[OAUTH-WG] FW: New Version Notification for draft-sakimura-oauth-rjwtprof-06.txt

"Kepeng Li" <kepeng.lkp@alibaba-inc.com> Wed, 21 October 2015 03:53 UTC

Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 9B0461B2E18 for <oauth@ietfa.amsl.com>; Tue, 20 Oct 2015 20:53:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 5yTC7Afa2M1A for <oauth@ietfa.amsl.com>; Tue, 20 Oct 2015 20:53:09 -0700 (PDT)
Received: from out4133-146.mail.aliyun.com (out4133-146.mail.aliyun.com []) by ietfa.amsl.com (Postfix) with ESMTP id F329F1B2E14 for <oauth@ietf.org>; Tue, 20 Oct 2015 20:53:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1445399587; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=wse2Q0nH6V/GfiywVVwo54+QBXevmsIaxM9w+iZxmjY=; b=SgnkV5IKOmup/U0DzlVQ97PC6wHJA4dspaIyZh9wwvXam2HdZGytoJ/uozmq1ZfblPmtJDveIdOETi5RUghjQWWWD/Lh1zObAGmrec+nLSORP8TllWwBqPckGivpGdpP0CqKC4T5v3tTDr2ERibU/G2Izr5vjt11FmVZJZhB6k8=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R141e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03299; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=3; SR=0;
Received: from ip: by smtp.aliyun-inc.com(; Wed, 21 Oct 2015 11:52:59 +0800
User-Agent: Microsoft-MacOutlook/
Date: Wed, 21 Oct 2015 11:52:54 +0800
From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Message-ID: <D24D2B8B.208B9%kepeng.lkp@alibaba-inc.com>
Thread-Topic: New Version Notification for draft-sakimura-oauth-rjwtprof-06.txt
References: <20151019150331.1746.43411.idtracker@ietfa.amsl.com> <D24C08B2.201B1%kepeng.lkp@alibaba-inc.com> <BY2PR03MB4421662080E9F806121A965F5390@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB4421662080E9F806121A965F5390@BY2PR03MB442.namprd03.prod.outlook.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3528273179_5529654"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/P8xV17gZs8gbsOLB-ykIJP5S1eI>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] FW: New Version Notification for draft-sakimura-oauth-rjwtprof-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2015 03:53:15 -0000

Hi Mike,

Thanks for your review. It is very helpful, and I also forward it to the
whole list.

We will make a update when the submission window opens.

Kind Regards

发件人:  Mike Jones <Michael.Jones@microsoft.com>
日期:  Wednesday, 21 October, 2015 1:07 am
至:  Li Kepeng <kepeng.lkp@alibaba-inc.com>
抄送:  Nat Sakimura <sakimura@gmail.com>
主题:  RE: New Version Notification for draft-sakimura-oauth-rjwtprof-06.txt

