[jose] AD review of draft-ietf-jose-jws-signing-input-options
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 23 November 2015 19:05 UTC
Date: Mon, 23 Nov 2015 14:05:33 -0500
Message-ID: <CAHbuEH5Y4U0fUB778F2vuVvrsRObh3gbx+pWkw5kkhUsioJJxQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: "jose@ietf.org" <jose@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/z_fL8DVAz229b-Enli-kC6PUNwA>
Subject: [jose] AD review of draft-ietf-jose-jws-signing-input-options

Dear Mike & JOSE WG,

Thanks for your work on this draft! I just have a few nits and am hoping you can turn this around quickly so I can kick off IETF last call.

Abstract: The last sentence should state what is prohibited since it does not add a lot of text rather than saying 'this option'. How about:

"This specification updates RFC 7519 by prohibiting the use of the base64url-encode option in JSON Web Tokens (JWTs)."

Section 7, Security considerations. The first sentence is really hard to parse as written:

"[JWS] base64url-encodes the JWS Payload to restrict the character set used to represent it to characters that are distinct from the delimiters that separate it from other JWS fields."

I'm not sure what you mean by representing something 'to characters' either. Maybe you meant something slightly different than what's there?

Second paragraph, first sentence: This is a run-on, please fix it:

"One potential problem that applications using this extension may need to address is that if a JWS is created using "b64" with a "false" value and is received by an implementation not supporting the "b64" Header Parameter, then the signature or MAC will still verify correctly but the recipient will believe that the JWS Payload value is the base64url decoding of the payload value received, rather than the payload value received itself."

The next sentence needs a comma:

Change from:
For example, if the payload value received is "NDA1" an implementation not supporting this extension will think that the intended payload is the base64url decoding of this value, which is "405".

To:
For example, if the payload value received is "NDA1", an implementation not supporting this extension will think that the intended payload is the base64url decoding of this value, which is "405".

IDnits: Can you check the 2119 language? IDnits is showing an error, so maybe something is slightly off:

== The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires).

The other errors that show up are all fine from my check.

Examples: I see Jim's note that the examples have been validated by a non-author implementation. Should there be an ack for this person's work?

Thanks!

--
Best regards,
Kathleen
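
Added example, not part of the original message or of the draft: the "NDA1" / "405" confusion quoted above, shown with an HS256 JWS whose payload is left unencoded, verified once by a recipient that ignores "b64" and once by one that implements it. The key, the function names and the `understood` parameter are assumptions made for illustration; the "crit" check is the standard JWS rule from RFC 7515 that a recipient must reject a JWS listing a critical header parameter it does not understand.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key, not from the draft


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_unencoded(payload: str, crit: bool) -> str:
    """Sender: compact HS256 JWS with "b64": false and an unencoded payload.

    The payload must not contain "." in the compact serialization.
    """
    header = {"alg": "HS256", "b64": False}
    if crit:
        header["crit"] = ["b64"]
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    mac = hmac.new(KEY, f"{h}.{payload}".encode(), hashlib.sha256).digest()
    return f"{h}.{payload}.{b64url(mac)}"


def verify(jws: str, understood: set) -> bytes:
    """Recipient: `understood` is the set of extension headers it implements.

    Returns the payload bytes the recipient believes were signed.
    """
    h, payload, sig = jws.split(".")
    header = json.loads(b64url_decode(h))
    # Both kinds of recipient MAC the same bytes, so the MAC verifies either way.
    mac = hmac.new(KEY, f"{h}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad MAC")
    unknown = set(header.get("crit", [])) - understood
    if unknown:
        raise ValueError(f"unsupported critical header: {sorted(unknown)}")
    if "b64" in understood and header.get("b64") is False:
        return payload.encode()      # payload is used as received
    return b64url_decode(payload)    # legacy reading: payload is base64url
```

Without "crit", the recipient that ignores "b64" accepts the MAC and reads the payload as "405"; with "crit": ["b64"] in the header it rejects the JWS instead of misreading it.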