[jose] AD review of draft-ietf-jose-jws-signing-input-options

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 23 November 2015 19:05 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B84331ACDCC for <jose@ietfa.amsl.com>; Mon, 23 Nov 2015 11:05:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5DR227o0nUI for <jose@ietfa.amsl.com>; Mon, 23 Nov 2015 11:05:35 -0800 (PST)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 107C11ACDCB for <jose@ietf.org>; Mon, 23 Nov 2015 11:05:35 -0800 (PST)
Received: by wmec201 with SMTP id c201so175749210wme.0 for <jose@ietf.org>; Mon, 23 Nov 2015 11:05:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=RPDjLWohMhxNzQJzwo2CQ5OaGv8dOmuDKi/uXRElatQ=; b=qySM9/Ekk8Xfx/0NggbDSs50YnLyo6K8j2/3284DMY/pDPeCQu1pXMqEsD1BNdhwCx lMQSnW4dHbC5uxRSl5rBQ5sVXE1siYSxWEPBUPhIbdAQ2NEBxPXdtCcua/eo5cR/B7ov 1Nn6AzPJxtk1y0WeaPBqPGeKZgCgelCUL4rlzVdKS9SPG1IrXS/oU+g4XxgwKWtEeQN2 COyc1S2nawtM60tV6Zs8WrS1oYxzEFKYc292/R51oDn9gLToxTjGUkmxbs5gx9rKKkhR TKpK3wlkjg4JdtufRcLj/GbH6lWpqfiCFXLSCwKfbUWXGWGZcusqXVqzAHza6p8unmKg O8GQ==
MIME-Version: 1.0
X-Received: by 10.28.224.7 with SMTP id x7mr17332871wmg.17.1448305533557; Mon, 23 Nov 2015 11:05:33 -0800 (PST)
Received: by 10.28.52.130 with HTTP; Mon, 23 Nov 2015 11:05:33 -0800 (PST)
Date: Mon, 23 Nov 2015 14:05:33 -0500
Message-ID: <CAHbuEH5Y4U0fUB778F2vuVvrsRObh3gbx+pWkw5kkhUsioJJxQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: "jose@ietf.org" <jose@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/z_fL8DVAz229b-Enli-kC6PUNwA>
Subject: [jose] AD review of draft-ietf-jose-jws-signing-input-options
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2015 19:05:36 -0000

Dear Mike & JOSE WG,

Thanks for your work on this draft!  I just have a few nits and am
hoping you can turn this around quickly so I can kick off IETF last
call.


Abstract:
The last sentence should state what is prohibited since it does not
add a lot of text rather than saying 'this option".

How about:

   "This specification updates RFC 7519 by prohibiting the use of the
   base64url-encode option in JSON Web Tokens (JWTs)."


Section 7, Security considerations.

The first sentence is really hard to parse as written:

"[JWS] base64url-encodes the JWS Payload to restrict the character set
   used to represent it to characters that are distinct from the
   delimiters that separate it from other JWS fields."

I'm not sure what you mean by representing something 'to characters'
either.  Maybe you meant something slightly different than what's
there?

Second paragraph, first sentence:
This is a run-on, please fix it:
 "One potential problem that applications using this extension may need
   to address is that if a JWS is created using "b64" with a "false"
   value and is received by an implementation not supporting the "b64"
   Header Parameter, then the signature or MAC will still verify
   correctly but the recipient will believe that the JWS Payload value
   is the base64url decoding of the payload value received, rather than
   the payload value received itself."

The next sentence needs a comma:
Change from:

For example, if the payload value
   received is "NDA1" an implementation not supporting this extension
   will think that the intended payload is the base64url decoding of
   this value, which is "405".

To:

For example, if the payload value
   received is "NDA1", an implementation not supporting this extension
   will think that the intended payload is the base64url decoding of
   this value, which is "405".


IDnits:
Can you check the 2119 language?  IDnits is showing an error, so maybe
something is slightly off:

== The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

The other errors that show up are all fine from my check.

Examples: I see Jim's note that the examples have been validated by a
non-author implementation.  SHould there be an ack for this person's
work?

Thanks!

-- 

Best regards,
Kathleen