[Last-Call] draft-ietf-oauth-rfc8725bis-06 ietf last call Artart review

Valery Smyslov via Datatracker <noreply@ietf.org> Fri, 10 July 2026 07:58 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: last-call@ietf.org
Delivered-To: last-call@mail2.ietf.org
Received: from [10.244.21.112] (gaia.k8s.ietf.org [4.156.85.76]) by mail2.ietf.org (Postfix) with ESMTP id CF6E7114691D9; Fri, 10 Jul 2026 00:58:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783670301; bh=bsRkAOOyq1TFiN+IlShBzirtKuDbHh8uozzrcO1kEeA=; h=From:To:Cc:Subject:Reply-To:Date; b=I49qLGnRefz1mhu1b++1d8Zwplm5nsph4OzcGrSt3rxhH++W1z3NuRSdBF+6MUYMU zbTXmCEbX9YnSn+6pajmFkaI+s5w/fXe1QnESn5qCBxdTPAJEjPwkzY0sF0Sf9ZztV 7+GoLzwJRcIGC6aVGSV3Al8fFbDaiDgAyycJru0A=
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Valery Smyslov via Datatracker <noreply@ietf.org>
To: art@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.69.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <178367030161.1178.219881871660251080@dt-datatracker-d4d6ff9d9-kg6bf>
Date: Fri, 10 Jul 2026 00:58:21 -0700
Message-ID-Hash: LHAM44SDI7IVWVAWIN6KGMADMHP73LT4
X-Message-ID-Hash: LHAM44SDI7IVWVAWIN6KGMADMHP73LT4
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-oauth-rfc8725bis.all@ietf.org, last-call@ietf.org, oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Reply-To: Valery Smyslov <valery@smyslov.net>
Subject: [Last-Call] draft-ietf-oauth-rfc8725bis-06 ietf last call Artart review
List-Id: IETF Last Calls <last-call.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/ge-29atihkrAwHekkhHhf1muvrE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Owner: <mailto:last-call-owner@ietf.org>
List-Post: <mailto:last-call@ietf.org>
List-Subscribe: <mailto:last-call-join@ietf.org>
List-Unsubscribe: <mailto:last-call-leave@ietf.org>

Document: draft-ietf-oauth-rfc8725bis
Title: JSON Web Token Best Current Practices
Reviewer: Valery Smyslov
Review result: Ready with Issues

I am the assigned ART directorate reviewer for this document. These comments
were written primarily for the benefit of the ART area directors.  Document
editors and WG chairs should treat these comments just like any other last call
comments.

The document describes Best Current Practices leading to secure implementation 
and deployment of JSON Web Tokens (JWTs). The document lists known treats
and vulnerabilities for JWTs and for each provides possible mitigation.

I have some minor issues with this document.

1. Sections 3.1, 3.2, 3.6, 3.10, 3.11 contain SHOULDs without clarifying under which conditions
   they can be ignored. While I personally think that in some cases such clarifications
   are redundant, it seems that the IESG treats their absence more seriously these days,
   so I let the AD deside whether they are needed in this document.

2. Section 3.11
   The sentence

   When
   explicit typing is employed, implementations SHOULD register and use
   the full media type name "application/example+jwt", where "example"
   identifies the specific kind of JWT, and SHOULD set the corresponding
   "typ" value to "example+jwt", because distinct types make cross-JWT
   substitution harder when validators check "typ", and because
   misapplying the Section 4.1.9 prefix rule can cause validators to
   reject otherwise valid tokens or accept the wrong type. 

   is hard to parse due to its length and multiple mentioned conditions.
   I suggest to split it into several smaller recommendations.
   In addition, it is not defined under what conditions these SHOUDs 
   can be ignored.

3. Section 3.11

   In the sentence

   This pairing
   SHOULD be omitted only when the JWT cannot be confused with other
   kinds of JWTs in its application context.

   shouldn't this SHOULD be MAY? At least it is my feeling from reading 
   this text. And if I'm wrong, then I think the text should be
   re-written (and also include conditions when this SHOULD cab be ignored).

4. Section 3.13

   I'm a bit confused reading recommendations given in this section.
   I believe that the two RECOMMENDED clauses are not consisting:

   Implementations are RECOMMENDED to set a reasonable upper limit on
   the number of hash iterations...

   and

   Rejecting inputs with a p2c (PBES2 Count) value larger than twice that figure is RECOMMENDED...

   So, what values are recommended to reject - larger the limit or larger than twice the limit?
   Am I missing something?

5. Section 3.11

   In the sentence

   For example, for Security
   Event Tokens (SETs) [RFC8417], the media type is "application/
   secevent+jwt" and the "typ" value SHOULD be "secevent+jwt", because...

   why uppercase SHOULD is used? I believe, this is just an example, thus must be "should". No?