[OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

"Richard Barnes" <rlb@ipv.sx> Thu, 02 October 2014 02:57 UTC

From: Richard Barnes <rlb@ipv.sx>
To: The IESG <iesg@ietf.org>
Message-ID: <20141002025706.19368.2507.idtracker@ietfa.amsl.com>
Date: Wed, 01 Oct 2014 19:57:06 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/TYANOKHXUG69qB7xRWwc4dllPLk
Cc: oauth-chairs@tools.ietf.org, oauth@ietf.org, draft-ietf-oauth-json-web-token@tools.ietf.org
Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

Richard Barnes has entered the following ballot position for
draft-ietf-oauth-json-web-token-27: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Section 7.
In order to prevent confusion between secured and Unsecured JWTs, the
validation steps here need to call for the application to specify which
is required.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Abstract.
Welsh is the only language I know of in which "w" is a vowel.  According
to Wikipedia, then, "JWT" should be pronounced "joot" :)

Section 2.
It seems like "Unsecured JWT" should simply be defined as "A JWT carried
in an Unsigned JWS."

Section 4.1.
I'm a little surprised not to see a "jwk" claim, which would basically
enable JWTs to sub in for certificates for many use cases.  Did the WG
consider this possibility?
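The point behind the DISCUSS above, as an added example that is not part of Richard Barnes' message or of the JWT draft: a small Python validator in which the application, not the token, decides whether a secured or an Unsecured JWT is acceptable. The caller passes the set of "alg" values it will honour, so a header saying "none" is only accepted when the application asked for Unsecured JWTs, and a forger cannot downgrade a token the application believes is signed. Only the standard library is used; the key, the claims, the policy constants and the helper names are constructed for this illustration.

```python
# Added example, not code from the ballot or the JWT draft. Uses only
# the standard library; key, claims and policy names are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWS base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def encode_jwt(claims: dict, key: Optional[bytes], alg: str) -> str:
    """JWS Compact Serialization: header.payload.signature.
    alg "none" produces an Unsecured JWT with an empty signature part."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = b64url_encode(_json(header)) + "." + b64url_encode(_json(claims))
    if alg == "none":
        return signing_input + "."
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)
    raise ValueError("unsupported alg: " + alg)


class InvalidToken(Exception):
    pass


def validate_jwt(token: str, *, key: Optional[bytes], allowed_algs: frozenset) -> dict:
    """Validate a JWT. The caller states which 'alg' values it accepts, so
    "none" is honoured only when the application asked for Unsecured JWTs;
    the token's own header never chooses how the token is checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("header or payload is not valid JSON") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("header and claims set must be JSON objects")
    alg = header.get("alg")
    if alg not in allowed_algs:  # policy check comes before any crypto
        raise InvalidToken("alg %r not permitted by application policy" % alg)
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    if alg == "none":
        if sig_b64 != "":
            raise InvalidToken("Unsecured JWT must carry an empty signature")
    elif alg == "HS256":
        if key is None:
            raise InvalidToken("HS256 policy requires a key")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise InvalidToken("HMAC does not verify")
    else:
        raise InvalidToken("alg %r allowed by policy but not implemented" % alg)
    return claims


# Two application policies. Putting both algs in one set is exactly the
# secured/Unsecured confusion the DISCUSS warns about.
SECURED_ONLY = frozenset({"HS256"})
UNSECURED_ONLY = frozenset({"none"})


def accepted(token: str, policy: frozenset, key: Optional[bytes]) -> bool:
    try:
        validate_jwt(token, key=key, allowed_algs=policy)
        return True
    except InvalidToken:
        return False


def demo() -> dict:
    """Exercise both policies on constructed tokens; returns outcome flags."""
    key = b"constructed-demo-secret"
    claims = {"iss": "https://issuer.example", "sub": "alice", "exp": 2000000000}
    signed = encode_jwt(claims, key, "HS256")
    unsecured = encode_jwt(claims, None, "none")
    # A forger drops the signature and rewrites the claims under alg "none".
    forged = encode_jwt(dict(claims, sub="mallory"), None, "none")
    return {
        "signed_accepted_by_secured_policy": accepted(signed, SECURED_ONLY, key),
        "forged_none_rejected_by_secured_policy": not accepted(forged, SECURED_ONLY, key),
        "unsecured_rejected_by_secured_policy": not accepted(unsecured, SECURED_ONLY, key),
        "unsecured_accepted_when_explicitly_allowed": accepted(unsecured, UNSECURED_ONLY, None),
        "signed_rejected_by_unsecured_policy": not accepted(signed, UNSECURED_ONLY, None),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The design choice worth noting is the order of checks in validate_jwt: the application's allowed_algs policy is consulted before the header's "alg" is used to select any cryptographic step, so the token cannot talk the validator into treating it as Unsecured when the application expected a signature.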