[OAUTH-WG] FW: New Version Notification for draft-sakimura-oauth-rjwtprof-06.txt
"Kepeng Li" <kepeng.lkp@alibaba-inc.com> Wed, 21 October 2015 03:53 UTC
Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0461B2E18 for <oauth@ietfa.amsl.com>; Tue, 20 Oct 2015 20:53:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5yTC7Afa2M1A for <oauth@ietfa.amsl.com>; Tue, 20 Oct 2015 20:53:09 -0700 (PDT)
Received: from out4133-146.mail.aliyun.com (out4133-146.mail.aliyun.com [42.120.133.146]) by ietfa.amsl.com (Postfix) with ESMTP id F329F1B2E14 for <oauth@ietf.org>; Tue, 20 Oct 2015 20:53:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1445399587; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=wse2Q0nH6V/GfiywVVwo54+QBXevmsIaxM9w+iZxmjY=; b=SgnkV5IKOmup/U0DzlVQ97PC6wHJA4dspaIyZh9wwvXam2HdZGytoJ/uozmq1ZfblPmtJDveIdOETi5RUghjQWWWD/Lh1zObAGmrec+nLSORP8TllWwBqPckGivpGdpP0CqKC4T5v3tTDr2ERibU/G2Izr5vjt11FmVZJZhB6k8=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R141e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03299; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=3; SR=0;
Received: from 10.1.152.166(mailfrom:kepeng.lkp@alibaba-inc.com ip:42.120.74.185) by smtp.aliyun-inc.com(127.0.0.1); Wed, 21 Oct 2015 11:52:59 +0800
User-Agent: Microsoft-MacOutlook/14.4.8.150116
Date: Wed, 21 Oct 2015 11:52:54 +0800
From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Message-ID: <D24D2B8B.208B9%kepeng.lkp@alibaba-inc.com>
Thread-Topic: New Version Notification for draft-sakimura-oauth-rjwtprof-06.txt
References: <20151019150331.1746.43411.idtracker@ietfa.amsl.com> <D24C08B2.201B1%kepeng.lkp@alibaba-inc.com> <BY2PR03MB4421662080E9F806121A965F5390@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB4421662080E9F806121A965F5390@BY2PR03MB442.namprd03.prod.outlook.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3528273179_5529654"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/P8xV17gZs8gbsOLB-ykIJP5S1eI>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] FW: New Version Notification for draft-sakimura-oauth-rjwtprof-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2015 03:53:15 -0000
Hi Mike, Thanks for your review. It is very helpful, and I also forward it to the whole list. We will make a update when the submission window opens. Kind Regards Kepeng 发件人: Mike Jones <Michael.Jones@microsoft.com> 日期: Wednesday, 21 October, 2015 1:07 am 至: Li Kepeng <kepeng.lkp@alibaba-inc.com> 抄送: Nat Sakimura <sakimura@gmail.com> 主题: RE: New Version Notification for draft-sakimura-oauth-rjwtprof-06.txt Hi Kepeng, Thanks for the pointer to the current version of the document. Review comments follow… Abstract – Remove the reference, since they aren’t allowed in IETF abstracts. Introduction. I would replace this text: While Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) [POPS <https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-06#ref-POPS> ] touches briefly on the Sender Constraint, it is only one paragraph within a introductory text and does not discuss it in detail. Instead, it devotes much of the discussion to the Key Confirmation method. It also is making the usage of such token against the resource server out of scope. with something closer to this: While Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) [POPS] specifies how to use key confirmation with JWTs, it does not specify how to use a sender constraint. And then maybe merge this paragraph with the following one, which starts “This discussion draft”… I have no idea what the last sentence above was referring to. I’d just delete it. Everyplace you say “Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)” you should change this to the current title “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)”. I would delete the term “Authorized Presenter” and instead refer to the “Presenter” term in [POPS] by reference. The term “Authorized Presenter” has a bad history and tends to cause more confusion than clarity when it appears. When you want to talk about the legitimate presenter, I would just use a phrase such as “intended presenter” or “legitimate presenter”. (I would refer to an unauthorized presenter in your discussion as “the attacker”.) s/use-case/use case/ Delete this sentence, since Sender Constraint isn’t in scope for POPS, and the sentence makes it sound like it is: Key Confirmation mechanism is described in OAuth 2.0 Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) [POPS <https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-06#ref-POPS> ] specification in detail, but Sender Constraint mechanism is not explained in detail. Justification – Some places in the draft you talk about “.well-known/jwks” (plural) and other places you talk about “.well-known/jwk” (singular). I suspect that multiple keys have to be published in the general case in order to enable key rotation, with the right key selected by the “kid”. See http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys for a description of how keys are rotated in OpenID Connect. This spec should do the same or something similar. Sender Constraint Representation – I would not overload the “azp” claim specified in http://openid.net/specs/openid-connect-core-1_0.html#IDToken with a different meaning. There’s a widespread agreement in the OpenID Connect working group that “azp” is confusing – see https://bitbucket.org/openid/connect/issues/973/core-2-3137-azp-claim-unders pecified-and. John Bradley has also stated that the use you’re making of it is different than Google’s usage (which is the only party using “azp” that I’m aware of), and should use a different claim name. Rather, I’d suggest adding a new parameter name under the “cnf” claim defined by POPS to express the presenter – possible “prsnt”. So the syntax would be: “cnf”: {“prsnt”: “presenter identifier”} and when a Key ID is needed to select from among multiple keys, the syntax would be: “cnf”: {“prsnt”: “presenter identifier”, “kid”: “key identifier”} This syntax would be more harmonized with POPS, and is the kind of extension to “cnf” that were anticipated and enabled by the JWT Confirmation Methods Registry in Section 6.2 of POPS. Client Authentication – In (1), why is a “HEAD” request listed as a possibility? Why not just “GET”? In (2), where is the “named” Authorization header value defined? Please provide a reference where you first use it. (Oh – I just realized when I got to 7.1 that you are defining the scheme in this specification. I couldn’t tell for sure until then. I would have a separate section that’s just about defining “named” and how it works before you use it.) In (3), do you mean that the nonce is signed using the JWS Compact Serialization, with the nonce being the JWS Payload value? What key is used for signing? In (4), I’d rename “at” to “access_token” for consistency with other specs and rename “s” to “signature”. In (5), I’d cite RFC 7591 when you refer to Dynamic Client Registration. Also, people won’t like the “may have been”. You should probably define one or a few preferred ways of doing this. In (7), you need to say how the resource server verifies the access token. What steps does it take to do this, for instance? 6.1 URI Client ID – As I wrote earlier, this has to be a JWK Set, with the key being selected by “kid”, to enable key rotation. 6.3 Metadata about the authorization server is its discovery information. For instance, OpenID Connect publishes this information as described at http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata and the following sections. I would describe this as “authorization server discovery information” and probably add an informative reference to OpenID Connect Discovery. 10.2 Informative References – PKCE and Introspection is now both RFCs. Please add URLs to all of the references like those in the Normative References. If you use references like these, you get them automatically: <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.draf t-ietf-oauth-pop-architecture-03.xml" ?> Or you can include an explicit target= value in the <reference> element, such as in this reference: <reference anchor="IANA.JWT.Claims" target="http://www.iana.org/assignments/jwt"> <front> <title>JSON Web Token Claims</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> I hope you find these review comments to be useful. Best wishes, -- Mike