Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
Mike Jones <Michael.Jones@microsoft.com> Mon, 20 October 2014 15:46 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B6781A1B4B; Mon, 20 Oct 2014 08:46:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4fz25eOCScj; Mon, 20 Oct 2014 08:46:41 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0747.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:747]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2E901A1B0F; Mon, 20 Oct 2014 08:45:18 -0700 (PDT)
Received: from BY2PR03CA005.namprd03.prod.outlook.com (10.255.93.22) by CY1PR0301MB1212.namprd03.prod.outlook.com (25.161.212.146) with Microsoft SMTP Server (TLS) id 15.0.1054.13; Mon, 20 Oct 2014 15:44:56 +0000
Received: from BN1AFFO11FD030.protection.gbl (10.255.93.4) by BY2PR03CA005.outlook.office365.com (10.255.93.22) with Microsoft SMTP Server (TLS) id 15.0.1054.13 via Frontend Transport; Mon, 20 Oct 2014 15:44:55 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD030.mail.protection.outlook.com (10.58.52.168) with Microsoft SMTP Server (TLS) id 15.0.1049.20 via Frontend Transport; Mon, 20 Oct 2014 15:44:53 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.03.0210.003; Mon, 20 Oct 2014 15:44:42 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Barry Leiba <barryleiba@computer.org>
Thread-Topic: Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
Thread-Index: Ac/nrPscpwn+lU95TEyXOragiNkBcgEz7Qsg
Date: Mon, 20 Oct 2014 15:44:41 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB1AE8A@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739439BB0D351@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BB0D351@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(164054003)(199003)(13464003)(51704005)(52044002)(50854003)(43784003)(51914003)(189002)(377454003)(21056001)(50986999)(68736004)(69596002)(19580395003)(19580405001)(84676001)(87936001)(85852003)(230783001)(85806002)(2656002)(86612001)(85306004)(76176999)(54356999)(15975445006)(120916001)(97736003)(26826002)(76482002)(23676002)(80022003)(46102003)(92726001)(55846006)(92566001)(99396003)(86362001)(33656002)(66066001)(95666004)(4396001)(64706001)(31966008)(20776003)(47776003)(50466002)(104016003)(44976005)(77096002)(107046002)(110136001)(6806004)(81156004)(106466001)(15202345003); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB1212; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB1212;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03706074BC
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Sh5Hm4ILZLV3aj39KFrBrr4YbcU
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>
Subject: Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 15:46:45 -0000
Hi Barry, Could you take a look at the text changes made and responses to your DISCUSS positions in the next few days? We’re down to a week left to submit new drafts and if we need to make further changes for you, it would be good to know what they are before that. In response to your first DISCUSS, the string comparison rules at http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29#section-7.3 have been revised to reference the rules in RFC 7159, to explicitly list the exceptions for “typ” and “cty”, and to include the new last paragraph about including case-insensitive values as part of case-sensitive fields. In response to your second, the drafts now reference RFC 6838, now include fragment identifier considerations and provisional registration entries, and Kathleen initiated the media-types@iana.org review on October 1st, with no objections having been voiced during the review. The proposed resolutions were applied in response to your COMMENT positions too. Thanks, -- Mike -----Original Message----- From: Mike Jones [mailto:Michael.Jones@microsoft.com] Sent: Tuesday, October 14, 2014 5:47 AM To: Barry Leiba; The IESG Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web-token@tools.ietf.org; oauth@ietf.org Subject: RE: Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT) The proposed resolutions have been applied to the -28 draft. Hopefully this will enable to clear your DISCUSSes. Thanks again for the careful read! -- Mike > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones > Sent: Saturday, October 04, 2014 5:17 PM > To: Barry Leiba; The IESG > Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web- > token@tools.ietf.org; oauth@ietf.org > Subject: Re: [OAUTH-WG] Barry Leiba's Discuss on > draft-ietf-oauth-json-web- > token-27: (with DISCUSS and COMMENT) > > Thanks for your review, Barry. I'm adding the working group so > they’re aware of these comments. At Stephen Farrell's request, I'm > responding with "> " line prefixes on previous thread content. I'm > also repeating (and in the first case, > augmenting) my previous responses to the DISCUSS comments in this > consolidated message. > > > -----Original Message----- > > From: Barry Leiba [mailto:barryleiba@computer.org] > > Sent: Wednesday, October 01, 2014 8:54 AM > > To: The IESG > > Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web- > > token@tools.ietf.org > > Subject: Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: > > (with DISCUSS and COMMENT) > > > > Barry Leiba has entered the following