Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12

Mike Jones <Michael.Jones@microsoft.com> Tue, 06 March 2018 00:45 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9732C12D7F4; Mon, 5 Mar 2018 16:45:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R76CiSffhJJD; Mon, 5 Mar 2018 16:45:43 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on071b.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe49::71b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEE55126BF7; Mon, 5 Mar 2018 16:45:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ewi9YuJaNSQvAiGdXglDA+n9NX8DTEgjJV+9yjK6osA=; b=OC4D/9SQl8gKCIUH3ZbMd4uiCUNEXmfDx+p7b9SCO+R6FHYOOJbj9XwWR/Z4cjkXBTlTELlRTf7xXRc/GNrNEstWJKDvkdmrRjPh6uJimCqiEAi7z3oUlILO3zbQn18v2niFGbJBxE+mxnevicWU45qkd6H3jRxK/z/IAx7AVfQ=
Received: from SN6PR2101MB0943.namprd21.prod.outlook.com (52.132.114.20) by SN6PR2101MB1103.namprd21.prod.outlook.com (52.132.115.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.588.3; Tue, 6 Mar 2018 00:45:38 +0000
Received: from SN6PR2101MB0943.namprd21.prod.outlook.com ([fe80::9866:f6b5:e2d6:50]) by SN6PR2101MB0943.namprd21.prod.outlook.com ([fe80::9866:f6b5:e2d6:50%2]) with mapi id 15.20.0588.001; Tue, 6 Mar 2018 00:45:38 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Kyle Rose <krose@krose.org>
CC: IETF SecDir <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ace-cbor-web-token.all@ietf.org" <draft-ietf-ace-cbor-web-token.all@ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: Secdir last call review of draft-ietf-ace-cbor-web-token-12
Thread-Index: AQHTslKnGqkTlElBUUmHtMtpYOQ4daO9Q/YAgAAFIJCABRroAA==
Date: Tue, 6 Mar 2018 00:45:37 +0000
Message-ID: <SN6PR2101MB09439F177FD5939966DC5EF1F5D90@SN6PR2101MB0943.namprd21.prod.outlook.com>
References: <CAJU8_nWatM=_reHiUMcshA0twHMSKrmgSkaorgtaOkbUb-1uuQ@mail.gmail.com> <CAHbuEH4M2QqtSYMZFeqMs_-TfCE8ZvvsuxmBA9j0kBcnN2hBMw@mail.gmail.com> <SN6PR2101MB094333949BEB83BCCC5B3D98F5C50@SN6PR2101MB0943.namprd21.prod.outlook.com>
In-Reply-To: <SN6PR2101MB094333949BEB83BCCC5B3D98F5C50@SN6PR2101MB0943.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2018-03-02T18:47:57.6281908Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:a::562]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR2101MB1103; 7:zGz7soUNSz+E85E7ESsC6tjNwfx8xYA3SfkAOnYL+g7Q/9e1qRH+DbYeJXegTVB3BXJPxdgbL0/Nf5y0cbu4g4KWDnf+/wpJcp5V7Ikktm3Kfyrs5ZZ2mf28wcX0DDMG3kX8DtYo5H6MpNmduhzG2LiO0lTEuL+942zt8rJvgO/PFkP3fc5zLfL9kV0YpUIZGyPAFBMGRED0VOEic4/Jb0JDJuvGf25xrKiQ98iw08ifXimoSgnHgPCgXZ9IpX/j; 20:N58PP7JlAhuPmgXl91H8KHTf/apuokBM3uZx9q0p3VgAvrHD2zJcvT2AfktgpdiPm6GHlTuPnVCXmrEBispMCGBKkalr+vBOOW4x1mai++h6I5/ChmLHCKo8B/R2ldVa4zYS0YXeFNpE+1A99p4x8+QfQFFl/NDuJh28jHcwtrE=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: bf617bd2-5eeb-4e24-0312-08d582fb9478
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7193020); SRVR:SN6PR2101MB1103;
x-ms-traffictypediagnostic: SN6PR2101MB1103:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-microsoft-antispam-prvs: <SN6PR2101MB1103189D2EE0D52E31530C39F5D90@SN6PR2101MB1103.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(85827821059158);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(61425038)(6040501)(2401047)(8121501046)(5005006)(3231220)(944501244)(52105095)(93006095)(93001095)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041288)(20161123558120)(20161123564045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011); SRVR:SN6PR2101MB1103; BCL:0; PCL:0; RULEID:; SRVR:SN6PR2101MB1103;
x-forefront-prvs: 06036BD506
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(396003)(39380400002)(39860400002)(366004)(189003)(199004)(13464003)(54906003)(305945005)(7736002)(6116002)(3660700001)(39060400002)(86612001)(3280700002)(33656002)(74316002)(2900100001)(22452003)(316002)(966005)(14454004)(478600001)(105586002)(72206003)(2906002)(46003)(55016002)(6436002)(186003)(8990500004)(106356001)(10090500001)(229853002)(99286004)(5250100002)(10290500003)(53936002)(59450400001)(6506007)(53546011)(6306002)(9686003)(102836004)(7696005)(6246003)(76176011)(86362001)(68736007)(81166006)(8936002)(4326008)(2950100002)(6916009)(5660300001)(97736004)(81156014)(8676002)(25786009); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR2101MB1103; H:SN6PR2101MB0943.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: XMq1A92idIhQ/O3X/B5amlWjez+XmErkfpNH/E7I8RBoRK74vHKOyapA+wvGnJ9w8aCNDh2TGH2GeOsMxuHF/w6bcd+NpwGjaF3vOgl0JCrnIel+ZvPsbm4nddOzbeJmcZiy0bYLmKkc9j7WJvOi2WlgKviV83BmKHKvtabBfR99w+q6T4fAiWuNeOUKzwLW9HK/EC+Io1MiHEdwLdSyq1J+IskPsjBnCccF9f37bSNpWX1kkWAxEeMn0w44nEXa+jb4XWi1EngroFIufGDjSeCU29TWruiuMjm4VMXa0eBf/wT3JwqALfZafrParnJZukcZS4ErjVxej0U1iI7JZA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bf617bd2-5eeb-4e24-0312-08d582fb9478
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2018 00:45:37.6114 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR2101MB1103
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cI-ZXLiR2TYEDl0NdiwPh0hZasw>
Subject: Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 00:45:47 -0000

