Re: [OAUTH-WG] Genart last call review of draft-ietf-oauth-jwt-bcp-04
Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 13 April 2019 21:05 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99E61120311; Sat, 13 Apr 2019 14:05:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dxqzCnyB6nIa; Sat, 13 Apr 2019 14:05:11 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C897120043; Sat, 13 Apr 2019 14:05:08 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id q16so15412232wmj.3; Sat, 13 Apr 2019 14:05:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=BQWtcDtOwkUWPssxJJd3zjpPsn+G/xDjo5VQjhtkWwI=; b=ZxZie4z7V482XnFry/iSY4CeYUrd8/NbKrTjdtbhmF56c4CiM+XbxcPd9IUnNj9u3t x/KwTBI8Go0muGugbeBCB5lmLhVr1IHyT3aU057/TNvPTKFGmtrGnJ+EHcU68Y5/IWoh B1nA8fYLNhsn0KK9JG9f7xZPeWK+lIpXMkrAh64ZMMqXxRvq3X8DdcIsEs2b8TjJazvH H6c95pUQim1KTnoNOY1TcKhMbatEBJGxsWGAeYRVcAeyvqlTx1OVKEkU4CIi2gs8K7PY iG771ARgIsRBDwg0wk92sN/dB2UXuPQFkPx30AqGSglDp8uA4AeQVsa4nhqS3LpnHRXr V31g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=BQWtcDtOwkUWPssxJJd3zjpPsn+G/xDjo5VQjhtkWwI=; b=kbhV6R/W0pu2SFGFQjhf41oGHegH/UanLv28IZDVq+k0mqXD30X6UFVDlRaAcZwDAK ZluoeC69iVXqkJFWlZ8RG6NAXfNQCgnpYwSBnuClPUGJ7Rrb9Wl0y/7N+JS+LUru3XZM jDNa9hXnFGp/Q2ikb6xEkFVGTtrfkCnUBeG4JVseiKpP4g8yLtw+aUoF0AiNDknV8SIX nLnonT05taEbSucIpOV2iEgCH4fvnTCDyXvtVlYEhrZAKxW1PE74/ixv7wWRublC31uM IXfI5ZZk6yLrYRkWMb7hSdvqfYt0uMTGKe9eZ291BSh6lu/Q+AZ21niK6VOeJpj6nPwT 5oag==
X-Gm-Message-State: APjAAAUIH80h6yIFOGCdyKW8+JaG7ptQwdEhysoYk5X653u0rOLjYViQ Tbke5Zf8mcySpiRRgIZfxg/Gf/fY
X-Google-Smtp-Source: APXvYqzSlBVgEnU3xDBlDnmbeHn9nBo7s2st6I+pthiNfx4K00lzqhGFCd56uCvf5/TScE6TjdpIQA==
X-Received: by 2002:a7b:c115:: with SMTP id w21mr15737910wmi.55.1555189506553; Sat, 13 Apr 2019 14:05:06 -0700 (PDT)
Received: from [10.0.0.147] (bzq-109-66-94-12.red.bezeqint.net. [109.66.94.12]) by smtp.gmail.com with ESMTPSA id o15sm41237604wrj.59.2019.04.13.14.05.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 13 Apr 2019 14:05:05 -0700 (PDT)
To: Brian Carpenter <brian.e.carpenter@gmail.com>, gen-art@ietf.org
Cc: draft-ietf-oauth-jwt-bcp.all@ietf.org, oauth@ietf.org
References: <155397908561.3942.9798054943934320825@ietfa.amsl.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <13c5e6c9-ee7f-b43c-2c4b-a7ec51de7e88@gmail.com>
Date: Sun, 14 Apr 2019 00:05:03 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <155397908561.3942.9798054943934320825@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UKRgcB1nEM1TIaoXmlqb6_1do38>
Subject: Re: [OAUTH-WG] Genart last call review of draft-ietf-oauth-jwt-bcp-04
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Apr 2019 21:05:14 -0000
Hi Brian, Thank you for your review! Your comments are addressed by the following commit: https://github.com/yaronf/I-D/commit/d00674b352f6e1323da8c5b6600f1f0d7e9b64b1 Please let us know if any issues remain. Best, Yaron On 30/03/2019 23:51, Brian Carpenter via Datatracker wrote: > Reviewer: Brian Carpenter > Review result: Ready with Issues > > Gen-ART Last Call review of draft-ietf-oauth-jwt-bcp-04 > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please treat these comments just > like any other last call comments. > > For more information, please see the FAQ at > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > Document: draft-ietf-oauth-jwt-bcp-04.txt > Reviewer: Brian Carpenter > Review Date: 2019-03-31 > IETF LC End Date: 2019-04-08 > IESG Telechat date: > > Summary: Ready with (minor) issues > -------- > > Minor issues: > ------------- > >> 2.3. Multiplicity of JSON encodings >> >> Previous versions of the JSON format [RFC8259] allowed several >> different character encodings: UTF-8, UTF-16 and UTF-32. This is not >> the case anymore, with the latest standard only allowing UTF-8. >> However older implementations may result in the JWT being >> misinterpreted by its recipient. > > Why is that a security issue? > >> 3.6. Avoid Length-Dependent Encryption Inputs > ... >> ...It is >> RECOMMENDED to avoid any compression of data before encryption since >> such compression often reveals information about the plaintext. > > I'd like a citation for that, because it isn't intuitive. (And compression > after encryption is pointless, of course.) > >> 3.10. Do Not Trust Received Claims > > Both the recommendations in this section seem imprecise. Maybe there > should be some hints about the verification processes. >
- [OAUTH-WG] Genart last call review of draft-ietf-… Brian Carpenter via Datatracker
- Re: [OAUTH-WG] Genart last call review of draft-i… Yaron Sheffer