IETF Logo Mail Archive

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Mon, 06 October 2014 07:55 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 831521A1B68; Mon, 6 Oct 2014 00:55:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ryzPh3OYmcxo; Mon, 6 Oct 2014 00:55:11 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0784.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:784]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2A5C1A1B61; Mon, 6 Oct 2014 00:55:10 -0700 (PDT)
Received: from BY1PR0301MB1208.namprd03.prod.outlook.com (25.161.203.16) by BY1PR0301MB1205.namprd03.prod.outlook.com (25.161.203.154) with Microsoft SMTP Server (TLS) id 15.0.1044.10; Mon, 6 Oct 2014 07:54:49 +0000
Received: from BY2PR03CA057.namprd03.prod.outlook.com (10.141.249.30) by BY1PR0301MB1208.namprd03.prod.outlook.com (25.161.203.16) with Microsoft SMTP Server (TLS) id 15.0.1044.10; Mon, 6 Oct 2014 07:54:47 +0000
Received: from BY2FFO11FD022.protection.gbl (2a01:111:f400:7c0c::104) by BY2PR03CA057.outlook.office365.com (2a01:111:e400:2c5d::30) with Microsoft SMTP Server (TLS) id 15.0.1044.10 via Frontend Transport; Mon, 6 Oct 2014 07:54:47 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD022.mail.protection.outlook.com (10.1.15.211) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Mon, 6 Oct 2014 07:54:47 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0210.003; Mon, 6 Oct 2014 07:54:20 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>, The IESG <iesg@ietf.org>
Thread-Topic: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
Thread-Index: AQHP3eyTOy20E1mLIki2fp/mr+WNhZwiXvCA
Date: Mon, 06 Oct 2014 07:54:19 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BAF0C4E@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20141002025706.19368.2507.idtracker@ietfa.amsl.com>
In-Reply-To: <20141002025706.19368.2507.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(13464003)(189002)(199003)(51704005)(377454003)(52044002)(43784003)(6806004)(107046002)(87936001)(21056001)(92566001)(26826002)(20776003)(64706001)(31966008)(86362001)(97756001)(33656002)(106466001)(92726001)(85806002)(2656002)(97736003)(104016003)(81156004)(66066001)(54356999)(44976005)(86612001)(76176999)(50986999)(69596002)(85852003)(84676001)(68736004)(106116001)(230783001)(47776003)(77096002)(99396003)(4396001)(85306004)(15975445006)(23726002)(46406003)(55846006)(19580405001)(80022003)(15202345003)(19580395003)(46102003)(10300001)(95666004)(76482002)(50466002)(120916001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0301MB1208; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB1208;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03569407CC
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB1205;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/7oICJCbV0OMuJe4ASo3sJWM-CbY
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Oct 2014 07:55:15 -0000

Thanks for your review, Richard.  My responses are inline below...

> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Richard Barnes
> Sent: Wednesday, October 01, 2014 7:57 PM
> To: The IESG
> Cc: oauth-chairs@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-
> token@tools.ietf.org
> Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-
> token-27: (with DISCUSS and COMMENT)
> 
> Richard Barnes has entered the following ballot position for
> draft-ietf-oauth-json-web-token-27: Discuss
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Section 7.
> In order to prevent confusion between secured and Unsecured JWTs, the
> validation steps here need to call for the application to specify which is required.

Per my response on your JWS comments, this is already handed in a more general way in the JWS validation steps.  Specifically, the last paragraph of Section 5.2 is:

"Finally, note that it is an application decision which algorithms are acceptable in a given context. Even if a JWS can be successfully validated, unless the algorithm(s) used in the JWS are acceptable to the application, it SHOULD reject the JWS."

I would therefore request that you likewise withdraw this DISCUSS on that basis.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Abstract.
> Welsh is the only language I know of in which "w" is a vowel.  According to
> Wikipedia, then, "JWT" should pronounced "joot" :)

You're not the only person with knowledge of Welsh to have made this comment.  And this is a Jones responding to you... ;-)

> Section 2.
> It seems like "Unsecured JWT" should simply be defined as "A JWT carried in an
> Unsigned JWS."

It's been useful in other specifications that are applications of JWTs to have a name for this kind of JWT, since it occurs frequently.

> Section 4.1.
> I'm a little surprised not to see a "jwk" claim, which would basically enable JWTs
> to sub in for certificates for many use cases.  Did the WG consider this
> possibility?

Not to my knowledge.  However, I know of several applications in which JWKs and JWK Sets are carried as claims in JWTs of various kinds - just using claim names that are informed by the context of the particular application.  For instance, draft-ietf-oauth-dyn-reg uses a "jwks_uri" claim to pass a JWK Set by reference and a "jwks" claim to pass a JWK Set by value.

> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

				Thanks again,
				-- Mike

v2.23.0 | Report a Bug | By Email