[OAUTH-WG] Ben Campbell's Yes on draft-ietf-oauth-jwsreq-12: (with COMMENT)

"Ben Campbell" <ben@nostrum.com> Thu, 16 February 2017 03:26 UTC

From: Ben Campbell <ben@nostrum.com>
To: The IESG <iesg@ietf.org>
Message-ID: <148721559179.31568.17364533591826818865.idtracker@ietfa.amsl.com>
Date: Wed, 15 Feb 2017 19:26:31 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/g1-51I23KNKRnFtZ_jzbzvAQcm8>
Cc: oauth@ietf.org, oauth-chairs@ietf.org, draft-ietf-oauth-jwsreq@ietf.org
Subject: [OAUTH-WG] Ben Campbell's Yes on draft-ietf-oauth-jwsreq-12: (with COMMENT)

Ben Campbell has entered the following ballot position for
draft-ietf-oauth-jwsreq-12: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


- 4, "Since it is a JWT, JSON strings MUST be represented in UTF-8.": Is
that a new requirement, or a statement of fact about an existing JWT
requirement?

- 5.2: I'm not sure all readers will understand the meaning of "feature
phone".  Also, WAP and 2G don't seem all that relevant in 2017.

- 5.2.1, first sentence, "The URL MUST be HTTPS URL.": Is that redundant
to the similar requirement in the previous section? That instance had an
"unless" clause, but this one does

-- 2nd paragraph: "... MUST have appropriate entropy for its lifetime."
Can you offer discussion (or a reference) for what constitutes
"appropriate entropy"?

-- 3rd paragraph: Is it reasonable that one would know if TLS would offer
adequate authentication at the time of the signing decision?

- 5.2.3, 2nd paragraph: "SHOULD use a unique URI": Why not MUST? Would it
ever be reasonable to not do this?

- 6.1, 2nd paragraph: What if validation fails?

- 13: Do you want this in the final RFC? If not, it would be wise to add
a note to the RFC editor to that effect.
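
The controls the comments on 5.2.1, 5.2.3 and 6.1 touch on (an HTTPS-only request URI, one fresh reference per authorization request, and a defined behaviour when validation fails), as an added illustration that is not code from the draft or from this review. It assumes an HS256 shared secret between client and authorization server, an in-memory dict standing in for the client's HTTPS endpoint, and the OpenID Connect Core error names invalid_request_uri and invalid_request_object.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlsplit

class RequestError(Exception):
    """OAuth error returned to the client: args are (error code, detail); codes from OIDC Core 3.1.2.6."""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def publish_request_object(claims: dict, key: bytes, store: dict, base: str = "https://client.example/ro") -> str:
    """Client side: sign the parameters as an HS256 JWS (UTF-8 JSON, as JWT requires) and host it
    under a fresh HTTPS reference carrying 256 random bits: one unguessable request_uri per request."""
    head = b64url(json.dumps({"alg": "HS256"}).encode("utf-8"))
    body = b64url(json.dumps(claims).encode("utf-8"))
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    uri = f"{base}/{secrets.token_urlsafe(32)}"
    store[uri] = f"{head}.{body}.{b64url(sig)}"   # the dict stands in for the client's HTTPS endpoint
    return uri

class AuthorizationServer:
    def __init__(self, key: bytes, fetch):
        self.key = key          # HS256 shared secret; an assumption made to keep the example stand-alone
        self.fetch = fetch      # callable request_uri -> body, standing in for the HTTPS GET
        self.consumed = set()   # references already presented: each request_uri is accepted once

    def resolve(self, request_uri: str) -> dict:
        parts = urlsplit(request_uri)
        if parts.scheme != "https" or not parts.netloc:
            raise RequestError("invalid_request_uri", "request_uri must be an HTTPS URL")
        if request_uri in self.consumed:
            raise RequestError("invalid_request_uri", "request_uri already used")
        self.consumed.add(request_uri)   # burn the reference before fetching so a replay cannot race the fetch
        try:
            head, body, sig = self.fetch(request_uri).split(".")
        except Exception as exc:
            raise RequestError("invalid_request_uri", f"fetch or parse failed: {exc}") from exc
        expected = hmac.new(self.key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise RequestError("invalid_request_object", "signature does not verify")
        return json.loads(b64url_decode(body).decode("utf-8"))

def error_code(server: AuthorizationServer, request_uri: str):   # OAuth error produced, or None if accepted
    try:
        server.resolve(request_uri)
        return None
    except RequestError as err:
        return err.args[0]
```

The client-side `store` and the server-side `fetch` callable are the constructed stand-ins for the HTTPS round trip; everything else runs as an authorization server would.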