Re: [OAUTH-WG] Next Steps for the JSON Web Token Document

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 01 November 2013 20:13 UTC

Message-ID: <52740B4D.6060404@gmx.net>
Date: Fri, 01 Nov 2013 21:13:01 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Next Steps for the JSON Web Token Document

Thank you for your review, Brian.

Am 01.11.13 20:53, schrieb Brian Campbell:
> I just saw
> http://www.ietf.org/mail-archive/web/oauth/current/msg12218.html from
> Hannes noting reviews on draft-ietf-oauth-json-web-token and was
> surprised that mine wasn't included. So I went looking for it and
> apparently I didn't actually send it to the list. But I did find it and
> am including what I wrote and tried but failed to send back in
> September. Sorry about that.
>
> And here it is:
>
> Below are my review comments on the JSON Web Token Document that I (had
> forgotten until reminded by Hannes yesterday) committed to reviewing at
> the meeting in Berlin.
>
> Review of draft-ietf-oauth-json-web-token-11:
>
> * The sentence about the suggested pronunciation being 'jot' is in both
> the intro and the abstract. Seems like just once would be sufficient.
>
> * Should "Base64url Encoding" in the Terminology section also mention
> the omission/prohibition of line wrapping?
>
> * References to sections or appendices in other documents often don't
> have the correct href value. For example, "Base64url Encoding" in the
> Terminology section has this problem for Section 3.2, which should point
> to RFC 4648 and Appendix C, which should go to JWS but both refer to the
> local document. There are many other instances of the same issue. I
> assume this is due to some tool in the xml2rfc or I-D upload process
> (and I know I have it in some of the drafts I author) but is this the
> kind of thing that the RFC editor will take care of?
>
> * I continue to struggle to understand how the type and content type
> Header parameters and the type claim can or will be used in a meaningful
> and reliable way. I can't help but wonder if it couldn't be simplified.
> For example, what if we only had the cty header and defined a cty value
> for a JWT Claims Set - couldn't all the same things be conveyed?
>
> * There are a number of the reserved claims that say the use of the
> claim is OPTIONAL while also stating that the "JWT MUST be rejected" if
> some condition about the claim doesn't hold. There seems to be some
> potential ambiguity here regarding whether (in the absence of tighter
> context-dependent requirements, which is what generalized JWT libraries
> need to be built for) the optionality applies only to the producer or
> also to the consumer of a JWT. My guess is that the claims are optional
> to include for the producer but, if they are present, they must be
> validated by the consumer and the JWT must be rejected if whatever
> condition isn't satisfied. Do I have that right? Regardless, I think
> there is some ambiguity as currently written that should be clarified.
>
> Note that some of these comments relate to or even apply directly to JWS
> and JWE as well. Which I suppose underscores the point James made a
> while ago about progressing this document so far ahead of the JOSE drafts.
>
>
>
> On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes (NSN - FI/Espoo)
> <hannes.tschofenig@nsn.com <mailto:hannes.tschofenig@nsn.com>> wrote:
>
>     Hi again,
>
>     I also checked the minutes from IETF#87 regarding the JWT and here
>     are the action items:
>
>     ** I issued a WGLC, as discussed during the meeting:
>     http://www.ietf.org/mail-archive/web/oauth/current/msg11894.html
>
>     ** We got some reviews from James, and Prateek. Thanks, guys!
>     Here are the reviews:
>     http://www.ietf.org/mail-archive/web/oauth/current/msg11905.html (James)
>     http://www.ietf.org/mail-archive/web/oauth/current/msg12003.html
>     (Prateek)
>
>     During the meeting a few others, namely Torsten, Karen, Paul
>     Hoffman, and Brian volunteered to provide their review comments.
>     Please send your review to the list.
>
>     ** I will have to do my shepherd write-up as well.
>
>     Ciao
>     Hannes
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
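The review above asks whether a claim marked OPTIONAL is optional only for the producer, with the consumer still obliged to validate it (and reject the JWT) whenever it is present. The following validator, added here as an illustration and not code from the thread or from any JWT library, implements exactly that reading for the exp, nbf, iss and aud claims, and decodes the claims-set segment as base64url without padding or line wrapping, as the Terminology comment discusses. The claim names are the ones under discussion; the sample claims set, the timestamps and the `expected_iss`/`my_aud` parameters are constructed for the demonstration.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments use base64url with no '=' padding and no line wrapping,
    # so padding or line breaks in the input are treated as malformed.
    if any(c in segment for c in "=\r\n"):
        raise ValueError("unexpected padding or line break in base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def validate_claims(claims, now, expected_iss=None, my_aud=None):
    """Reading proposed in the review: a claim is optional to include,
    but if present its condition is checked and failure rejects the JWT.
    Returns (accepted, reason)."""
    if "exp" in claims and now >= claims["exp"]:
        return False, "expired (exp)"
    if "nbf" in claims and now < claims["nbf"]:
        return False, "not yet valid (nbf)"
    if "iss" in claims and expected_iss is not None and claims["iss"] != expected_iss:
        return False, "unexpected issuer (iss)"
    if "aud" in claims:
        auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if my_aud not in auds:
            return False, "audience mismatch (aud)"
    return True, "ok"

def check_jwt_payload(segment, now, expected_iss=None, my_aud=None):
    # Only the claims-set segment is handled here; JWS/JWE verification of the
    # enclosing token is assumed to have already succeeded.
    try:
        claims = json.loads(b64url_decode(segment))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return False, "malformed claims set"
    if not isinstance(claims, dict):
        return False, "claims set is not a JSON object"
    return validate_claims(claims, now, expected_iss, my_aud)

# Constructed sample claims set for demonstration (not from the thread).
SAMPLE_CLAIMS = {"iss": "https://issuer.example", "aud": "client-a", "exp": 1383336781}
SAMPLE_SEGMENT = b64url_encode(json.dumps(SAMPLE_CLAIMS).encode("utf-8"))

if __name__ == "__main__":
    print(check_jwt_payload(SAMPLE_SEGMENT, now=1383336000,
                            expected_iss="https://issuer.example", my_aud="client-a"))
```

A claims set with none of these claims passes every check, which is the point of the review's question: a generic library can only enforce conditions on claims that are actually present, and any stricter "must be present" rule has to come from the application context.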