Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

Mike Jones <Michael.Jones@microsoft.com> Tue, 08 May 2018 19:28 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Carsten Bormann <cabo@tzi.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices
Date: Tue, 8 May 2018 19:27:51 +0000
Message-ID: <BL0PR00MB029201781F79738DAE9E414DF59A0@BL0PR00MB0292.namprd00.prod.outlook.com>
References: <VI1PR0801MB21126C75C51AFC361852988BFAB00@VI1PR0801MB2112.eurprd08.prod.outlook.com> <2A008301-0BB6-4DAB-98AF-0728FEE5F205@tzi.org> <C3AACA46-4502-41A3-86CA-D1A095F82045@tzi.org>
In-Reply-To: <C3AACA46-4502-41A3-86CA-D1A095F82045@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/epkVwQgPLItex0higAxmjlUI1jE>
Subject: Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

Hi Carsten,

In preparing a description of the changes made for WGLC, I reread your comments below and saw that we failed to do the update to the RFC 8174 template.  I've made a note of it and will plan to do so when we next edit the document.

Responding to your point about the "+jwt" structured syntax registration - this registration is being done by https://tools.ietf.org/html/draft-ietf-secevent-token-11#section-7.2.  This document will be discussed on this week's telechat.

I believe that all your other points below have been addressed.

				Thanks again,
				-- Mike

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Carsten Bormann
Sent: Tuesday, April 17, 2018 4:59 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

On Apr 17, 2018, at 12:24, Carsten Bormann <cabo@tzi.org> wrote:
> 
>  ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)

That also gives rise to:

Minor technical comment: 2.3 claims that JSON can be in different encodings.  This is no longer really the case with RFC 8259 (see Section 8.1).  Please fix the wording to remove the untrue claim (no pun intended).

Major technical comment: Section 3.9 recommends the use of media types of the form application/example+jwt.
I don’t find a registration for the RFC 6839 structured syntax suffix "+jwt".  If this recommendation is desired, this document will need to register it (preferred) or refer to a document that does.

Nit: Section 1.2 could use the newer template (as per RFC 8174) here.
Nit: Section 3.6: s/use/use or admit the use of/
Nit: Section 3.8: s/not/not present or not/

I think these are all solved in an obvious way, and once done I strongly support this document to go forward.

Regards, Carsten

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
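Two of the review points above are checks a JWT consumer can enforce directly: explicit typing via a "+jwt" media type in the "typ" header, and reading header and payload only as UTF-8 JSON, since RFC 8259 Section 8.1 no longer allows other encodings. The following is an added example, not code from the thread or from any IETF draft; the function names, the "example+jwt" type and the test token are assumptions constructed for illustration.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding (RFC 7515, Appendix C).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_json_utf8(raw: bytes) -> dict:
    """RFC 8259 Section 8.1: JSON exchanged between systems MUST be UTF-8.
    This consumer decodes strictly and, as a deliberate strict choice,
    also rejects a leading BOM (8.1 says senders MUST NOT add one)."""
    if raw.startswith(b"\xef\xbb\xbf"):
        raise ValueError("BOM at start of JSON text")
    obj = json.loads(raw.decode("utf-8"))  # invalid UTF-8 raises ValueError
    if not isinstance(obj, dict):
        raise ValueError("JWT header and payload must be JSON objects")
    return obj

def normalize_typ(typ: str) -> str:
    # RFC 7515 Section 4.1.9: the "application/" prefix may be omitted in
    # "typ", and media type names are compared case-insensitively.
    t = typ.strip().lower()
    return t if "/" in t else "application/" + t

def check_explicit_type(header: dict, expected: str) -> bool:
    """Explicit typing: 'typ' must name the expected +jwt media type."""
    expected_norm = normalize_typ(expected)
    if not expected_norm.endswith("+jwt"):
        raise ValueError("expected type must carry the +jwt suffix")
    typ = header.get("typ")
    return isinstance(typ, str) and normalize_typ(typ) == expected_norm

def parse_jwt(token: str, expected_typ: str):
    """Parse a compact JWT, enforcing UTF-8 JSON and explicit typing.
    Signature verification is out of scope for this example."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = decode_json_utf8(_b64url_decode(parts[0]))
    if not check_explicit_type(header, expected_typ):
        raise ValueError("missing or unexpected typ header")
    return header, decode_json_utf8(_b64url_decode(parts[1]))

def make_unsigned_jwt(header: dict, payload: dict) -> str:
    # Constructed test input only: header.payload with an empty signature part.
    enc = lambda o: _b64url_encode(json.dumps(o, separators=(",", ":")).encode("utf-8"))
    return ".".join([enc(header), enc(payload), ""])
```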