Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Sat, 11 October 2014 19:55 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>
Date: Sat, 11 Oct 2014 19:54:20 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BAFABFB@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20141002025706.19368.2507.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAF0C4E@TK5EX14MBXC286.redmond.corp.microsoft.com> <CAL02cgS1cJR9k6X-tPW27q=o=Hj3VP-sNRcY1t=Sdaqq0y+ryA@mail.gmail.com>
In-Reply-To: <CAL02cgS1cJR9k6X-tPW27q=o=Hj3VP-sNRcY1t=Sdaqq0y+ryA@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/6novhYfkRWLvldF6DEwDGiztjPI
Cc: "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

> From: Richard Barnes [mailto:rlb@ipv.sx] 
> Sent: Friday, October 10, 2014 2:37 PM
> To: Mike Jones
> Cc: The IESG; oauth-chairs@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-token@tools.ietf.org
> Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
> 
> On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Thanks for your review, Richard.  My responses are inline below...
> 
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Richard Barnes
> > Sent: Wednesday, October 01, 2014 7:57 PM
> > To: The IESG
> > Cc: oauth-chairs@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-
> > token@tools.ietf.org
> > Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-
> > token-27: (with DISCUSS and COMMENT)
> >
> > Richard Barnes has entered the following ballot position for
> > draft-ietf-oauth-json-web-token-27: Discuss
> >
> > When responding, please keep the subject line intact and reply to all email
> > addresses included in the To and CC lines. (Feel free to cut this introductory
> > paragraph, however.)
> >
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Section 7.
> > In order to prevent confusion between secured and Unsecured JWTs, the
> > validation steps here need to call for the application to specify which is required.
> 
> Per my response on your JWS comments, this is already handled in a more general way in the JWS validation steps.  Specifically, the last paragraph of Section 5.2 is:
> 
> "Finally, note that it is an application decision which algorithms are acceptable in a given context. Even if a JWS can be successfully validated, unless the algorithm(s) used in the JWS are acceptable to the application, it SHOULD reject the JWS."
> 
> I've cleared this DISCUSS in the interest of having this fight over in JWS thread.  But I also added the following COMMENT:
> "It would be good for this document to pass on the note from JWS about selecting which algorithms are acceptable, and in particular, whether unsecured JWTs are acceptable."

Thanks for clearing the DISCUSS.  I'm fine repeating the note about acceptable algorithms in the JWT spec, assuming others are.
 
> I would therefore request that you likewise withdraw this DISCUSS on that basis.

				-- Mike
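The point under discussion above, that a JWS/JWT validator must let the application say which algorithms are acceptable rather than trusting whatever `alg` the token's header claims, and in particular whether an Unsecured JWT (`"alg":"none"`) is acceptable, can be made concrete with a small validator. The following is an added example, not code from the draft or from either participant in this thread. It uses only the Python standard library; the HS256 key, the claims and the helper names (`make_jwt`, `verify_jwt`, `forge_unsecured`, `verify_trusting_header`) are constructed for illustration and are not part of any specification.

```python
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    """Raised for any token this application must not accept."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact-serialization JWT: HS256 (secured) or none (Unsecured JWT)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."          # Unsecured JWT: empty signature segment
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)
    raise ValueError("unsupported alg for this example")


def verify_jwt(token: str, key: bytes, allowed_algs) -> dict:
    """Validate a JWT, accepting only algorithms the *application* listed.

    allowed_algs is the application's decision (the JWS Section 5.2 note);
    "none" is accepted only if the application put it in the allowlist.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, TypeError) as exc:
        raise InvalidToken("malformed header") from exc
    alg = header.get("alg")
    # The check that resolves the DISCUSS: reject before looking at the signature.
    if alg not in allowed_algs:
        raise InvalidToken(f"alg {alg!r} is not acceptable to this application")
    signing_input = (h_b64 + "." + p_b64).encode()
    if alg == "none":
        if s_b64 != "":
            raise InvalidToken("Unsecured JWT must carry an empty signature")
    elif alg == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            raise InvalidToken("HS256 signature does not verify")
    else:
        raise InvalidToken(f"alg {alg!r} allowed but not implemented here")
    return json.loads(b64url_decode(p_b64))


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Anti-pattern: let the token's own header decide which alg is acceptable."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return verify_jwt(token, key, {header.get("alg")})


def forge_unsecured(token: str) -> str:
    """Downgrade attack: keep the payload, rewrite alg to none, drop the signature."""
    _, p_b64, _ = token.split(".")
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return none_header + "." + p_b64 + "."


def is_accepted(token: str, key: bytes, allowed_algs) -> bool:
    try:
        verify_jwt(token, key, allowed_algs)
        return True
    except InvalidToken:
        return False


# Constructed sample data (hypothetical key and claims, not from the thread).
KEY = b"example-shared-secret-do-not-reuse"
CLAIMS = {"iss": "https://issuer.example", "sub": "alice", "exp": 1412800000}
SECURED = make_jwt(CLAIMS, "HS256", KEY)
FORGED = forge_unsecured(SECURED)

if __name__ == "__main__":
    print("secured, allowlist {HS256}:", is_accepted(SECURED, KEY, {"HS256"}))
    print("forged none, allowlist {HS256}:", is_accepted(FORGED, KEY, {"HS256"}))
    print("forged none, header-trusting verifier accepts it:",
          verify_trusting_header(FORGED, KEY) == CLAIMS)
```

The header-trusting verifier accepts the forged Unsecured JWT with the original claims intact, because it derives the acceptable set from the attacker-controlled header; the allowlist-driven verifier rejects it without ever touching the signature segment. An application that genuinely wants Unsecured JWTs (for example, in a context where integrity comes from TLS and the issuer is known) passes `{"none"}` explicitly and gets them; nothing else does.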