ballot position for > > draft-ietf-oauth-json-web-token-27: Discuss > > > > When responding, please keep the subject line intact and reply to > > all email addresses included in the To and CC lines. (Feel free to > > cut this introductory paragraph, however.) > > > > > > Please refer to > > http://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/ > > > > > > > > -------------------------------------------------------------------- > > -- > > DISCUSS: > > -------------------------------------------------------------------- > > -- > > > > I have two points that I'd like to get resolved before happily > > approving this fine > > document: > > > > -- Section 7.1 -- > > > > The comparison you specify is as specified in RFC 7159, Section 8.3, > > which is to "transform the textual representation into sequences of > > Unicode code units and then perform the comparison numerically, code > > unit by code unit". This has no regard for text case, and so it's a > > case-sensitive > comparison. > > > > And, yet, Sections 5.1 and 5.2 specify that the values of typ and > > cty are case- insensitive, and specify using upper case as a SHOULD, > > for "compatibility with legacy implementations". > > > > It doesn't seem that "legacy" has anything to do with this: someone > > conforming to *this* specification will compare the values of typ > > and cty Unicode-character by Unicode-character, and will fail to > > match "JWT" with > "jwt". > > > > Is there not a problem here? > > We can update the text to clarify that MIME type comparisons are an > exception to the “code unit by code unit” comparison rule. The drafts > will also be scrutinized for other possible occurrences of exceptions > to the default string comparison instructions. Finally, we can add > language to 7.1 about "unless otherwise noted for a particular kind of > string" so that it's clear that there are exceptions to the rule. > > > -- Section 10.3.1 -- > > > > Nice that you cite 2046 for media types, but the *registration* of > > media types is documented in RFC 6838, and this document doesn't > > quite conform to that. The only thing missing in the doc is > > "Fragment identifier considerations" in the registration template, > > but 6838 also strongly suggests review of the media-type > > registration on the media-types mailing list. Given that this will > > not get expert review (because it's an IETF-stream RFC), I'd like to > > ask for an explicit review on the media-types list to make sure that > > the registration information is > complete and makes sense. > > Thanks for the 6833 reference. We’ll use that. I know that Kathleen > already initiated the review on the media-types list. > > > -------------------------------------------------------------------- > > -- > > COMMENT: > > -------------------------------------------------------------------- > > -- > > > > -- Abstract -- > > > > The suggested pronunciation of JWT is the same as the English word > > "jot". > > > > I have no objection (well, I do, but it's not for me to say how you > > want to pronounce it) to having this sentence in the Introduction, > > but it seems out of place in the Abstract, which is meant to be concise. > > OK - We can remove it from the Abstract. > > > -- Section 4.1 -- > > > > It appears that all claims defined here are OPTIONAL, and each one > > says so in its subsection. Given that they *all* are, it might be > > useful to say that up front, maybe with a sentence that says, "All > > claims defined in this section are OPTIONAL to use." (I don't feel > > strongly about this; it's just a suggestion, so do with it as you > > see best.) See > also my comment on 10.1.1, below. > > Editorially, we decided to describe the optionality of each claim in > the claim definition so that when used as a reference without reading > the whole thing, the optionality will still be obvious to the reader. > > > -- Section 4.1.2 -- > > > > The subject value MAY be scoped to be locally > > unique in the context of the issuer or MAY be globally unique. > > > > Or it MAY be anything else, including not unique at all. Is that what you mean? > > Or are these meant to be two options, one of which has to be true? > > If so, you need to re-do this, perhaps like this: > > > > NEW > > The subject value MUST either be globally unique, or be scoped > > to be locally unique in the context of the issuer. > > END > > Your new language matches the intent. I'll plan to revise accordingly. > > > -- Section 10.1.1 -- > > > > Given that the descriptions of the claims include a statement that > > their use is OPTIONAL, should there not be an entry in the table > > that says whether the claim is OPTIONAL or REQUIRED ? Or is it the > > intent that > > *all* of them always be OPTIONAL ? Or is it sufficient to have that > > indication in the reference documentation ? > > What claims are required by applications will be specified by > applications. For instance, some applications using JWTs require that > the issuer, subject, and audience be present. Therefore, I don't > think that adding a table entry would help a great deal, and it could even confuse some developers. > > -- Mike > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth