Re: [OAUTH-WG] Next Steps for the JSON Web Token Document
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 01 November 2013 20:13 UTC
Message-ID: <52740B4D.6060404@gmx.net>
Date: Fri, 01 Nov 2013 21:13:01 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Thank you for your review, Brian.

On 01.11.13 20:53, Brian Campbell wrote:
> I just saw
> http://www.ietf.org/mail-archive/web/oauth/current/msg12218.html from
> Hannes noting reviews on draft-ietf-oauth-json-web-token and was
> surprised that mine wasn't included. So I went looking for it and
> apparently I didn't actually send it to the list. But I did find it and
> am including what I wrote and tried but failed to send back in
> September. Sorry about that.
>
> And here it is:
>
> Below are my review comments on the JSON Web Token Document that I (had
> forgotten until reminded by Hannes yesterday) committed to reviewing at
> the meeting in Berlin.
>
> Review of draft-ietf-oauth-json-web-token-11:
>
> * The sentence about the suggested pronunciation being 'jot' is in both
> the intro and the abstract. Seems like just once would be sufficient.
>
> * Should "Base64url Encoding" in the Terminology section also mention
> the omission/prohibition of line wrapping?
>
> * References to sections or appendices in other documents often don't
> have the correct href value. For example, "Base64url Encoding" in the
> Terminology section has this problem for Section 3.2, which should point
> to RFC 4648 and Appendix C, which should go to JWS but both refer to the
> local document. There are many other instances of the same issue. I
> assume this is due to some tool in the xml2rfc or I-D upload process
> (and I know I have it in some of the drafts I author) but is this the
> kind of thing that the RFC editor will take care of?
>
> * I continue to struggle to understand how the type and content type
> Header parameters and the type claim can or will be used in a meaningful
> and reliable way. I can't help but wonder if it couldn't be simplified.
> For example, what if we only had the cty header and defined a cty value
> for a JWT Claims Set - couldn't all the same things be conveyed?
>
> * There are a number of the reserved claims that say the use of the
> claim is OPTIONAL while also stating that the "JWT MUST be rejected" if
> some condition about the claim doesn't hold. There seems to be some
> potential ambiguity here regarding whether (in the absence of tighter
> context-dependent requirements, which is what generalized JWT libraries
> need to be built for) the optionality applies only to the producer or
> also to the consumer of a JWT. My guess is that the claims are optional
> to include for the producer but, if they are present, they must be
> validated by the consumer and the JWT must be rejected if whatever
> condition isn't satisfied. Do I have that right? Regardless, I think
> there is some ambiguity as currently written that should be clarified.
>
> Note that some of these comments relate to or even apply directly to JWS
> and JWE as well. Which I suppose underscores the point James made a
> while ago about progressing this document so far ahead of the JOSE drafts.
>
> On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes (NSN - FI/Espoo)
> <hannes.tschofenig@nsn.com> wrote:
>
> > Hi again,
> >
> > I also checked the minutes from IETF#87 regarding the JWT and here
> > are the action items:
> >
> > ** I issued a WGLC, as discussed during the meeting:
> > http://www.ietf.org/mail-archive/web/oauth/current/msg11894.html
> >
> > ** We got some reviews from James, and Prateek. Thanks, guys!
> > Here are the reviews:
> > http://www.ietf.org/mail-archive/web/oauth/current/msg11905.html (James)
> > http://www.ietf.org/mail-archive/web/oauth/current/msg12003.html
> > (Prateek)
> >
> > During the meeting a few others, namely Torsten, Karen, Paul
> > Hoffman, and Brian volunteered to provide their review comments.
> > Please send your review to the list.
> >
> > ** I will have to do my shepherd write-up as well.
> >
> > Ciao
> > Hannes
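
The reading Brian proposes in the quoted review (claims optional for the producer, but enforced by the consumer whenever present) can be written as the check below. This is an added example, not code from the thread or the draft; the claim names `exp`, `nbf` and `aud` are taken from the published JWT specification (RFC 7519), and the function names, the `required` parameter and the sample values are assumptions.

```python
import time

class JWTRejected(Exception):
    """A present claim failed its check, or a profile-required claim is missing."""

def numeric_date(claims, name):
    """Return the claim as a number; bool is excluded because it subclasses int."""
    value = claims[name]
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise JWTRejected(f"{name} is not a NumericDate")
    return value

def validate_claims(claims, my_audience, now=None, leeway=0, required=()):
    """Check an already signature-verified JWT Claims Set (a dict).

    Absent claims are accepted (optional for the producer); present claims are
    always enforced. `required` (hypothetical) models a tighter profile.
    """
    now = time.time() if now is None else now
    missing = [name for name in required if name not in claims]
    if missing:
        raise JWTRejected(f"profile requires missing claims: {missing}")
    if "exp" in claims and now >= numeric_date(claims, "exp") + leeway:
        raise JWTRejected("expired")
    if "nbf" in claims and now < numeric_date(claims, "nbf") - leeway:
        raise JWTRejected("not yet valid")
    if "aud" in claims:
        aud = claims["aud"]
        audiences = [aud] if isinstance(aud, str) else aud
        if not isinstance(audiences, list) or my_audience not in audiences:
            raise JWTRejected("this recipient is not an intended audience")
    return True

def is_accepted(claims, **kwargs):
    """Boolean wrapper so callers and tests can branch without try/except."""
    try:
        return validate_claims(claims, **kwargs)
    except JWTRejected:
        return False

# Constructed sample values, not taken from the thread.
NOW = 1383336000
ME = "https://rs.example"
SAMPLES = {
    "no optional claims": {"iss": "https://as.example"},
    "expired": {"exp": NOW - 60, "aud": ME},
    "wrong audience": {"exp": NOW + 300, "aud": ["https://other.example"]},
}
if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        print(label, is_accepted(claims, my_audience=ME, now=NOW))
```

A general-purpose library would call `validate_claims` with an empty `required`, while a deployment with tighter context-dependent requirements passes the claims it insists on.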