Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
Mike Jones <Michael.Jones@microsoft.com> Sun, 05 October 2014 00:17 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 199A41A0332; Sat, 4 Oct 2014 17:17:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Mw12NEr-Rc9; Sat, 4 Oct 2014 17:17:55 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0723.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::723]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 966EC1A031A; Sat, 4 Oct 2014 17:17:55 -0700 (PDT)
Received: from CO2PR03CA0033.namprd03.prod.outlook.com (10.141.194.160) by BN3PR0301MB1203.namprd03.prod.outlook.com (25.161.207.156) with Microsoft SMTP Server (TLS) id 15.0.1044.10; Sun, 5 Oct 2014 00:17:29 +0000
Received: from BL2FFO11FD029.protection.gbl (2a01:111:f400:7c09::165) by CO2PR03CA0033.outlook.office365.com (2a01:111:e400:1414::32) with Microsoft SMTP Server (TLS) id 15.0.1044.10 via Frontend Transport; Sun, 5 Oct 2014 00:17:28 +0000
Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD029.mail.protection.outlook.com (10.173.160.69) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Sun, 5 Oct 2014 00:17:27 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0210.003; Sun, 5 Oct 2014 00:17:02 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Barry Leiba <barryleiba@computer.org>, The IESG <iesg@ietf.org>
Thread-Topic: Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
Thread-Index: AQHP3Y/7ZwPSkFMFnEGZknpDTwtaYJwgpBqA
Date: Sun, 05 Oct 2014 00:17:01 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BAE9ADF@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20141001155414.3543.53089.idtracker@ietfa.amsl.com>
In-Reply-To: <20141001155414.3543.53089.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.35]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(979002)(6009001)(438002)(377454003)(51704005)(199003)(189002)(50854003)(13464003)(51914003)(52044002)(77096002)(85306004)(19580395003)(15975445006)(31966008)(85852003)(87936001)(33656002)(104016003)(86612001)(26826002)(15202345003)(230783001)(50986999)(76176999)(6806004)(54356999)(84676001)(92726001)(92566001)(2656002)(85806002)(19580405001)(44976005)(86362001)(69596002)(55846006)(97736003)(68736004)(23676002)(106466001)(81156004)(66066001)(107046002)(64706001)(21056001)(50466002)(4396001)(95666004)(47776003)(20776003)(99396003)(46102003)(106116001)(76482002)(80022003)(120916001)(10300001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1203; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1203;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0355F3A3AE
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/gk_sdUL82N1ku94ZE9JPuZoKxT8
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Oct 2014 00:17:59 -0000
Thanks for your review, Barry. I'm adding the working group so they’re aware of these comments. At Stephen Farrell's request, I'm responding with "> " line prefixes on previous thread content. I'm also repeating (and in the first case, augmenting) my previous responses to the DISCUSS comments in this consolidated message. > -----Original Message----- > From: Barry Leiba [mailto:barryleiba@computer.org] > Sent: Wednesday, October 01, 2014 8:54 AM > To: The IESG > Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web- > token@tools.ietf.org > Subject: Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with > DISCUSS and COMMENT) > > Barry Leiba has entered the following ballot position for > draft-ietf-oauth-json-web-token-27: Discuss > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I have two points that I'd like to get resolved before happily approving this fine > document: > > -- Section 7.1 -- > > The comparison you specify is as specified in RFC 7159, Section 8.3, which is to > "transform the textual representation into sequences of Unicode code units and > then perform the comparison numerically, code unit by code unit". This has no > regard for text case, and so it's a case-sensitive comparison. > > And, yet, Sections 5.1 and 5.2 specify that the values of typ and cty are case- > insensitive, and specify using upper case as a SHOULD, for "compatibility with > legacy implementations". > > It doesn't seem that "legacy" has anything to do with this: someone conforming > to *this* specification will compare the values of typ and cty Unicode-character > by Unicode-character, and will fail to match "JWT" with "jwt". > > Is there not a problem here? We can update the text to clarify that MIME type comparisons are an exception to the “code unit by code unit” comparison rule. The drafts will also be scrutinized for other possible occurrences of exceptions to the default string comparison instructions. Finally, we can add language to 7.1 about "unless otherwise noted for a particular kind of string" so that it's clear that there are exceptions to the rule. > -- Section 10.3.1 -- > > Nice that you cite 2046 for media types, but the *registration* of media types is > documented in RFC 6838, and this document doesn't quite conform to that. The > only thing missing in the doc is "Fragment identifier considerations" in the > registration template, but 6838 also strongly suggests review of the media-type > registration on the media-types mailing list. Given that this will not get expert > review (because it's an IETF-stream RFC), I'd like to ask for an explicit review on > the media-types list to make sure that the registration information is complete > and makes sense. Thanks for the 6833 reference. We’ll use that. I know that Kathleen already initiated the review on the media-types list. > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > -- Abstract -- > > The suggested pronunciation of JWT is the same as the English word > "jot". > > I have no objection (well, I do, but it's not for me to say how you want to > pronounce it) to having this sentence in the Introduction, but it seems out of > place in the Abstract, which is meant to be concise. OK - We can remove it from the Abstract. > -- Section 4.1 -- > > It appears that all claims defined here are OPTIONAL, and each one says so in its > subsection. Given that they *all* are, it might be useful to say that up front, > maybe with a sentence that says, "All claims defined in this section are > OPTIONAL to use." (I don't feel strongly about this; it's just a suggestion, so do > with it as you see best.) See also my comment on 10.1.1, below. Editorially, we decided to describe the optionality of each claim in the claim definition so that when used as a reference without reading the whole thing, the optionality will still be obvious to the reader. > -- Section 4.1.2 -- > > The subject value MAY be scoped to be locally > unique in the context of the issuer or MAY be globally unique. > > Or it MAY be anything else, including not unique at all. Is that what you mean? > Or are these meant to be two options, one of which has to be true? If so, you > need to re-do this, perhaps like this: > > NEW > The subject value MUST either be globally unique, or be scoped > to be locally unique in the context of the issuer. > END Your new language matches the intent. I'll plan to revise accordingly. > -- Section 10.1.1 -- > > Given that the descriptions of the claims include a statement that their use is > OPTIONAL, should there not be an entry in the table that says whether the claim > is OPTIONAL or REQUIRED ? Or is it the intent that > *all* of them always be OPTIONAL ? Or is it sufficient to have that indication in > the reference documentation ? What claims are required by applications will be specified by applications. For instance, some applications using JWTs require that the issuer, subject, and audience be present. Therefore, I don't think that adding a table entry would help a great deal, and it could even confuse some developers. -- Mike