Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12

Kyle Rose <krose@krose.org> Tue, 06 March 2018 02:24 UTC

From: Kyle Rose <krose@krose.org>
Date: Mon, 05 Mar 2018 21:24:03 -0500
Message-ID: <CAJU8_nXco0Tht2GRcPN23GCO=UCwyuWe8gYLS3FyYPTVmWqRrA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: IETF SecDir <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ace-cbor-web-token.all@ietf.org" <draft-ietf-ace-cbor-web-token.all@ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gCLEMdyLMbWXe2GDybGAhC4fIoU>

I just perused the relevant parts of the diff. LGTM.

Thanks,
Kyle


On Mon, Mar 5, 2018 at 7:45 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Hi Kyle,
>
> You’ll find changes that address your review comments in
> https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13.  See
> https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13#appendix-C
> for a summary of the changes made.
>
> Thanks again for your useful review!
>
>     -- Mike
>
> -----Original Message-----
> From: Mike Jones
> Sent: Friday, March 2, 2018 10:48 AM
> To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; Kyle Rose <krose@krose.org>
> Cc: IETF SecDir <secdir@ietf.org>; The IESG <iesg@ietf.org>;
> draft-ietf-ace-cbor-web-token.all@ietf.org
> Subject: RE: Secdir last call review of draft-ietf-ace-cbor-web-token-12
>
> Thanks, Kyle.  I'll plan to update the document accordingly.
>
>     -- Mike
>
> -----Original Message-----
> From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
> Sent: Friday, March 2, 2018 10:29 AM
> To: Kyle Rose <krose@krose.org>
> Cc: IETF SecDir <secdir@ietf.org>; The IESG <iesg@ietf.org>;
> draft-ietf-ace-cbor-web-token.all@ietf.org
> Subject: Re: Secdir last call review of draft-ietf-ace-cbor-web-token-12
>
> Thanks for your review, Kyle!
>
> On Fri, Mar 2, 2018 at 1:16 PM, Kyle Rose <krose@krose.org> wrote:
> > Reviewer: Kyle Rose
> > Review result: Ready with nits
> >
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the
> > IESG.  These comments were written primarily for the benefit of the
> > security area directors.  Document editors and WG chairs should treat
> > these comments just like any other last call comments.
> >
> > This draft specifies a means for representing claims in CBOR, and for
> > using COSE to encrypt and authenticate such claims. The listed
> > security considerations seem to cover the same ground as the
> > respective slices of the corresponding JWT references: the COSE RFC
> > 8152 covers issues of trust establishment, as well as the vagaries of
> > signature algorithms and key reuse, in more depth.
> >
> > My only nit for this document is the repeated use of the phrasing
> > "...has the same meaning, syntax, and processing rules as..."
> > throughout section 3.1: specifically, the inclusion of "syntax". For example, it doesn't
> > seem to make sense to talk about the syntax of a CBOR NumericDate
> > being the same as, or different from, the syntax of a JSON
> > NumericDate: clearly, the binary representation is different, and it's
> > not at all clear that it makes sense to talk about the human-readable
> > source representation in this context. That said, there is some
> > parallelism with respect to StringOrURI, as presumably the intent is
> > to require that all strings containing a colon also be valid URIs.
> >
>
> Good point.  Authors, please put these adjustments in your working copy of
> the draft and ack the changes made here.
>
> Thank you,
> Kathleen
>
>
>
> --
>
> Best regards,
> Kathleen
>
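To make the distinction the review draws concrete, here is an added example (not code from the thread, from the draft, or from its authors) that serializes one constructed claim set both as a JWT-style JSON payload and as a CWT-style CBOR payload, so the different binary syntax of the same NumericDate is visible, and applies the StringOrURI rule the review refers to (a value containing a colon must be a URI). The CBOR encoder is a minimal one written for this example; the integer claim keys are the ones RFC 8392 registers for these claims; and the URI check is simplified to a syntactically valid RFC 3986 scheme rather than the full URI grammar.

```python
"""Added example, not code from the thread or the CWT draft: the same claim set
serialized as a JWT-style JSON payload and as a CWT-style CBOR payload, plus a
check for the StringOrURI rule the review mentions (a value containing ':' must
be a URI). The CBOR encoder is a minimal one written for this example; the
claim-key integers are the ones RFC 8392 registers for these claims."""
import json
import re
import struct

# Integer claim keys from the CWT claims registry (RFC 8392, Section 4).
CLAIM_KEYS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}

# Claims whose type is StringOrURI in both JWT (RFC 7519) and CWT.
STRING_OR_URI_CLAIMS = ("iss", "sub", "aud")

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def is_string_or_uri(value):
    """StringOrURI: any string is allowed, but one containing ':' must be a URI.
    Simplification for this example: 'is a URI' is checked only as 'starts with
    a syntactically valid scheme', not against the full RFC 3986 grammar."""
    if not isinstance(value, str):
        return False
    if ":" not in value:
        return True
    return _SCHEME_RE.match(value) is not None


def _cbor_head(major_type, argument):
    """Initial byte(s) of a CBOR data item: 3-bit major type plus the argument
    in the shortest encoding that fits (preferred serialization)."""
    mt = major_type << 5
    if argument < 24:
        return bytes([mt | argument])
    if argument < 0x100:
        return bytes([mt | 24, argument])
    if argument < 0x10000:
        return bytes([mt | 25]) + argument.to_bytes(2, "big")
    if argument < 0x100000000:
        return bytes([mt | 26]) + argument.to_bytes(4, "big")
    return bytes([mt | 27]) + argument.to_bytes(8, "big")


def cbor_encode(value):
    """Encode the subset of CBOR needed for CWT claims: ints, floats, text,
    byte strings, bools and maps."""
    if isinstance(value, bool):
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int):
        # NumericDate in CWT is a CBOR number: an unsigned (major type 0) or
        # negative (major type 1) integer here, with no textual digits at all.
        return _cbor_head(0, value) if value >= 0 else _cbor_head(1, -1 - value)
    if isinstance(value, float):
        return b"\xfb" + struct.pack(">d", value)   # 64-bit float
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _cbor_head(3, len(data)) + data       # text string
    if isinstance(value, bytes):
        return _cbor_head(2, len(value)) + value     # byte string
    if isinstance(value, dict):
        out = _cbor_head(5, len(value))              # map
        for k, v in value.items():
            out += cbor_encode(k) + cbor_encode(v)
        return out
    raise TypeError(f"unsupported type for this encoder: {type(value).__name__}")


def check_claims(claims):
    """Apply the StringOrURI rule to the claims that carry that type."""
    for name in STRING_OR_URI_CLAIMS:
        if name in claims and not is_string_or_uri(claims[name]):
            raise ValueError(f"claim {name!r} contains ':' but is not a URI: {claims[name]!r}")


def jwt_payload(claims):
    """JWT representation: a JSON object keyed by claim name."""
    check_claims(claims)
    return json.dumps(claims, separators=(",", ":")).encode("utf-8")


def cwt_payload(claims):
    """CWT representation: a CBOR map keyed by the registered integer keys."""
    check_claims(claims)
    return cbor_encode({CLAIM_KEYS[name]: value for name, value in claims.items()})


# Constructed sample claims for this example (not taken from the thread).
SAMPLE_CLAIMS = {"iss": "coap://as.example.com", "sub": "erikw", "exp": 1444064944}

if __name__ == "__main__":
    print(jwt_payload(SAMPLE_CLAIMS).decode())
    print(cwt_payload(SAMPLE_CLAIMS).hex())
```

Running it prints the JSON text and the CBOR hex side by side: the `exp` value appears as the digits `1444064944` in the JSON payload but as the five bytes `1a 56 12 ae b0` in the CBOR payload, which is the sense in which the review says the two NumericDate syntaxes are not comparable while their meaning and processing rules are the same. The StringOrURI check, by contrast, is the same in both encodings, which is the parallelism the review notes.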