Hi Kyle,

You’ll find changes that address your review comments in https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13.  See https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13#appendix-C for a summary of the changes made.

Thanks again for your useful review!

                                                          -- Mike

-----Original Message-----
From: Mike Jones 
Sent: Friday, March 2, 2018 10:48 AM
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>;; Kyle Rose <krose@krose.org>;
Cc: IETF SecDir <secdir@ietf.org>;; The IESG <iesg@ietf.org>;; draft-ietf-ace-cbor-web-token.all@ietf.org
Subject: RE: Secdir last call review of draft-ietf-ace-cbor-web-token-12

Thanks, Kyle.  I'll plan to update the document accordingly.

				-- Mike

-----Original Message-----
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>;
Sent: Friday, March 2, 2018 10:29 AM
To: Kyle Rose <krose@krose.org>;
Cc: IETF SecDir <secdir@ietf.org>;; The IESG <iesg@ietf.org>;; draft-ietf-ace-cbor-web-token.all@ietf.org
Subject: Re: Secdir last call review of draft-ietf-ace-cbor-web-token-12

Thanks for your review, Kyle!

On Fri, Mar 2, 2018 at 1:16 PM, Kyle Rose <krose@krose.org>; wrote:
> Reviewer: Kyle Rose
> Review result: Ready with nits
>
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
> This draft specifies a means for representing claims in CBOR, and for 
> using COSE to encrypt and authenticate such claims. The listed 
> security considerations seem to cover the same ground as the 
> respective slices of the corresponding JWT references: the COSE RFC
> 8152 covers issues of trust establishment, as well as the vagaries of 
> signature algorithms and key reuse, in more depth.
>
> My only nit for this document is the repeated use of the phrasing 
> "...has the same meaning, syntax, and processing rules as..."
> throughout section
> 3.1: specifically, the inclusion of "syntax". For example, it doesn't 
> seem to make sense to talk about the syntax of a CBOR NumericDate 
> being the same as, or different from, the syntax of a JSON
> NumericDate: clearly, the binary representation is different, and it's 
> not at all clear that it makes sense to talk about the human-readable 
> source representation in this context. That said, there is some 
> parallelism with respect to StringOrURI, as presumably the intent is 
> to require that all strings containing a colon also be valid URIs.
>

Good point.  Authors, please put these adjustments in your working copy of the draft and ack the changes made here.

Thank you,
Kathleen



-- 

Best regards,
Kathleen