IETF Logo Mail Archive

[OAUTH-WG] Review comments to PoP document

"Kepeng Li" <kepeng.lkp@alibaba-inc.com> Wed, 07 October 2015 14:30 UTC

Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 577C21A92E1 for <oauth@ietfa.amsl.com>; Wed, 7 Oct 2015 07:30:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2mk1e_K_ewWj for <oauth@ietfa.amsl.com>; Wed, 7 Oct 2015 07:30:07 -0700 (PDT)
Received: from out4133-82.mail.aliyun.com (out4133-82.mail.aliyun.com [42.120.133.82]) by ietfa.amsl.com (Postfix) with ESMTP id 050A91A9142 for <oauth@ietf.org>; Wed, 7 Oct 2015 07:30:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1444228203; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=4cHcmHejYwgfm0L8frkFfSPQswOoYiIcGHeB6ljfTOw=; b=llhYiZMto6/MqQEqiqfIdZaroMXdyLNzBtNUPidHMNVq0+edagjvpYwOu910A3mqR9KNWEf3e1geudO4TkjI2CjEUIGJYn05bFe8EjavwdPpE05PXGPGECWB5pc7t5pEB5bqgurBzXbNjD3u8jWB7w9vmqQRTGL0PPHTd9V8g/M=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R121e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03289; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=1; SR=0;
Received: from 10.22.32.178(mailfrom:kepeng.lkp@alibaba-inc.com ip:42.120.73.207) by smtp.aliyun-inc.com(127.0.0.1); Wed, 07 Oct 2015 22:29:57 +0800
User-Agent: Microsoft-MacOutlook/14.4.8.150116
Date: Wed, 07 Oct 2015 22:29:54 +0800
From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
To: oauth@ietf.org
Message-ID: <D23B4D62.1E3CA%kepeng.lkp@alibaba-inc.com>
Thread-Topic: Review comments to PoP document
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3527101798_1352027"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/zY-pxkPaelBQOWpaUYShYeDxsR0>
Subject: [OAUTH-WG] Review comments to PoP document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2015 14:30:10 -0000

Hello all,

Please find my review comments to PoP document:
http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-04
 
1、        Title:

Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
[Kepeng] Should we add OAuth 2.0 in the title? Also, in the whole document,
we use JWT, but in the title, we use “JWTs”. Is there a reason for this?
 
2、        Abstract:

1) This specification defines how to express a declaration in a JSON Web
Token (JWT) that the presenter of the JWT possesses a particular key and
that the recipient can cryptographically confirm proof-of-possession of the
key by the presenter.
[Kepeng] Add reference to JWT.
 
2) This property is also sometimes described as the presenter being a
holder-of-key.
[Kepeng] I am not sure what is “this property”. Do you mean “the key”? If
yes, just use the key. And change the sentence to something like: This key
is also sometimes described as a holder-of-key by the presenter.
 
3. Introduction
1) The first paragraph is the same as the abstract. I suggest to reword it a
little bit or remove it, to avoid the redundancy.
 
2) See [I-D.ietf-oauth-pop-architecture] for a further discussion of key
confirmation.
[Kepeng] I suggest to mention a little bit more about the relationship
between PoP architecture document and this document. In my understanding, in
PoP architecture document, it mentions several mechanisms: confidentiality
protection, key confirmation and sender constraint. This document introduces
the key semantics for the key confirmation mechanism.
 
3) About the two use cases, it will be useful to use two diagrams or flows
to indicate how it works. Maybe put these two flows in a separate section.
Also it will be useful to mention which step is in scope, and which is out
of scope, e.g. how to convey symmetric key from the issuer to the presenter.
 
4. Section 3:
1) It will be useful to put a reference to "sub" (subject) claim, and "iss"
(issuer) claim.
 
2) Note that if an application needs to represent multiple proof-of-
  possession keys in the same JWT, one way for it to achieve this is to
   use other claim names, in addition to "cnf", to hold the additional
  proof-of-possession key information.
[Kepeng] It is not clear, what are the other claim names?


Kind Regards
Kepeng

v2.23.0 | Report a Bug | By Email