Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12
Kyle Rose <krose@krose.org> Tue, 06 March 2018 02:24 UTC
From: Kyle Rose <krose@krose.org>
Date: Mon, 05 Mar 2018 21:24:03 -0500
Message-ID: <CAJU8_nXco0Tht2GRcPN23GCO=UCwyuWe8gYLS3FyYPTVmWqRrA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: IETF SecDir <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ace-cbor-web-token.all@ietf.org" <draft-ietf-ace-cbor-web-token.all@ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>

I just perused the relevant parts of the diff. LGTM.

Thanks,
Kyle

On Mon, Mar 5, 2018 at 7:45 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Hi Kyle,
>
> You’ll find changes that address your review comments in
> https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13. See
> https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13#appendix-C
> for a summary of the changes made.
>
> Thanks again for your useful review!
>
> -- Mike
>
> -----Original Message-----
> From: Mike Jones
> Sent: Friday, March 2, 2018 10:48 AM
> To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; Kyle Rose <krose@krose.org>
> Cc: IETF SecDir <secdir@ietf.org>; The IESG <iesg@ietf.org>; draft-ietf-ace-cbor-web-token.all@ietf.org
> Subject: RE: Secdir last call review of draft-ietf-ace-cbor-web-token-12
>
> Thanks, Kyle. I'll plan to update the document accordingly.
>
> -- Mike
>
> -----Original Message-----
> From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
> Sent: Friday, March 2, 2018 10:29 AM
> To: Kyle Rose <krose@krose.org>
> Cc: IETF SecDir <secdir@ietf.org>; The IESG <iesg@ietf.org>; draft-ietf-ace-cbor-web-token.all@ietf.org
> Subject: Re: Secdir last call review of draft-ietf-ace-cbor-web-token-12
>
> Thanks for your review, Kyle!
>
> On Fri, Mar 2, 2018 at 1:16 PM, Kyle Rose <krose@krose.org> wrote:
> > Reviewer: Kyle Rose
> > Review result: Ready with nits
> >
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the
> > IESG. These comments were written primarily for the benefit of the
> > security area directors. Document editors and WG chairs should treat
> > these comments just like any other last call comments.
> >
> > This draft specifies a means for representing claims in CBOR, and for
> > using COSE to encrypt and authenticate such claims. The listed
> > security considerations seem to cover the same ground as the
> > respective slices of the corresponding JWT references: the COSE RFC
> > 8152 covers issues of trust establishment, as well as the vagaries of
> > signature algorithms and key reuse, in more depth.
> >
> > My only nit for this document is the repeated use of the phrasing
> > "...has the same meaning, syntax, and processing rules as..."
> > throughout section 3.1: specifically, the inclusion of "syntax".
> > For example, it doesn't seem to make sense to talk about the syntax
> > of a CBOR NumericDate being the same as, or different from, the
> > syntax of a JSON NumericDate: clearly, the binary representation is
> > different, and it's not at all clear that it makes sense to talk
> > about the human-readable source representation in this context.
> > That said, there is some parallelism with respect to StringOrURI,
> > as presumably the intent is to require that all strings containing
> > a colon also be valid URIs.
> >
>
> Good point. Authors, please put these adjustments in your working copy of
> the draft and ack the changes made here.
>
> Thank you,
> Kathleen
>
> --
>
> Best regards,
> Kathleen