Re: [OAUTH-WG] Review comments to PoP document
"Kepeng Li" <kepeng.lkp@alibaba-inc.com> Fri, 09 October 2015 01:04 UTC
Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E78161B2ECC for <oauth@ietfa.amsl.com>; Thu, 8 Oct 2015 18:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y7LIm8zzhU1d for <oauth@ietfa.amsl.com>; Thu, 8 Oct 2015 18:04:11 -0700 (PDT)
Received: from out4133-66.mail.aliyun.com (out4133-66.mail.aliyun.com [42.120.133.66]) by ietfa.amsl.com (Postfix) with ESMTP id 20EE21B2ACD for <oauth@ietf.org>; Thu, 8 Oct 2015 18:04:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1444352650; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=JSHSiasXT4TEZvjzL5YhV1Hi3hJWFAt6IQisY4qdaIQ=; b=bgn3KY7LmUQGaUeP33AXMynNkIUdXAMWOtFWrfSb2RDzGWmhYIzV7e2QQIkLzANcdlVje6sb77wo9u3YN6oL7RHj+D6CrUZ4nMmqXJQLjxZoA8KTIHNqmZsLAV+E3y+Xh3IMLmwvfRkVOEe/7dQy0nId4gFLgFBSyJm+FOO5WHc=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R201e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03284; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=2; SR=0;
Received: from 10.1.153.174(mailfrom:kepeng.lkp@alibaba-inc.com ip:42.120.74.161) by smtp.aliyun-inc.com(127.0.0.1); Fri, 09 Oct 2015 09:04:05 +0800
User-Agent: Microsoft-MacOutlook/14.4.8.150116
Date: Fri, 09 Oct 2015 09:04:00 +0800
From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <D23D317B.1E816%kepeng.lkp@alibaba-inc.com>
Thread-Topic: Review comments to PoP document
References: <D23B4D62.1E3CA%kepeng.lkp@alibaba-inc.com> <BY2PR03MB442210DD6E914261F978382F5350@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB442210DD6E914261F978382F5350@BY2PR03MB442.namprd03.prod.outlook.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3527226246_3853144"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lJQkq19cpQ4McLkxhUTQIPlzxXY>
Subject: Re: [OAUTH-WG] Review comments to PoP document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2015 01:04:17 -0000
Hi Mike, Thanks for your responses. About the first paragraph in the introduction, I would prefer to make it different from the same one in the abstract. I am fine with others. Kind Regards Kepeng 发件人: Mike Jones <Michael.Jones@microsoft.com> 日期: Friday, 9 October, 2015 1:58 am 至: Li Kepeng <kepeng.lkp@alibaba-inc.com>, "oauth@ietf.org" <oauth@ietf.org> 主题: RE: Review comments to PoP document Thanks for the useful review, Kepeng. Responses inline… From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Kepeng Li Sent: Wednesday, October 07, 2015 7:30 AM To: oauth@ietf.org Subject: [OAUTH-WG] Review comments to PoP document Hello all, Please find my review comments to PoP document: http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-04 <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2ftools.ietf. org%2fhtml%2fdraft-ietf-oauth-proof-of-possession-04&data=01%7c01%7cMichael. Jones%40microsoft.com%7c39fc367bfc044fe9243c08d2cf23d95b%7c72f988bf86f141af9 1ab2d7cd011db47%7c1&sdata=XNX89l21GzCoKDzkQufdN1vF9VsGqOpNpWp9M6yyqAQ%3d> 1、 Title: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) [Kepeng] Should we add OAuth 2.0 in the title? Also, in the whole document, we use JWT, but in the title, we use “JWTs”. Is there a reason for this? I wouldn’t suggest adding “OAuth 2.0” to the title, in part, because JWTs are used in contexts outside of OAuth. As for why JWTs is plural here, the title is saying that PoP keys can be communicated in JSON Web Tokens. If it were singular, it would sound like you could only use PoP keys in a single JWT, which isn’t right. 2、 Abstract: 1) This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. [Kepeng] Add reference to JWT. I’ve been told when editing other drafts to remove references that I’d placed in abstracts, since IETF abstracts don’t include references. 2) This property is also sometimes described as the presenter being a holder-of-key. [Kepeng] I am not sure what is “this property”. Do you mean “the key”? If yes, just use the key. And change the sentence to something like: This key is also sometimes described as a holder-of-key by the presenter. I can change “This property” to “Being able to prove possession of a key”. 3. Introduction 1) The first paragraph is the same as the abstract. I suggest to reword it a little bit or remove it, to avoid the redundancy. The rest of the introduction builds on the ideas introduced in the first two sentences (the content of the abstract). If they were to be removed, it would make the introduction confusing, as many people won’t start by reading the abstract, but will read the introduction independently. (The introduction does add references, which cannot be present in the abstract.) I’ll work with the other editors to see if they want to reword the first two sentences of the introduction and/or abstract to make them different from one another. 2) See [I-D.ietf-oauth-pop-architecture] for a further discussion of key confirmation. [Kepeng] I suggest to mention a little bit more about the relationship between PoP architecture document and this document. In my understanding, in PoP architecture document, it mentions several mechanisms: confidentiality protection, key confirmation and sender constraint. This document introduces the key semantics for the key confirmation mechanism. OK – we can say that [I-D.ietf-oauth-pop-architecture] describes key confirmation, among other conformation mechanisms, and that this specification defines how to communicate key confirmation key information in JWTs. 3) About the two use cases, it will be useful to use two diagrams or flows to indicate how it works. Maybe put these two flows in a separate section. Also it will be useful to mention which step is in scope, and which is out of scope, e.g. how to convey symmetric key from the issuer to the presenter. Both are in scope, which is why they’re both described in the introduction. I’ll work with the other editors on trying to create appropriate diagrams. 4. Section 3: 1) It will be useful to put a reference to "sub" (subject) claim, and "iss" (issuer) claim. OK 2) Note that if an application needs to represent multiple proof-of- possession keys in the same JWT, one way for it to achieve this is to use other claim names, in addition to "cnf", to hold the additional proof-of-possession key information. [Kepeng] It is not clear, what are the other claim names? Fair point. We can say that those claim names would be defined by applications and could be registered in the JWT Claims Registry. Kind Regards Kepeng Thanks again! -- Mike
- [OAUTH-WG] Review comments to PoP document Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP document Mike Jones
- Re: [OAUTH-WG] Review comments to PoP document Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP document Mike Jones
- Re: [OAUTH-WG] Review comments to PoP document Mike Jones