Re: [OAUTH-WG] WGLC for draft-ietf-oauth-jwsreq-06

Mike Jones <Michael.Jones@microsoft.com> Thu, 05 November 2015 12:48 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/gH5HPPoGNT3vLO7698473LnmRTs>

My slightly late WGLC review follows...

SUBSTANTIVE ISSUES:

Section 3, paragraph 8:  Change "extension variables such as "nonce", "userinfo", and "id_token"" to "extension parameters such as "nonce", "max_age", and "claims"".  ("userinfo" and "id_token" are values within the "claims" extension parameter.)

Section 4.2, bullet 2:  Change "The maximum URL length supported by Internet Explorer is 2083 ASCII characters" to "The maximum URL length supported by older versions of Internet Explorer was 2083 ASCII characters".  (This has since been fixed.  I know - because I filed the bug that resulted in the fix! :-) )

Section 4.2.1, paragraph 2:  Change "requested values for Claims" to "private information".

Section 5.1:  Change "The result MAY be either a signed or unsigned (plaintext) Request Object" to "The result MAY be either a JWT Claims Set representing the request parameters or if the JWE is a nested JWT, a signed JWT containing the request parameters".

Section 6, paragraph 2:  Change "this document defines additional error values as follows" to "this document uses these additional error values".

Section 7:  Change the IANA Considerations text to "This specification requests no actions by IANA."

Section 8, second paragraph:  Delete the security considerations paragraph about not using "alg":"none".  Using an Unsecured JWS is no worse than sending the parameters the usual way.

NITS:

Section 1, bullet 3: In "The authorization server then examines the signature and show the conformance status to the end-user, who would have some assurance as to the legitimacy of the request when authorizing it", change "show" to "shows".

Section 1, second bullet 3:  This is currently a run-on sentence, and needs to be split into two sentences: "The request_uri may include a SHA-256 hash of the file, as defined in FIPS180-2 [FIPS180-2], the server knows if the file has changed without fetching it, so it does not have to re-fetch a same file, which is a win as well."

Section 1, second bullet 4:  This sentence is missing a verb: " When the client wants to simplify the implementation without compromising the security."

Section 1, second bullet 4:  Change "they may be tampered in the browser" to "they may be tampered with in the browser".

Section 1, second bullet 4:  Change "This implies we need to have signature on the request as well" to "This implies we need to have a signature on the request as well".

Section 1, second bullet 4:  Change "tampered" to "tampered with".

Section 3, paragraph 1:  Change "JWT [RFC7519] Claims Set" to "JWT Claims Set [RFC7519]".

Section 3, paragraph 4:  Change "REQUIRED OAuth 2.0 Authorization Request parameters that are not included in the Request Object MUST be sent as a query parameter" to "REQUIRED OAuth 2.0 Authorization Request parameters that are not included in the Request Object MUST be sent as query parameters".

Section 3, paragraph 4:  Change "If a required parameter is not present in neither the query parameter nor the Request Object, it forms a malformed request" to "If a required parameter is not present in either as a query parameter or in the Request Object, the request is malformed".

Section 3, paragraph 6: Change "the values in the Request Object takes precedence" to "the values in the Request Object take precedence".

Section 3, paragraph 6: Change "it cannot include such parameters like "state" that is expected to differ in every request" to "it cannot include parameters such as "state" that are expected to differ in every request".

Section 4, paragraph 6:  Delete "(line breaks are for display purposes only)" since there are no extra line breaks in the example.

			Thanks for doing this, guys...
				-- Mike
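The Section 3 rules that several of the comments above quote (Request Object values take precedence over query parameters, required parameters may come from either place, and a request lacking one is malformed) as an added worked example; this is not code from the review or from the jwsreq draft. It assumes `response_type` and `client_id` as the REQUIRED parameters, uses HS256 only as a stand-in for whatever signature algorithm a deployment actually uses, and handles the `"alg":"none"` (unsecured, plaintext) Request Object the draft mentions, reporting to the caller whether the claims were signed.

```python
import base64
import hashlib
import hmac
import json

REQUIRED_PARAMS = ("response_type", "client_id")  # assumption: OAuth 2.0 required params

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256(head_b64, payload_b64, key):
    return hmac.new(key, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()

def make_request_object(claims, hmac_key=None):
    """Constructed helper: compact JWS with 'alg':'none' (unsecured) or HS256."""
    head = b64url_encode(json.dumps({"alg": "HS256" if hmac_key else "none"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = b64url_encode(hs256(head, payload, hmac_key)) if hmac_key else ""
    return f"{head}.{payload}.{sig}"

def parse_request_object(compact, hmac_key=None):
    """Return (claims, signed); HS256 is verified before the claims are trusted."""
    head, payload, sig = compact.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg == "none":  # unsecured (plaintext) Request Object
        if sig:
            raise ValueError("unsecured JWS must carry an empty signature")
        signed = False
    elif alg == "HS256":
        if hmac_key is None:
            raise ValueError("no key to verify an HS256 Request Object")
        if not hmac.compare_digest(hs256(head, payload, hmac_key), b64url_decode(sig)):
            raise ValueError("Request Object signature invalid")
        signed = True
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    return json.loads(b64url_decode(payload)), signed

def merge_authorization_request(query, compact, hmac_key=None):
    """Section 3 rules: Request Object wins on conflicts; REQUIRED params may come from either."""
    claims, signed = parse_request_object(compact, hmac_key)
    merged = dict(query)
    merged.update(claims)  # the Request Object takes precedence, e.g. for "scope"
    missing = [p for p in REQUIRED_PARAMS if p not in merged]
    if missing:
        raise ValueError("malformed request: missing " + ", ".join(missing))
    return merged, signed
```

Per-request values such as "state" stay in the query string, exactly as the Section 3 comment says, while the Request Object carries the stable, possibly signed part of the request.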

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Tuesday, October 20, 2015 6:03 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] WGLC for draft-ietf-oauth-jwsreq-06

Hi all,

we would like to start a WGLC on draft-ietf-oauth-jwsreq-06:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-06

This will be a 2-week last call, so it will end on November 3rd.

The WGLC timing is good since our OAuth meeting in Yokohama is on the Thursday, November 5th and you might want to prepare for the WG session anyway.

Please send comments to the list.

Ciao
Hannes