Hi Kepeng,
Thanks for the pointer to the current version of the document.  Review
comments follow…
Abstract – Remove the reference, since they aren’t allowed in IETF
Introduction.  I would replace this text:
   While Proof-Of-Possession Semantics for JSON Web Tokens
   (JWTs) [POPS 
<https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-06#ref-POPS> ]
touches briefly on the Sender Constraint, it is only
   one paragraph within a introductory text and does not discuss it in
   detail.  Instead, it devotes much of the discussion to the Key
   Confirmation method.  It also is making the usage of such token
   against the resource server out of scope.
with something closer to this:
While Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) [POPS]
specifies how to use key confirmation with JWTs, it does not specify how to
use a sender constraint.
And then maybe merge this paragraph with the following one, which starts
“This discussion draft”…
I have no idea what the last sentence above was referring to.  I’d just
delete it.
Everyplace you say “Proof-Of-Possession Semantics for JSON Web Tokens
(JWTs)” you should change this to the current title “Proof-of-Possession Key
Semantics for JSON Web Tokens (JWTs)”.
I would delete the term “Authorized Presenter” and instead refer to the
“Presenter” term in [POPS] by reference.  The term “Authorized Presenter”
has a bad history and tends to cause more confusion than clarity when it
appears.  When you want to talk about the legitimate presenter, I would just
use a phrase such as “intended presenter” or “legitimate presenter”.  (I
would refer to an unauthorized presenter in your discussion as “the
s/use-case/use case/
Delete this sentence, since Sender Constraint isn’t in scope for POPS, and
the sentence makes it sound like it is:
   Key Confirmation mechanism is
   described in OAuth 2.0 Proof-Of-Possession Semantics for JSON Web
   Tokens (JWTs) [POPS
<https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-06#ref-POPS> ]
specification in detail, but Sender Constraint
   mechanism is not explained in detail.
Justification – Some places in the draft you talk about “.well-known/jwks”
(plural) and other places you talk about “.well-known/jwk” (singular).  I
suspect that multiple keys have to be published in the general case in order
to enable key rotation, with the right key selected by the “kid”.  See
http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys for a
description of how keys are rotated in OpenID Connect.  This spec should do
the same or something similar.
Sender Constraint Representation – I would not overload the “azp” claim
specified in http://openid.net/specs/openid-connect-core-1_0.html#IDToken
with a different meaning.  There’s a widespread agreement in the OpenID
Connect working group that “azp” is confusing – see
pecified-and.  John Bradley has also stated that the use you’re making of it
is different than Google’s usage (which is the only party using “azp” that
I’m aware of), and should use a different claim name.  Rather, I’d suggest
adding a new parameter name under the “cnf” claim defined by POPS to express
the presenter – possible “prsnt”.  So the syntax would be:
    “cnf”: {“prsnt”: “presenter identifier”}
and when a Key ID is needed to select from among multiple keys, the syntax
would be:
    “cnf”: {“prsnt”: “presenter identifier”, “kid”: “key identifier”}
This syntax would be more harmonized with POPS, and is the kind of extension
to “cnf” that were anticipated and enabled by the JWT Confirmation Methods
Registry in Section 6.2 of POPS.
Client Authentication – In (1), why is a “HEAD” request listed as a
possibility?  Why not just “GET”?
In (2), where is the “named” Authorization header value defined?  Please
provide a reference where you first use it.  (Oh – I just realized when I
got to 7.1 that you are defining the scheme in this specification.  I
couldn’t tell for sure until then.  I would have a separate section that’s
just about defining “named” and how it works before you use it.)
In (3), do you mean that the nonce is signed using the JWS Compact
Serialization, with the nonce being the JWS Payload value?  What key is used
for signing?
In (4), I’d rename “at” to “access_token” for consistency with other specs
and rename “s” to “signature”.
In (5), I’d cite RFC 7591 when you refer to Dynamic Client Registration.
Also, people won’t like the “may have been”.  You should probably define one
or a few preferred ways of doing this.
In (7), you need to say how the resource server verifies the access token.
What steps does it take to do this, for instance?
6.1 URI Client ID – As I wrote earlier, this has to be a JWK Set, with the
key being selected by “kid”, to enable key rotation.
6.3 Metadata about the authorization server is its discovery information.
For instance, OpenID Connect publishes this information as described at
and the following sections.  I would describe this as “authorization server
discovery information” and probably add an informative reference to OpenID
Connect Discovery.
10.2 Informative References – PKCE and Introspection is now both RFCs.
Please add URLs to all of the references like those in the Normative
References.  If you use references like these, you get them automatically:
t-ietf-oauth-pop-architecture-03.xml" ?>
Or you can include an explicit target= value in the <reference> element,
such as in this reference:
      <reference anchor="IANA.JWT.Claims"
          <title>JSON Web Token Claims</title>
I hope you find these review comments to be useful.
                                                                Best wishes,
                                                                -- Mike