Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Fri, 10 October 2014 21:37 UTC

Date: Fri, 10 Oct 2014 17:37:11 -0400
Message-ID: <CAL02cgS1cJR9k6X-tPW27q=o=Hj3VP-sNRcY1t=Sdaqq0y+ryA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/AnXHdHFVlhm4tSm9kFcupLvN33I
Cc: "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Thanks for your review, Richard.  My responses are inline below...
>
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Richard Barnes
> > Sent: Wednesday, October 01, 2014 7:57 PM
> > To: The IESG
> > Cc: oauth-chairs@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-token@tools.ietf.org
> > Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
> >
> > Richard Barnes has entered the following ballot position for
> > draft-ietf-oauth-json-web-token-27: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Section 7.
> > In order to prevent confusion between secured and Unsecured JWTs, the
> > validation steps here need to call for the application to specify which
> > is required.
>
> Per my response on your JWS comments, this is already handled in a more
> general way in the JWS validation steps.  Specifically, the last paragraph
> of Section 5.2 is:
>
> "Finally, note that it is an application decision which algorithms are
> acceptable in a given context. Even if a JWS can be successfully validated,
> unless the algorithm(s) used in the JWS are acceptable to the application,
> it SHOULD reject the JWS."
>

I've cleared this DISCUSS in the interest of having this fight over in JWS
thread.  But I also added the following COMMENT:
"It would be good for this document to pass on the note from JWS about
selecting which algorithms are acceptable, and in particular, whether
unsecured JWTs are acceptable."

--Richard
> I would therefore request that you likewise withdraw this DISCUSS on that
> basis.
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Abstract.
> > Welsh is the only language I know of in which "w" is a vowel.  According
> > to Wikipedia, then, "JWT" should be pronounced "joot" :)
>
> You're not the only person with knowledge of Welsh to have made this
> comment.  And this is a Jones responding to you... ;-)
>
> > Section 2.
> > It seems like "Unsecured JWT" should simply be defined as "A JWT carried
> > in an Unsigned JWS."
>
> It's been useful in other specifications that are applications of JWTs to
> have a name for this kind of JWT, since it occurs frequently.
>
> > Section 4.1.
> > I'm a little surprised not to see a "jwk" claim, which would basically
> > enable JWTs to sub in for certificates for many use cases.  Did the WG
> > consider this possibility?
>
> Not to my knowledge.  However, I know of several applications in which
> JWKs and JWK Sets are carried as claims in JWTs of various kinds - just
> using claim names that are informed by the context of the particular
> application.  For instance, draft-ietf-oauth-dyn-reg uses a "jwks_uri"
> claim to pass a JWK Set by reference and a "jwks" claim to pass a JWK Set
> by value.
>
>
>                                 Thanks again,
>                                 -- Mike
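The point argued in the thread above (JWS 5.2's "it is an application decision which algorithms are acceptable", and Richard's concern about secured vs. Unsecured JWTs) as an added example that is not part of the thread or of any JWT library: a minimal verifier that takes the application's algorithm allow-list as an explicit input and checks it before any cryptography, so an Unsecured JWT (`alg` "none") is only accepted when the application opted in. Only HS256 and "none" are implemented; the key and claims are constructed for the demo.

```python
# Added example (not from the thread or any JWT library): a minimal JWT
# verifier where "which algs are acceptable" is an explicit application input.
import base64, hashlib, hmac, json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact-serialized JWT: HS256 (keyed) or Unsecured ("none")."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."  # Unsecured JWT: empty third segment
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url_encode(sig)
    raise ValueError("unsupported alg")


def verify_jwt(token: str, acceptable_algs: set, key: bytes = b"") -> dict:
    """Return the claims only if the JWT validates AND its alg is acceptable."""
    h64, p64, s64 = token.split(".")  # ValueError unless three segments
    alg = json.loads(_b64url_decode(h64)).get("alg")
    # Application policy first: an alg outside the allow-list is rejected
    # before any cryptographic check, so "none" cannot pass as a secured JWT.
    if alg not in acceptable_algs:
        raise ValueError(f"alg {alg!r} not acceptable to this application")
    signature = _b64url_decode(s64)
    if alg == "none":
        if signature != b"":
            raise ValueError("Unsecured JWT must carry an empty signature")
    elif alg == "HS256":
        expected = hmac.new(key, (h64 + "." + p64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("HS256 signature check failed")
    else:
        raise ValueError("alg acceptable but not implemented in this example")
    return json.loads(_b64url_decode(p64))


def rejects(token: str, acceptable_algs: set, key: bytes = b"") -> bool:
    """True if verify_jwt refuses the token under the given application policy."""
    try:
        verify_jwt(token, acceptable_algs, key)
        return False
    except ValueError:
        return True
```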