Re: [jose] [apps-discuss] Appsdir review for draft-ietf-jose-json-web-algorithms-33

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 14 October 2014 17:48 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 017AE1A90E2; Tue, 14 Oct 2014 10:48:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EkVK5pOUZsX7; Tue, 14 Oct 2014 10:48:01 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEC411A90C4; Tue, 14 Oct 2014 10:48:00 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id pn19so9025760lab.14 for <multiple recipients>; Tue, 14 Oct 2014 10:47:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=sHoexLWwz9wCYDpR/XQejffTsq9YBu0S74Vz8vqc1JI=; b=R5QuTMGKiCjyI9032+wISO2uFke/ECZCSizy6Be3qG7tuq3+cWpMnyYs7ywALcWJMs CQnvHonsvkRKUCvX+mXnn5km1q9Ccc6q0a10fi+hFH83Htp+P5FsVRKZoSYDfhL8jCCL E4WgxO3YEzXNtxLiy5uPBKE1Bc1EwMY/FiE8+DB+scnAs3jtQ7rfb/Rhk9gFrSCIQgGz fwC2fPye4tRqjK9vBBGbGMZDIAVplhbam7ZqoLMg3EhDiwrcMSSADoPRnNP/S5eMq7Xu Nm1ragRFWMe/2Dw+RClLBX0ue2POxTkklV9U8nrF3oLOGRBppiC6lZbWiQKP4cRbBZWg gVow==
MIME-Version: 1.0
X-Received: by 10.152.198.204 with SMTP id je12mr6983833lac.61.1413308879178; Tue, 14 Oct 2014 10:47:59 -0700 (PDT)
Received: by 10.112.95.36 with HTTP; Tue, 14 Oct 2014 10:47:59 -0700 (PDT)
In-Reply-To: <7CEA60C1-BC9D-43BE-84B4-128D08F111F5@tzi.org>
References: <805301AA-4E04-410D-A451-7A2175792CB0@tzi.org> <7CEA60C1-BC9D-43BE-84B4-128D08F111F5@tzi.org>
Date: Tue, 14 Oct 2014 13:47:59 -0400
Message-ID: <CAHbuEH6x9THDEjnnejsct7-aD6y1TVLpOtEjbLEv+Vvm4Ka3Jw@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Content-Type: multipart/alternative; boundary=001a11348e2ab3910e0505659d17
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/vQzZU_nZ73G7_i7h6jy-ASJUbko
Cc: draft-ietf-jose-json-web-algorithms.all@tools.ietf.org, "jose@ietf.org" <jose@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [jose] [apps-discuss] Appsdir review for draft-ietf-jose-json-web-algorithms-33
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 17:48:05 -0000

Carsten,

Thanks for the re-check.  I asked Mike to do a few iterations of the draft
to remove what comments/discusses he could and we will make sure your
comments get addressed before the draft can move forward.  I'd appreciate
another check once Mike thinks your comments have been addressed to make
sure you agree.

Thanks.

On Tue, Oct 14, 2014 at 12:35 PM, Carsten Bormann <cabo@tzi.org> wrote:

> Here is a quick re-check of my review against -34.
> I’m not sure any of the necessary fixes made it into -34.
>
> Grüße, Carsten
>
> On 02 Oct 2014, at 09:22, Carsten Bormann <cabo@tzi.org> wrote:
>
> > I have been selected as the Applications Area Directorate reviewer for
> > this draft (for background on appsdir, please see
> > ​
> http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate
> > ).
> >
> > Please resolve these comments along with any other Last Call comments
> > you may receive. Please wait for direction from your document shepherd
> > or AD before posting a new version of the draft.
> >
> > Document:  draft-ietf-jose-json-web-algorithms-33
> > Title: JSON Web Algorithms (JWA)
> > Reviewer: Carsten Bormann
> > Review Date: 2014-10-02
> > IESG Telechat date: 2014-10-02
> >
> > Summary: This draft is ready for publication as a standards track RFC,
> > with a few nits corrected.
> >
> > However, some additional editorial improvements might improve the
> > security outcome when it is referenced by application developers.
> >
> > Major issues: None.
> >
> > Minor issues:
> >
> > 5.2:
> > Add a reference that defines PKCS #7 padding.
>
> No change.
> (Note that there is a reference behind “PKCS #7 padding”, it just happens
> to define CBC and not PKCS #7).
>
> > 5.2.2.2
> > Does "the PKCS #7 padding is removed" entail checking all of its bytes?
>
> No change.
>
> > 6.2.1
> > Is the intention that the sentence containing "point compression is not
> > supported" also applies to any future registered value of "crv"?
> > A similar comment applies to other specifications in 6.2.1.x, e.g.,
> > the reference to SEC1 representation to x and y.
>
> No change.
>
> > 6.2.1.1
> > »Additional "crv" values MAY be
> > used, provided they are understood by implementations using that
> > Elliptic Curve key.«
> > How are conflicts between such implementation defined values and
> > future registered values handled?
>
> No change.
>
> And so on.
>
> > 6.3.2:
> > The MAY accept partially overrides the MUST include?
> > Is the latter thus really a SHOULD?
> >
> > 7.1:
> > It is interesting that a mere registration (vetted only by a DE) can
> > change the IETF consensus base specifications by making an algorithm
> > "Required".
> >
> > 8.
> > I am unable to find a "security considerations" section in NIST SP
> 800-38A.
> > 800-38D at least has a "practical considerations" section, is that meant?
> > (Etc., I haven't checked all the references.)
> > In general, I believe a security considerations section is most useful
> > where it provides more directed guidance instead of saying the
> > equivalent of "here is a textbook".
> >
> > 8.7 is not clear: is it NOT RECOMMENDED to reuse an entire set of key
> > material (including IV), or to reuse any part of it?
> >
> >
> > Nits/editorial comments:
> >
> > 6.3.2.x:
> > The constant repetition of »It is represented as the base64url encoding
> of
> > the value's unsigned big endian representation as an octet sequence.
> > The octet sequence MUST utilize the minimum number of octets to
> > represent the value.« almost ensures that an implementer will stop
> > reading the details (well, I did, and I did not write a program to
> > verify the same phrase is used everywhere; if any parameter were using a
> > different encoding, that sure would be missed).  Why not define
> > another abstraction like base64url and use this?
> >
> > 6.2.3.1: This is not a positive integer?  6.2.3.x mentions this
> otherwise.
> >
> > 7.1.1
> > »Example description« is not a useful example for an "Algorithm
> Description".
> > (Same comment for 7.x.1.)
> >
> > 8.3:
> > s/because it/because it is/
> >
> > [sec1]
> > (Given the date, this is probably referencing V2.0 of this spec.)
> >
> > [usascii]
> > The reference to ANSI X3.4:1986 should probably be replaced by a
> > reference to RFC 20.  There is little reason to reference a somewhat
> > hard to obtain external document ($60!) when we have an RFC about the
> > same subject.
> >
> > (Tables in Appendix A need some formatting.)
> >
> > _______________________________________________
> > apps-discuss mailing list
> > apps-discuss@ietf.org
> > https://www.ietf.org/mailman/listinfo/apps-discuss
> >
> >
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>



-- 

Best regards,
Kathleen