Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sat, 11 October 2014 21:42 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BAFABFB@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Sat, 11 Oct 2014 17:42:12 -0400
Message-Id: <2081B766-1A49-48FC-8AC5-E364B6741E13@gmail.com>
References: <20141002025706.19368.2507.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAF0C4E@TK5EX14MBXC286.redmond.corp.microsoft.com> <CAL02cgS1cJR9k6X-tPW27q=o=Hj3VP-sNRcY1t=Sdaqq0y+ryA@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439BAFABFB@TK5EX14MBXC286.redmond.corp.microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/OCY2Hzn0jqV_Fm5dqd0L2c200x0
Cc: Richard Barnes <rlb@ipv.sx>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

Mike,

Are you about ready to post an update so we can clear some of the discusses and comments that have been agreed to (like the comment added below when the discuss of Richard's was removed)?

It will help ADs if we are able to reduce and work on the rest.  I find sooner rather than later to be easier so they don't need to figure out the issues again to clear things that have been agreed upon.

It doesn't need to be over the weekend :-)

Thank you!
Kathleen

Sent from my iPhone

On Oct 11, 2014, at 3:54 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

>> From: Richard Barnes [mailto:rlb@ipv.sx] 
>> Sent: Friday, October 10, 2014 2:37 PM
>> To: Mike Jones
>> Cc: The IESG; oauth-chairs@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-token@tools.ietf.org
>> Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
>> 
>> On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>> Thanks for your review, Richard.  My responses are inline below...
>> 
>>> -----Original Message-----
>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Richard Barnes
>>> Sent: Wednesday, October 01, 2014 7:57 PM
>>> To: The IESG
>>> Cc: oauth-chairs@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-token@tools.ietf.org
>>> Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
>>> 
>>> Richard Barnes has entered the following ballot position for
>>> draft-ietf-oauth-json-web-token-27: Discuss
>>> 
>>> When responding, please keep the subject line intact and reply to all email
>>> addresses included in the To and CC lines. (Feel free to cut this introductory
>>> paragraph, however.)
>>> 
>>> 
>>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>> 
>>> 
>>> The document, along with other ballot positions, can be found here:
>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> Section 7.
>>> In order to prevent confusion between secured and Unsecured JWTs, the
>>> validation steps here need to call for the application to specify which is required.
>> 
>> Per my response on your JWS comments, this is already handled in a more general way in the JWS validation steps.  Specifically, the last paragraph of Section 5.2 is:
>> 
>> "Finally, note that it is an application decision which algorithms are acceptable in a given context. Even if a JWS can be successfully validated, unless the algorithm(s) used in the JWS are acceptable to the application, it SHOULD reject the JWS."
>> 
>> I've cleared this DISCUSS in the interest of having this fight over in the JWS thread.  But I also added the following COMMENT:
>> "It would be good for this document to pass on the note from JWS about selecting which algorithms are acceptable, and in particular, whether unsecured JWTs are acceptable."
> 
> Thanks for clearing the DISCUSS.  I'm fine repeating the note about acceptable algorithms in the JWT spec, assuming others are.
> 
>> I would therefore request that you likewise withdraw this DISCUSS on that basis.
> 
>                -- Mike
>
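The JWS Section 5.2 rule quoted in the thread, applied to a JWT validator, as an added example (not code from the thread, the JWT draft, or any library): the application states which algorithms are acceptable before any verification happens, so an Unsecured JWT (`"alg": "none"`) is only accepted when the application has explicitly allowed it. Only HS256 and `none` are implemented, and the key and claims are constructed for the test.

```python
# Added example: JWT validation where the application, not the token, decides
# which algorithms are acceptable (JWS Section 5.2). Only HS256 and "none" are
# implemented here; that restriction is an assumption of this example.
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_jwt(header: dict, claims: dict, key: bytes = b"") -> str:
    """Build a compact JWS for the constructed test tokens (HS256 or none)."""
    seg = lambda d: b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    signing_input = seg(header) + "." + seg(claims)
    if header["alg"] == "none":
        return signing_input + "."  # Unsecured JWT: empty signature segment
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_jwt(token: str, allowed_algs: set, key: bytes = b"") -> dict:
    """Return the claims if 'alg' is acceptable to the application and the
    signature verifies; raise ValueError otherwise."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(h64))
    alg = header.get("alg")
    # The application's allowlist is checked BEFORE any cryptographic work, so
    # the token's own header cannot talk the verifier into skipping a check.
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not acceptable to this application")
    if alg == "none":
        if s64 != "":
            raise ValueError("Unsecured JWT must carry an empty signature")
    elif alg == "HS256":
        expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            raise ValueError("bad signature")
    else:
        raise ValueError(f"alg {alg!r} not implemented")
    return json.loads(b64url_decode(c64))
```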