenID Connect, Mozilla Browser ID, Salesforce, Google, numerous others that use signed JWTs
spt
_______________________________________________
jose mailing list
jose@ietf.org<mailto:jose@ietf.org>
https://www.ietf.org/mailman/listinfo/jose
- [jose] I-D Action: draft-ietf-jose-json-web-signa… internet-drafts
- Re: [jose] I-D Action: draft-ietf-jose-json-web-s… Sean Turner
- Re: [jose] I-D Action: draft-ietf-jose-json-web-s… Mike Jones