Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12

Mike Jones <Michael.Jones@microsoft.com> Fri, 02 March 2018 18:48 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5993126C25; Fri, 2 Mar 2018 10:48:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gI5DkxqB3guY; Fri, 2 Mar 2018 10:48:01 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0133.outbound.protection.outlook.com [104.47.33.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54710126C22; Fri, 2 Mar 2018 10:48:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=eK7gB8ljVcUpSezstEpC5YbWUvF2sb8DGE2ryxvTQ6c=; b=DgunAFo7k+yvL1JK7piyLT23Sz/WXb5Ec4PgtPgwNoqDFGlE1YPUqVZs9QCWBhyFBbk+u/4XY2A/m4Aa1Pc6kdBnDtmlQX64e333I0pIovXi2hbB1C3rwzeUspPmVVbheXWxcripvuptmqRawm/+ptRcyeSKNVPZFwZXU4rdcog=
Received: from SN6PR2101MB0943.namprd21.prod.outlook.com (52.132.114.20) by SN6PR2101MB0974.namprd21.prod.outlook.com (52.132.114.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.567.3; Fri, 2 Mar 2018 18:47:59 +0000
Received: from SN6PR2101MB0943.namprd21.prod.outlook.com ([fe80::9866:f6b5:e2d6:50]) by SN6PR2101MB0943.namprd21.prod.outlook.com ([fe80::9866:f6b5:e2d6:50%2]) with mapi id 15.20.0567.006; Fri, 2 Mar 2018 18:47:59 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Kyle Rose <krose@krose.org>
CC: IETF SecDir <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ace-cbor-web-token.all@ietf.org" <draft-ietf-ace-cbor-web-token.all@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-ace-cbor-web-token-12
Thread-Index: AQHTslKnGqkTlElBUUmHtMtpYOQ4daO9Q/YAgAAFIJA=
Date: Fri, 2 Mar 2018 18:47:59 +0000
Message-ID: <SN6PR2101MB094333949BEB83BCCC5B3D98F5C50@SN6PR2101MB0943.namprd21.prod.outlook.com>
References: <CAJU8_nWatM=_reHiUMcshA0twHMSKrmgSkaorgtaOkbUb-1uuQ@mail.gmail.com> <CAHbuEH4M2QqtSYMZFeqMs_-TfCE8ZvvsuxmBA9j0kBcnN2hBMw@mail.gmail.com>
In-Reply-To: <CAHbuEH4M2QqtSYMZFeqMs_-TfCE8ZvvsuxmBA9j0kBcnN2hBMw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2018-03-02T18:47:57.6281908Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:c::42e]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR2101MB0974; 7:L4s5yNaoHlybbdLFpip7LAa2gxl41GDHJFwM07AvKn9JBxZ8cUilO2k1Y47NRKMqka3fIjjTH1kqmJqlZhi4arQYvDZxKOlUgs1EWjwBHZaBWjZFrj8sxU6X+4DYIenIRp7HXysYmeZH5Tj7yDkzw/f8XU9YAR7Ej/MdANPzfGBmcy80AruX/CLU3q9TqwR1iwD0iq7OqnzwzvMFEGeXFAAD0cJNyegHeRwqBUmqGVUU8JhpZXwbh9FrC/DoOq6t
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 006927b9-d8cf-46d6-d49b-08d5806e1ed6
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7193020); SRVR:SN6PR2101MB0974;
x-ms-traffictypediagnostic: SN6PR2101MB0974:
x-microsoft-antispam-prvs: <SN6PR2101MB097471F5645E868BB149401FF5C50@SN6PR2101MB0974.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(85827821059158);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(61425038)(6040501)(2401047)(5005006)(8121501046)(93006095)(93001095)(3231220)(944501236)(52105095)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041288)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123560045)(6072148)(201708071742011); SRVR:SN6PR2101MB0974; BCL:0; PCL:0; RULEID:; SRVR:SN6PR2101MB0974;
x-forefront-prvs: 05991796DF
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(39380400002)(376002)(396003)(366004)(346002)(189003)(13464003)(199004)(110136005)(6246003)(305945005)(229853002)(7736002)(74316002)(68736007)(54906003)(53936002)(5660300001)(6116002)(10290500003)(3660700001)(8676002)(6436002)(55016002)(81166006)(81156014)(39060400002)(9686003)(2900100001)(316002)(4326008)(106356001)(2950100002)(25786009)(8936002)(99286004)(5250100002)(14454004)(2906002)(72206003)(86612001)(478600001)(3280700002)(22452003)(10090500001)(7696005)(59450400001)(186003)(6506007)(53546011)(102836004)(76176011)(33656002)(46003)(105586002)(8990500004)(97736004)(86362001)(6346003); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR2101MB0974; H:SN6PR2101MB0943.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-microsoft-antispam-message-info: fD2WQkz8wEUFihaGHN6JLVAUdNmXQuZuUpG+gE4VBJlGjYDCrnchA+5unMtf5MHyNNolrJSXk8oHsHyyG3/vyww0n/2HiORq3SNQ49gyGG+w2awco2rMygf8Mo5XQPpBm0olkaSs/jfupSvovTD2YF/QDeGQ7I98UWJmtrOUdtM=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 006927b9-d8cf-46d6-d49b-08d5806e1ed6
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2018 18:47:59.3696 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR2101MB0974
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gnejWI2M71SOW-ybI3YQg-FU1YM>
Subject: Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2018 18:48:04 -0000

Thanks, Kyle.  I'll plan to update the document accordingly.

				-- Mike

-----Original Message-----
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; 
Sent: Friday, March 2, 2018 10:29 AM
To: Kyle Rose <krose@krose.org>;
Cc: IETF SecDir <secdir@ietf.org>;; The IESG <iesg@ietf.org>;; draft-ietf-ace-cbor-web-token.all@ietf.org
Subject: Re: Secdir last call review of draft-ietf-ace-cbor-web-token-12

Thanks for your review, Kyle!

On Fri, Mar 2, 2018 at 1:16 PM, Kyle Rose <krose@krose.org>; wrote:
> Reviewer: Kyle Rose
> Review result: Ready with nits
>
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
> This draft specifies a means for representing claims in CBOR, and for 
> using COSE to encrypt and authenticate such claims. The listed 
> security considerations seem to cover the same ground as the 
> respective slices of the corresponding JWT references: the COSE RFC 
> 8152 covers issues of trust establishment, as well as the vagaries of 
> signature algorithms and key reuse, in more depth.
>
> My only nit for this document is the repeated use of the phrasing 
> "...has the same meaning, syntax, and processing rules as..." 
> throughout section
> 3.1: specifically, the inclusion of "syntax". For example, it doesn't 
> seem to make sense to talk about the syntax of a CBOR NumericDate 
> being the same as, or different from, the syntax of a JSON 
> NumericDate: clearly, the binary representation is different, and it's 
> not at all clear that it makes sense to talk about the human-readable 
> source representation in this context. That said, there is some 
> parallelism with respect to StringOrURI, as presumably the intent is 
> to require that all strings containing a colon also be valid URIs.
>

Good point.  Authors, please put these adjustments in your working copy of the draft and ack the changes made here.

Thank you,
Kathleen



-- 

Best regards,
Kathleen