Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 064B11B34B8; Thu, 11 Jun 2015 17:00:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JspVYVCzYINV; Thu, 11 Jun 2015 17:00:01 -0700 (PDT) Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.177]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86E271B34BB; Thu, 11 Jun 2015 17:00:00 -0700 (PDT) Received: from hebrews (unknown [50.109.226.2]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id 4AE7438EF3; Thu, 11 Jun 2015 16:59:59 -0700 (PDT) From: "Jim Schaad" To: "'Mike Jones'" , "'Adam W. Montville'" , "'The IESG'" , , References: <003d01d0a496$f2ee7d70$d8cb7850$@augustcellars.com> In-Reply-To: Date: Thu, 11 Jun 2015 17:00:06 -0700 Message-ID: <004801d0a4a2$be5e1b40$3b1a51c0$@augustcellars.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook 15.0 Thread-Index: AQH/CRWIcZSXbJbM2kM+qRSrEj4cCAIc57yoAlPx0JQCobgd4Z0Snnug Content-Language: en-us Archived-At: Cc: jose@ietf.org Subject: Re: [secdir] sector review of draft-ietf-jose-jwk-thumbprint-05 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jun 2015 00:00:04 -0000 I would do this by including an IANA considerations section that states = you are updating the expert review instructions for a registry. They = will then include that in the list of references for the registry = itself. Jim > -----Original Message----- > From: Mike Jones [mailto:Michael.Jones@microsoft.com] > Sent: Thursday, June 11, 2015 3:49 PM > To: Jim Schaad; 'Adam W. Montville'; 'The IESG'; secdir@ietf.org; = draft-ietf-jose- > jwk-thumbprint.all@ietf.org > Cc: jose@ietf.org > Subject: RE: sector review of draft-ietf-jose-jwk-thumbprint-05 >=20 > The registration instructions don't appear to be stored with the = registry at > http://www.iana.org/assignments/jose/jose.xhtml. The closest there is = there is > the Reference field, which specifies [RFC7515], which I assume is how = the > designated experts are expected to retrieve the instructions. >=20 > Does anyone on the thread know if it's possible to add a copy of the = registration > instructions in the registry itself? If so, then we'd have a = mechanism by which > we could update them, as Jim suggested. >=20 > -- Mike >=20 > -----Original Message----- > From: Jim Schaad [mailto:ietf@augustcellars.com] > Sent: Thursday, June 11, 2015 3:36 PM > To: Mike Jones; 'Adam W. Montville'; 'The IESG'; secdir@ietf.org; = draft-ietf-jose- > jwk-thumbprint.all@ietf.org > Cc: jose@ietf.org > Subject: RE: sector review of draft-ietf-jose-jwk-thumbprint-05 >=20 >=20 >=20 > > -----Original Message----- > > From: Mike Jones [mailto:Michael.Jones@microsoft.com] > > Sent: Thursday, June 11, 2015 2:25 PM > > To: Adam W. Montville; The IESG; secdir@ietf.org; = draft-ietf-jose-jwk- > > thumbprint.all@ietf.org > > Cc: jose@ietf.org > > Subject: RE: sector review of draft-ietf-jose-jwk-thumbprint-05 > > > > Hi Adam, > > > > Thanks for the secdir review. > > > > > From: Adam W. Montville [mailto:adam.w.montville@gmail.com] > > > Sent: Monday, June 08, 2015 8:46 AM > > > To: The IESG; secdir@ietf.org; > > > draft-ietf-jose-jwk-thumbprint.all@ietf.org > > > Subject: sector review of draft-ietf-jose-jwk-thumbprint-05 > > > > > Hi, > > > > > I have reviewed this document as part of the security = directorate's > > > ongoing > > effort to review all IETF documents being processed by the IESG. = These > > comments were written primarily for the benefit of the security area = directors. > > Document editors and WG chairs should treat these comments just like > > any other last call comments. > > > > > > I believe the document is ready with (potential) issues. The = =E2=80=9Cwith > > > issues=E2=80=9D might > > be due to ignorance on my part. The draft does a very good job of > > explaining the canonical form of a JSON Web Key that can be used for > > establishing a thumbprint under varying circumstances, complete with > > what I found to be helpful examples. > > > > > > The primary issue I have is that it=E2=80=99s unclear how relying = parties > > > are going to > > know which hash algorithm has been used. The examples use SHA-256, > > but I=E2=80=99m not seeing where SHA-256 might be specified as a = MUST or even a > SHOULD. > > Moreover, the example output ultimately shows only the Base-64 > > encoding of the resulting hash, which says nothing about the = algorithm > > used to identify a key. > > > > Earlier drafts had included fields whose names were intended to > > communicate the information about the hash function used - see the > > "jkt" field definitions in > > = http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-01#section-4 > > - but several working group reviewers suggested that these fields = were > > unnecessary and that the typical usage would be as "kid" (key ID) > > field values. With that removal, it falls onto the application to > > specify the hash algorithm for its particular usage. > > > > This isn't as bad as you might think, however, because typically the > > consumer of the "kid" doesn't need to know the algorithm because it > > won't be reproducing the computation. It just relies on the fact = that > > a unique key ID value was generated for the key and compares "kid" > > values as opaque strings to find the appropriate key. In this = usage, > > the producer of the key is the only party that needs to know the = hash > algorithm that it is using. I hope this helps. > > > > > Additionally, in Section 4, =E2=80=9CJSON and Unicode = Considerations=E2=80=9D some > > > =E2=80=9Cshould=E2=80=9Ds > > are used, but I=E2=80=99m not reading them as SHOULDs. Should they = be > > SHOULDs? For example, the start of the third paragraph in that > > section: =E2=80=9Cif new JWK members are defined that use non-ASCII = member > > names, their definitions should specify the exact Unicode code point > > sequences used to represent them.=E2=80=9D It=E2=80=99s not clear = to me whether this > > is a strong statement or just a recommendation - it seems that this > > draft could help the future by making stronger statements to = encourage future > interoperability. > > > > For the other JOSE specifications, our chair Jim Schaad took the > > position that RFC 2119 keywords should be reserved for testable > > protocol behaviors and that other uses of the English word "should" > > should not use "SHOULD". The authors followed that convention in = this > > document. I do understand that other authors and working groups = have > > taken different positions in this regard. If there are particular > > uses that you still feel should be changed to use RFC 2119 keywords, = please > call them out. >=20 > If we really wanted to make sure that the recommendation was followed, = then > it would make sense to adjust the IANA reviewers instructions for the = registry. > Putting a SHOULD or a MUST in this document would not have any effect = since it > does not define a protocol and might not be seen by anybody defining a = new > header field. >=20 > Jim >=20 > > > > > Kind regards, > > > Adam > > > > Thanks again! > > -- Mike >=20