Re: [OAUTH-WG] Next Steps for the JSON Web Token Document

Mike Jones <Michael.Jones@microsoft.com> Mon, 03 March 2014 22:23 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BFC51A0132 for <oauth@ietfa.amsl.com>; Mon, 3 Mar 2014 14:23:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wwcr9D6LtOMQ for <oauth@ietfa.amsl.com>; Mon, 3 Mar 2014 14:23:54 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0209.outbound.protection.outlook.com [207.46.163.209]) by ietfa.amsl.com (Postfix) with ESMTP id 7A5731A0217 for <oauth@ietf.org>; Mon, 3 Mar 2014 14:23:54 -0800 (PST)
Received: from CH1PR03CA009.namprd03.prod.outlook.com (10.255.156.154) by BN1PR03MB006.namprd03.prod.outlook.com (10.255.224.36) with Microsoft SMTP Server (TLS) id 15.0.888.9; Mon, 3 Mar 2014 22:23:44 +0000
Received: from BN1BFFO11FD012.protection.gbl (10.255.156.132) by CH1PR03CA009.outlook.office365.com (10.255.156.154) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:23:43 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD012.mail.protection.outlook.com (10.58.144.75) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:23:43 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.03.0174.002; Mon, 3 Mar 2014 22:23:10 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Next Steps for the JSON Web Token Document
Thread-Index: Ac6uLCi0s+NnkeGAQiKoedy9ftGvOApD9IKAF/o4MbA=
Date: Mon, 03 Mar 2014 22:23:09 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0A959A@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA3396C@USCHMBX001.nsn-intra.net> <CA+k3eCQgTiLCSiCUY6p0XXp14YKo4f=0Q8OAnvpr--T1RBwXYQ@mail.gmail.com>
In-Reply-To: <CA+k3eCQgTiLCSiCUY6p0XXp14YKo4f=0Q8OAnvpr--T1RBwXYQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0A959ATK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(377454003)(43544003)(164054003)(199002)(189002)(83072002)(54356001)(87936001)(33656001)(47736001)(47976001)(54316002)(74366001)(90146001)(53806001)(31966008)(74662001)(92726001)(81816001)(81686001)(56816005)(84326002)(50986001)(85852003)(85806002)(76482001)(18206015023)(15975445006)(85306002)(2656002)(51856001)(49866001)(79102001)(74876001)(46102001)(20776003)(66066001)(87266001)(63696002)(16236675002)(19580395003)(44976005)(83322001)(19300405004)(93516002)(55846006)(80976001)(95666003)(93136001)(81342001)(77096001)(94316002)(94946001)(74706001)(16297215004)(47446002)(71186001)(86612001)(65816001)(69226001)(512954002)(6806004)(59766001)(77982001)(95416001)(4396001)(74502001)(15202345003)(80022001)(92566001)(76786001)(19580405001)(81542001)(76796001)(86362001)(6606295002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN1PR03MB006; H:mail.microsoft.com; CLIP:131.107.125.37; FPR:AFCDC1C4.A2F267C1.CBD37D3B.8986FA42.205FB; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0139052FDB
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/7Kjteux7c1-vnabyPSQXIx8TVrU
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Next Steps for the JSON Web Token Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 22:23:59 -0000

Thanks for your useful comments, Brian.  See my replies inline.

                                                            -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Friday, November 01, 2013 12:53 PM
To: Tschofenig, Hannes (NSN - FI/Espoo)
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Next Steps for the JSON Web Token Document

I just saw http://www.ietf.org/mail-archive/web/oauth/current/msg12218.html from Hannes noting reviews on draft-ietf-oauth-json-web-token and was surprised that mine wasn't included. So I went looking for it and apparently I didn't actually send it to the list. But I did find it and am including what I wrote and tried but failed to send back in September. Sorry about that.
And here it s:

Below are my review comments on the JSON Web Token Document that I (had forgotten until reminded by Hannes yesterday) committed to reviewing at the meeting in Berlin.

Review of draft-ietf-oauth-json-web-token-11:

* The sentence about the suggested pronunciation being 'jot' is in both the intro and the abstract. Seems like just once would be sufficient.

Yes, but some people start reading with the abstract and some start reading with the introduction.  I want them to read that whichever place they start.  So I didn't change this.

* Should "Base64url Encoding" in the Terminology section also mention the omission/prohibition of line wrapping?

Good catch.  I've added this, both here and in the JWS spec, which defines it for JOSE.

* References to sections or appendices in other documents often don't have the correct href value.  For example, "Base64url Encoding" in the Terminology section has this problem for Section 3.2, which should point to RFC 4648 and Appendix C, which should go to JWS but both refer to the local document. There are many other instances of the same issue. I assume this is due to some tool in the xml2rfc or I-D upload process (and I know I have it in some of the drafts I author) but is this the kind of thing that the RFC editor will take care of?

That's something the IETF post-processing tools are doing and getting wrong.  You'll notice that this problem doesn't exist in the HTML version that's directly generated by xml2rfc that's posted at http://self-issued.info/docs/draft-ietf-oauth-json-web-token-17.html, for instance.  So yes, this is in the RFC Editor domain.

* I continue to struggle to understand how the type and content type Header parameters and the type claim can or will be used in a meaningful and reliable way.  I can't help but wonder if it couldn't be simplified. For example. what if we only had the cty header and defined a cty value for a JWT Claims Set - couldn't all the same things be conveyed?


As described in the JOSE specs that define them, "typ" is the type of the entire object, whereas "cty" is the type of the message contained in the JWS or JWE.  Both are now MIME type values.  "cty" is used by JWTs in the specific way specified whereas "typ" can be used as needed by applications using JWTs.

* There are a number of the reserved claims that say the use of the claim is OPTIONAL while also stating that the "JWT MUST be rejected" if some condition about the claim doesn't hold. There seems to be some potential ambiguity here regarding whether (in the absence of tighter context-dependent requirements, which is what generalized JWT libraries need to be built for) the optionality applies only to the producer or also to the consumer of a JWT. My guess is that the claims are optional to include for the producer but, if they are present, they must be validated by the consumer and the JWT must be rejected if whatever condition isn't satisfied. Do I have that right? Regardless, I think there is some ambiguity as currently written that should be clarified.

Many of these have been revised since WGLC.  The only "MUST be rejected" remaining is for the audience claim, in which I've qualified the "MUST be rejected" with "if this claim is present" - clearing up this ambiguity.

Note that some of these comments relate to or even apply directly to JWS and JWE as well. Which I suppose underscores the point James made a while ago about progressing this document so far ahead of the JOSE drafts.
[https://mail.google.com/mail/u/0/images/cleardot.gif]
There was one comment - the one about base64url encoding - that also required a coordinated change in JWS, hence the publication of the -23 JOSE drafts.

On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com<mailto:hannes.tschofenig@nsn.com>> wrote:
Hi again,

I also checked the minutes from IETF#87 regarding the JWT and here are the action items:

** I issued a WGLC, as discussed during the meeting: http://www.ietf.org/mail-archive/web/oauth/current/msg11894.html

** We got some reviews from James, and Prateek. Thanks, guys!
Here are the reviews:
http://www.ietf.org/mail-archive/web/oauth/current/msg11905.html (James)
http://www.ietf.org/mail-archive/web/oauth/current/msg12003.html (Prateek)

 During the meeting a few others, namely Torsten, Karen, Paul Hoffman, and Brian volunteered to provide their review comments. Please send your review to the list.

** I will have to do my shepherd write-up as well.

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth