Re: [OAUTH-WG] Next Steps for the JSON Web Token Document
Brian Campbell <bcampbell@pingidentity.com> Fri, 01 November 2013 19:53 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFFDE11E811D for <oauth@ietfa.amsl.com>; Fri, 1 Nov 2013 12:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.847
X-Spam-Level:
X-Spam-Status: No, score=-5.847 tagged_above=-999 required=5 tests=[AWL=0.130, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5lrwd61bjoma for <oauth@ietfa.amsl.com>; Fri, 1 Nov 2013 12:53:39 -0700 (PDT)
Received: from na3sys009aog123.obsmtp.com (na3sys009aog123.obsmtp.com [74.125.149.149]) by ietfa.amsl.com (Postfix) with ESMTP id 4899B21F9FA4 for <oauth@ietf.org>; Fri, 1 Nov 2013 12:53:36 -0700 (PDT)
Received: from mail-ie0-f175.google.com ([209.85.223.175]) (using TLSv1) by na3sys009aob123.postini.com ([74.125.148.12]) with SMTP ID DSNKUnQGwHvOTdqc9XiR1v+YIXWvf0lkZCTo@postini.com; Fri, 01 Nov 2013 12:53:36 PDT
Received: by mail-ie0-f175.google.com with SMTP id aq17so8413192iec.34 for <oauth@ietf.org>; Fri, 01 Nov 2013 12:53:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=04vhuw6zEfsyVyjmzHFIKxTMcjhpP0aP40tNj5bwHQw=; b=mmVp/8ISJYdRpMDzyT/sCctkzcCPyCRHa7bYka3ldj32fqtjP98NPZGSvsP1KYwc7k 8e73qn1lrNTCtbTLkinrD9isJOEnFSEpFvSEYAFYwtAqbHBTTFcdgHrjtK4PT/NpsClW ItdYljmBfndazCkoChDpceGwcJtwlAVlBZEZpVmY54I26zgTEVe6k/niNzrbu3zCxpIc 2lEKEtps4vE5G4tUlQgNynNjx5eikzZkmhCt/odcLi+3UVo5UVcjjmvwY4cnXxvvi/2V dqigc5hcY9iN7MRY7+CydJTN8c9EY4+x7nC2TkvTy6ZdjOEtmQlJcMZKAPi2HltYax9/ 0DMQ==
X-Gm-Message-State: ALoCoQm87woNLzLDIcBJevVZ2YxhDsfNZJ2D7XuuC0SyK504DtNCq4uIGIrRkK+8fDMjyLV+KMg2wmY/+NAaF0GcTlDlCeR3Prk84DkJfyVz1I3po1CELz4UD2G2KlBvlW3PZT0V4bUlX4PZZPxwRWWts0ckVamNKw==
X-Received: by 10.50.56.44 with SMTP id x12mr3706431igp.41.1383335615765; Fri, 01 Nov 2013 12:53:35 -0700 (PDT)
X-Received: by 10.50.56.44 with SMTP id x12mr3706424igp.41.1383335615608; Fri, 01 Nov 2013 12:53:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.245.233 with HTTP; Fri, 1 Nov 2013 12:53:05 -0700 (PDT)
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA3396C@USCHMBX001.nsn-intra.net>
References: <1373E8CE237FCC43BCA36C6558612D2AA3396C@USCHMBX001.nsn-intra.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 01 Nov 2013 13:53:05 -0600
Message-ID: <CA+k3eCQgTiLCSiCUY6p0XXp14YKo4f=0Q8OAnvpr--T1RBwXYQ@mail.gmail.com>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
Content-Type: multipart/alternative; boundary="089e0158a8faf951f404ea22ebf5"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Next Steps for the JSON Web Token Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2013 19:53:43 -0000
I just saw http://www.ietf.org/mail-archive/web/oauth/current/msg12218.htmlfrom Hannes noting reviews on draft-ietf-oauth-json-web-token and was surprised that mine wasn't included. So I went looking for it and apparently I didn't actually send it to the list. But I did find it and am including what I wrote and tried but failed to send back in September. Sorry about that. And here it s: Below are my review comments on the JSON Web Token Document that I (had forgotten until reminded by Hannes yesterday) committed to reviewing at the meeting in Berlin. Review of draft-ietf-oauth-json-web-token-11: * The sentence about the suggested pronunciation being 'jot' is in both the intro and the abstract. Seems like just once would be sufficient. * Should "Base64url Encoding" in the Terminology section also mention the omission/prohibition of line wrapping? * References to sections or appendices in other documents often don't have the correct href value. For example, "Base64url Encoding" in the Terminology section has this problem for Section 3.2, which should point to RFC 4648 and Appendix C, which should go to JWS but both refer to the local document. There are many other instances of the same issue. I assume this is due to some tool in the xml2rfc or I-D upload process (and I know I have it in some of the drafts I author) but is this the kind of thing that the RFC editor will take care of? * I continue to struggle to understand how the type and content type Header parameters and the type claim can or will be used in a meaningful and reliable way. I can't help but wonder if it couldn't be simplified. For example. what if we only had the cty header and defined a cty value for a JWT Claims Set - couldn't all the same things be conveyed? * There are a number of the reserved claims that say the use of the claim is OPTIONAL while also stating that the "JWT MUST be rejected" if some condition about the claim doesn't hold. There seems to be some potential ambiguity here regarding whether (in the absence of tighter context-dependent requirements, which is what generalized JWT libraries need to be built for) the optionality applies only to the producer or also to the consumer of a JWT. My guess is that the claims are optional to include for the producer but, if they are present, they must be validated by the consumer and the JWT must be rejected if whatever condition isn't satisfied. Do I have that right? Regardless, I think there is some ambiguity as currently written that should be clarified. Note that some of these comments relate to or even apply directly to JWS and JWE as well. Which I suppose underscores the point James made a while ago about progressing this document so far ahead of the JOSE drafts. On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes (NSN - FI/Espoo) < hannes.tschofenig@nsn.com> wrote: > Hi again, > > I also checked the minutes from IETF#87 regarding the JWT and here are the > action items: > > ** I issued a WGLC, as discussed during the meeting: > http://www.ietf.org/mail-archive/web/oauth/current/msg11894.html > > ** We got some reviews from James, and Prateek. Thanks, guys! > Here are the reviews: > http://www.ietf.org/mail-archive/web/oauth/current/msg11905.html (James) > http://www.ietf.org/mail-archive/web/oauth/current/msg12003.html (Prateek) > > During the meeting a few others, namely Torsten, Karen, Paul Hoffman, and > Brian volunteered to provide their review comments. Please send your review > to the list. > > ** I will have to do my shepherd write-up as well. > > Ciao > Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Next Steps for the JSON Web Token Docu… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Next Steps for the JSON Web Token … Torsten Lodderstedt
- Re: [OAUTH-WG] Next Steps for the JSON Web Token … Brian Campbell
- Re: [OAUTH-WG] Next Steps for the JSON Web Token … Hannes Tschofenig
- Re: [OAUTH-WG] Next Steps for the JSON Web Token … Mike Jones