Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

Carsten Bormann <cabo@tzi.org> Tue, 17 April 2018 11:58 UTC

From: Carsten Bormann <cabo@tzi.org>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: oauth <oauth@ietf.org>
Date: Tue, 17 Apr 2018 13:58:35 +0200
In-Reply-To: <2A008301-0BB6-4DAB-98AF-0728FEE5F205@tzi.org>
Message-Id: <C3AACA46-4502-41A3-86CA-D1A095F82045@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NL4kBL_7W9BxzrntuKnXvfAUb-E>

On Apr 17, 2018, at 12:24, Carsten Bormann <cabo@tzi.org> wrote:
> 
>  ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)

That also gives rise to:

Minor technical comment: 2.3 claims that JSON can be in different encodings.  This is no longer really the case with RFC 8259 (see Section 8.1).  Please fix the wording to remove the untrue claim (no pun intended).

Major technical comment: Section 3.9 recommends the use of media types of the form application/example+jwt. I don't find a registration for the RFC 6839 structured syntax suffix "+jwt". If this recommendation is desired, this document will need to register it (preferred) or refer to a document that does.

Nit: Section 1.2 could use the newer template (as per RFC 8174) here.
Nit: Section 3.6: s/use/use or admit the use of/
Nit: Section 3.8: s/not/not present or not/

I think these are all solved in an obvious way, and once done I strongly support this document to go forward.

Grüße, Carsten
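Added illustration, not part of Carsten's message, the draft, or any IETF code: a small Python validator that turns the two technical comments above into checks. It decodes the JOSE header and claims set strictly as UTF-8 JSON, rejecting a byte order mark or any other encoding as RFC 8259 Section 8.1 requires, and it enforces an explicit "typ" header of the form application/example+jwt, comparing as RFC 7515 Section 4.1.9 prescribes (case-insensitively, with a bare "example+jwt" read as shorthand for "application/example+jwt"). The media type, the tokens and the claims are constructed for the demonstration; the unsigned tokens exist only so the rejection paths can be exercised offline. Signature verification is deliberately out of scope and must run before any claim is trusted.

```python
import base64
import json
import re

# Added example (not from the draft or the mailing-list thread).
# EXPECTED_TYP is an assumed value the application would choose for its
# own token type; the draft only recommends the application/example+jwt form.
EXPECTED_TYP = "application/example+jwt"

_B64URL = re.compile(r"[A-Za-z0-9_-]+")


def b64url_decode(segment):
    """Decode an unpadded base64url segment (RFC 7515 Appendix C).

    The alphabet is checked explicitly because base64.urlsafe_b64decode
    silently drops characters outside the alphabet by default.
    """
    if not _B64URL.fullmatch(segment):
        raise ValueError("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_utf8_json_object(raw):
    """Parse a header or claims set as UTF-8 JSON per RFC 8259 Section 8.1.

    A UTF-16 or BOM-prefixed segment is rejected before json.loads sees it,
    so the 'JSON may be in other encodings' path in the draft's 2.3 is closed.
    """
    if raw.startswith(b"\xef\xbb\xbf"):
        raise ValueError("byte order mark not permitted (RFC 8259 Section 8.1)")
    try:
        text = raw.decode("utf-8")  # strict by default; no BOM stripping
    except UnicodeDecodeError as exc:
        raise ValueError("JSON text must be UTF-8 (RFC 8259 Section 8.1)") from exc
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    return obj


def normalize_typ(value):
    """RFC 7515 Section 4.1.9: compare media types case-insensitively and treat
    a value without '/' as shorthand for application/<value>."""
    value = value.lower()
    return value if "/" in value else "application/" + value


def parse_typed_jwt(token, expected_typ=EXPECTED_TYP):
    """Return (header, claims) if the token is UTF-8 JSON and carries the
    expected explicit type; raise ValueError otherwise. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header = decode_utf8_json_object(b64url_decode(parts[0]))
    typ = header.get("typ")
    if not isinstance(typ, str):
        raise ValueError("missing explicit typ header")
    if normalize_typ(typ) != normalize_typ(expected_typ):
        raise ValueError("unexpected typ: %r" % typ)
    claims = decode_utf8_json_object(b64url_decode(parts[1]))
    return header, claims


def make_unsigned_token(header, claims, encoding="utf-8", bom=False):
    """Constructed test input: compact serialization with an empty signature.
    encoding/bom let a caller produce exactly the inputs the checks reject."""
    def segment(obj):
        data = json.dumps(obj, separators=(",", ":")).encode(encoding)
        if bom:
            data = b"\xef\xbb\xbf" + data
        return b64url_encode(data)
    return segment(header) + "." + segment(claims) + "."


def accepted(token, expected_typ=EXPECTED_TYP):
    """(True, '') if both checks pass, else (False, reason)."""
    try:
        parse_typed_jwt(token, expected_typ)
        return True, ""
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    hdr = {"alg": "HS256", "typ": "example+jwt"}
    print(accepted(make_unsigned_token(hdr, {"sub": "alice"})))
    print(accepted(make_unsigned_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"})))
    print(accepted(make_unsigned_token(hdr, {"sub": "alice"}, encoding="utf-16")))
```

The typ comparison is the part that makes explicit typing useful: a token minted for one purpose with "typ": "JWT" (or with no typ at all) is refused by a consumer expecting application/example+jwt, which is the confusion the draft's recommendation is meant to prevent. Whether "+jwt" is a registered structured syntax suffix does not change the check, but it does decide whether application/example+jwt is a well-formed media type to put in a registration.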