[Last-Call] draft-ietf-oauth-rfc8725bis-06 ietf last call Artart review
Valery Smyslov via Datatracker <noreply@ietf.org> Fri, 10 July 2026 07:58 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: last-call@ietf.org
Delivered-To: last-call@mail2.ietf.org
Received: from [10.244.21.112] (gaia.k8s.ietf.org [4.156.85.76]) by mail2.ietf.org (Postfix) with ESMTP id CF6E7114691D9; Fri, 10 Jul 2026 00:58:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783670301; bh=bsRkAOOyq1TFiN+IlShBzirtKuDbHh8uozzrcO1kEeA=; h=From:To:Cc:Subject:Reply-To:Date; b=I49qLGnRefz1mhu1b++1d8Zwplm5nsph4OzcGrSt3rxhH++W1z3NuRSdBF+6MUYMU zbTXmCEbX9YnSn+6pajmFkaI+s5w/fXe1QnESn5qCBxdTPAJEjPwkzY0sF0Sf9ZztV 7+GoLzwJRcIGC6aVGSV3Al8fFbDaiDgAyycJru0A=
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Valery Smyslov via Datatracker <noreply@ietf.org>
To: art@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.69.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <178367030161.1178.219881871660251080@dt-datatracker-d4d6ff9d9-kg6bf>
Date: Fri, 10 Jul 2026 00:58:21 -0700
Message-ID-Hash: LHAM44SDI7IVWVAWIN6KGMADMHP73LT4
X-Message-ID-Hash: LHAM44SDI7IVWVAWIN6KGMADMHP73LT4
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-oauth-rfc8725bis.all@ietf.org, last-call@ietf.org, oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Reply-To: Valery Smyslov <valery@smyslov.net>
Subject: [Last-Call] draft-ietf-oauth-rfc8725bis-06 ietf last call Artart review
List-Id: IETF Last Calls <last-call.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/ge-29atihkrAwHekkhHhf1muvrE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Owner: <mailto:last-call-owner@ietf.org>
List-Post: <mailto:last-call@ietf.org>
List-Subscribe: <mailto:last-call-join@ietf.org>
List-Unsubscribe: <mailto:last-call-leave@ietf.org>
Document: draft-ietf-oauth-rfc8725bis Title: JSON Web Token Best Current Practices Reviewer: Valery Smyslov Review result: Ready with Issues I am the assigned ART directorate reviewer for this document. These comments were written primarily for the benefit of the ART area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The document describes Best Current Practices leading to secure implementation and deployment of JSON Web Tokens (JWTs). The document lists known treats and vulnerabilities for JWTs and for each provides possible mitigation. I have some minor issues with this document. 1. Sections 3.1, 3.2, 3.6, 3.10, 3.11 contain SHOULDs without clarifying under which conditions they can be ignored. While I personally think that in some cases such clarifications are redundant, it seems that the IESG treats their absence more seriously these days, so I let the AD deside whether they are needed in this document. 2. Section 3.11 The sentence When explicit typing is employed, implementations SHOULD register and use the full media type name "application/example+jwt", where "example" identifies the specific kind of JWT, and SHOULD set the corresponding "typ" value to "example+jwt", because distinct types make cross-JWT substitution harder when validators check "typ", and because misapplying the Section 4.1.9 prefix rule can cause validators to reject otherwise valid tokens or accept the wrong type. is hard to parse due to its length and multiple mentioned conditions. I suggest to split it into several smaller recommendations. In addition, it is not defined under what conditions these SHOUDs can be ignored. 3. Section 3.11 In the sentence This pairing SHOULD be omitted only when the JWT cannot be confused with other kinds of JWTs in its application context. shouldn't this SHOULD be MAY? At least it is my feeling from reading this text. And if I'm wrong, then I think the text should be re-written (and also include conditions when this SHOULD cab be ignored). 4. Section 3.13 I'm a bit confused reading recommendations given in this section. I believe that the two RECOMMENDED clauses are not consisting: Implementations are RECOMMENDED to set a reasonable upper limit on the number of hash iterations... and Rejecting inputs with a p2c (PBES2 Count) value larger than twice that figure is RECOMMENDED... So, what values are recommended to reject - larger the limit or larger than twice the limit? Am I missing something? 5. Section 3.11 In the sentence For example, for Security Event Tokens (SETs) [RFC8417], the media type is "application/ secevent+jwt" and the "typ" value SHOULD be "secevent+jwt", because... why uppercase SHOULD is used? I believe, this is just an example, thus must be "should". No?
- [Last-Call] draft-ietf-oauth-rfc8725bis-06 ietf l… Valery Smyslov via Datatracker