IETF Logo Mail Archive

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Mon, 06 October 2014 07:54 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFF711A1B46; Mon, 6 Oct 2014 00:54:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ODLbiVWFiq8; Mon, 6 Oct 2014 00:54:23 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0102.outbound.protection.outlook.com [207.46.100.102]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FC3C1A1B45; Mon, 6 Oct 2014 00:54:23 -0700 (PDT)
Received: from BN3PR0301CA0083.namprd03.prod.outlook.com (25.160.152.179) by BN3PR0301MB1202.namprd03.prod.outlook.com (25.161.207.155) with Microsoft SMTP Server (TLS) id 15.0.1044.10; Mon, 6 Oct 2014 07:54:22 +0000
Received: from BY2FFO11FD007.protection.gbl (2a01:111:f400:7c0c::129) by BN3PR0301CA0083.outlook.office365.com (2a01:111:e400:401e::51) with Microsoft SMTP Server (TLS) id 15.0.1044.10 via Frontend Transport; Mon, 6 Oct 2014 07:54:21 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD007.mail.protection.outlook.com (10.1.14.128) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Mon, 6 Oct 2014 07:54:20 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.03.0210.003; Mon, 6 Oct 2014 07:54:14 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
Thread-Index: AQHP3jjwXNtLGJwBq0euviBV//YhCJwiQ55Q
Date: Mon, 06 Oct 2014 07:54:14 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BAF0C2A@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20141002120308.9386.79961.idtracker@ietfa.amsl.com>
In-Reply-To: <20141002120308.9386.79961.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(189002)(51704005)(52044002)(377454003)(43784003)(13464003)(199003)(77096002)(81156004)(76482002)(47776003)(87936001)(23676002)(66066001)(31966008)(21056001)(50466002)(97736003)(95666004)(86612001)(4396001)(85306004)(106116001)(106466001)(80022003)(85852003)(44976005)(85806002)(68736004)(19580395003)(107046002)(92726001)(84676001)(69596002)(6806004)(10300001)(76176999)(230783001)(19580405001)(2656002)(20776003)(33656002)(99396003)(55846006)(86362001)(92566001)(120916001)(64706001)(15202345003)(50986999)(15975445006)(46102003)(54356999)(104016003)(26826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1202; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1202;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03569407CC
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/vQ7L_euUe33tKBJEBDRyc7DWqzo
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "draft-ietf-oauth-json-web-token@tools.ietf.org" <draft-ietf-oauth-json-web-token@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Oct 2014 07:54:26 -0000

Thanks for your review, Stephen.  I've added the working group to the thread so they're aware of your comments.

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Thursday, October 02, 2014 5:03 AM
> To: The IESG
> Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-json-web-
> token@tools.ietf.org
> Subject: Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with
> DISCUSS and COMMENT)
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-oauth-json-web-token-27: Discuss
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> 
> (1) 4.1.1 and elsewhere you say case-sensitive: the same thing I raised wrt DNS
> names for another JOSE spec - do you need to say those SHOULD be
> [upper|lower]cased when used in these?

I believe that somewhere we should say that if case-insensitive values, such as DNS names, are used when constructing "kid" values, that the application doing so needs to define a convention on the canonical case to use for the case-insensitive portions, such as lowercasing them.

> (2) Section 8: Why is "none" MTI? That seems both broken and going in the
> oppostite direction from other WGs and so should be explicitly jusified I think. (If
> a good enough justification exists that is.)

It is MTI because there are several existing applications of JWTs in which both unsigned and signed representations of the JWTs are requirements.  These include draft-ietf-oauth-token-exchange, draft-hunt-oauth-v2-user-a4c, and OpenID Connect.  This is a pretty common pattern where you sign something if the recipient cares who made the statements and where you don't have to sign it either if the recipient doesn't care who made the statements or if it can tell from another secured aspect of the application protocol (typically through the use of TLS) who made the statements.  In the TLS case, the server authentication step makes a signature step unnecessary, so an Unsecured JWT is fine there.

> (3) Section 12: another way to handle privacy is to not include sensitive data - I
> think you ought mention that as a bit of thought along those lines can be much
> simpler than putting in place the key management to handle thoughtlessly
> included PII.

We can include a discussion of that point, but sometimes the very point of a JWT is to securely deliver PII from a verifiable party to an intended party with appropriate rights to receive it.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> - abstract: 2nd sentence isn't needed here, in intro would be fine.

I don't know - I think it's a big deal that the claims can be digitally signed or MACed and/or encrypted.  That's the reason we have JWTs, rather than just JSON.

> - 4.1.7: maybe worth adding that jti+iss being unique enough is not sufficient and
> jti alone has to meet that need. In
> X.509 the issuer/serial has the equivalent property so someone might assume
> sequential jti values starting at 0 are ok.

Makes sense to add a warning of some kind along these lines.  I think I know the reasons you say that, but can you expand on that thought a bit before I take a stab on writing this up?  For instance, while normally true, I don't think your observation is true if a relying party will only accept tokens from a single issuer.

> - section 6: yuk
> 
> - again I think the secdir comments are being handled by Kathleen and the
> authors.

Again, this is there because multiple applications asked for the ability to represent content that is optionally signed, sometimes securing it another way, such as with TLS.  JWTs are used specific application protocol contexts - not in isolation.

				Thanks again,
				-- Mike

v2.23.0 | Report a Bug | By Email