Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
Mike Jones <Michael.Jones@microsoft.com> Tue, 14 October 2014 12:48 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91E011A87C1; Tue, 14 Oct 2014 05:48:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsFuusQIOCoG; Tue, 14 Oct 2014 05:48:26 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0794.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:794]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E0911A87A0; Tue, 14 Oct 2014 05:48:26 -0700 (PDT)
Received: from DM2PR03CA0008.namprd03.prod.outlook.com (10.141.96.18) by DM2PR0301MB1216.namprd03.prod.outlook.com (25.160.219.17) with Microsoft SMTP Server (TLS) id 15.0.1049.19; Tue, 14 Oct 2014 12:48:03 +0000
Received: from BL2FFO11FD045.protection.gbl (2a01:111:f400:7c09::153) by DM2PR03CA0008.outlook.office365.com (2a01:111:e400:2428::18) with Microsoft SMTP Server (TLS) id 15.0.1054.13 via Frontend Transport; Tue, 14 Oct 2014 12:48:03 +0000
Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD045.mail.protection.outlook.com (10.173.161.207) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Tue, 14 Oct 2014 12:48:03 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0210.003; Tue, 14 Oct 2014 12:47:26 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Barry Leiba <barryleiba@computer.org>, The IESG <iesg@ietf.org>
Thread-Topic: Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
Thread-Index: Ac/nrPscpwn+lU95TEyXOragiNkBcg==
Date: Tue, 14 Oct 2014 12:47:25 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB0D351@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(13464003)(189002)(52044002)(50854003)(43784003)(199003)(51704005)(51914003)(377454003)(31966008)(85306004)(54356999)(50986999)(230783001)(46102003)(87936001)(85806002)(2656002)(120916001)(80022003)(104016003)(20776003)(64706001)(66066001)(47776003)(15202345003)(4396001)(97736003)(99396003)(107046002)(95666004)(92566001)(6806004)(106466001)(84676001)(81156004)(92726001)(15975445006)(44976005)(19580395003)(19580405001)(21056001)(86362001)(50466002)(86612001)(55846006)(76482002)(77096002)(85852003)(69596002)(68736004)(33656002)(23676002)(26826002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB1216; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB1216;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03648EFF89
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/mRDuvY7Kf6TmatYkWTJdOvL21us
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 12:48:33 -0000
The proposed resolutions have been applied to the -28 draft. Hopefully this will enable to clear your DISCUSSes. Thanks again for the careful read! -- Mike > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones > Sent: Saturday, October 04, 2014 5:17 PM > To: Barry Leiba; The IESG > Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web- > token@tools.ietf.org; oauth@ietf.org > Subject: Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-json-web- > token-27: (with DISCUSS and COMMENT) > > Thanks for your review, Barry. I'm adding the working group so they’re aware > of these comments. At Stephen Farrell's request, I'm responding with "> " line > prefixes on previous thread content. I'm also repeating (and in the first case, > augmenting) my previous responses to the DISCUSS comments in this > consolidated message. > > > -----Original Message----- > > From: Barry Leiba [mailto:barryleiba@computer.org] > > Sent: Wednesday, October 01, 2014 8:54 AM > > To: The IESG > > Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web- > > token@tools.ietf.org > > Subject: Barry Leiba's Discuss on draft-ietf-oauth-json-web-token-27: > > (with DISCUSS and COMMENT) > > > > Barry Leiba has entered the following ballot position for > > draft-ietf-oauth-json-web-token-27: Discuss > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut > > this introductory paragraph, however.) > > > > > > Please refer to > > http://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > I have two points that I'd like to get resolved before happily > > approving this fine > > document: > > > > -- Section 7.1 -- > > > > The comparison you specify is as specified in RFC 7159, Section 8.3, > > which is to "transform the textual representation into sequences of > > Unicode code units and then perform the comparison numerically, code > > unit by code unit". This has no regard for text case, and so it's a case-sensitive > comparison. > > > > And, yet, Sections 5.1 and 5.2 specify that the values of typ and cty > > are case- insensitive, and specify using upper case as a SHOULD, for > > "compatibility with legacy implementations". > > > > It doesn't seem that "legacy" has anything to do with this: someone > > conforming to *this* specification will compare the values of typ and > > cty Unicode-character by Unicode-character, and will fail to match "JWT" with > "jwt". > > > > Is there not a problem here? > > We can update the text to clarify that MIME type comparisons are an exception > to the “code unit by code unit” comparison rule. The drafts will also be > scrutinized for other possible occurrences of exceptions to the default string > comparison instructions. Finally, we can add language to 7.1 about "unless > otherwise noted for a particular kind of string" so that it's clear that there are > exceptions to the rule. > > > -- Section 10.3.1 -- > > > > Nice that you cite 2046 for media types, but the *registration* of > > media types is documented in RFC 6838, and this document doesn't quite > > conform to that. The only thing missing in the doc is "Fragment > > identifier considerations" in the registration template, but 6838 also > > strongly suggests review of the media-type registration on the > > media-types mailing list. Given that this will not get expert review > > (because it's an IETF-stream RFC), I'd like to ask for an explicit > > review on the media-types list to make sure that the registration information is > complete and makes sense. > > Thanks for the 6833 reference. We’ll use that. I know that Kathleen already > initiated the review on the media-types list. > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > -- Abstract -- > > > > The suggested pronunciation of JWT is the same as the English word > > "jot". > > > > I have no objection (well, I do, but it's not for me to say how you > > want to pronounce it) to having this sentence in the Introduction, but > > it seems out of place in the Abstract, which is meant to be concise. > > OK - We can remove it from the Abstract. > > > -- Section 4.1 -- > > > > It appears that all claims defined here are OPTIONAL, and each one > > says so in its subsection. Given that they *all* are, it might be > > useful to say that up front, maybe with a sentence that says, "All > > claims defined in this section are OPTIONAL to use." (I don't feel > > strongly about this; it's just a suggestion, so do with it as you see best.) See > also my comment on 10.1.1, below. > > Editorially, we decided to describe the optionality of each claim in the claim > definition so that when used as a reference without reading the whole thing, the > optionality will still be obvious to the reader. > > > -- Section 4.1.2 -- > > > > The subject value MAY be scoped to be locally > > unique in the context of the issuer or MAY be globally unique. > > > > Or it MAY be anything else, including not unique at all. Is that what you mean? > > Or are these meant to be two options, one of which has to be true? If > > so, you need to re-do this, perhaps like this: > > > > NEW > > The subject value MUST either be globally unique, or be scoped > > to be locally unique in the context of the issuer. > > END > > Your new language matches the intent. I'll plan to revise accordingly. > > > -- Section 10.1.1 -- > > > > Given that the descriptions of the claims include a statement that > > their use is OPTIONAL, should there not be an entry in the table that > > says whether the claim is OPTIONAL or REQUIRED ? Or is it the intent > > that > > *all* of them always be OPTIONAL ? Or is it sufficient to have that > > indication in the reference documentation ? > > What claims are required by applications will be specified by applications. For > instance, some applications using JWTs require that the issuer, subject, and > audience be present. Therefore, I don't think that adding a table entry would > help a great deal, and it could even confuse some developers. > > -- Mike > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth