Re: [secdir] sector review of draft-ietf-jose-jwk-thumbprint-05

Mike Jones <> Thu, 11 June 2015 22:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 04B111B33FC; Thu, 11 Jun 2015 15:49:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 40xYul3oEOo8; Thu, 11 Jun 2015 15:48:59 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 561A81B2CDE; Thu, 11 Jun 2015 15:48:59 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 11 Jun 2015 22:48:57 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 11 Jun 2015 22:48:56 +0000
Received: from ([]) by ([]) with mapi id 15.01.0195.005; Thu, 11 Jun 2015 22:48:56 +0000
From: Mike Jones <>
To: Jim Schaad <>, "'Adam W. Montville'" <>, 'The IESG' <>, "" <>, "" <>
Thread-Topic: sector review of draft-ietf-jose-jwk-thumbprint-05
Thread-Index: AQHQogJgaphBjlti2Uu758g0GQEF3p2nztYwgAAbCACAAAIooA==
Date: Thu, 11 Jun 2015 22:48:56 +0000
Message-ID: <>
References: <> <> <003d01d0a496$f2ee7d70$d8cb7850$>
In-Reply-To: <003d01d0a496$f2ee7d70$d8cb7850$>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e0:ee43::6]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:AYEqWEKMsIR735iijZguQIO/3fBy0wOAK1Wvno6YzDay4Xff2MRu8ip1s+Zd/ab5bZMZRWiBG652pwE2oKtVNfZZA56WlAjyvGOBmJEzzLnlADZtVzGB3h8b55Fx+oWutHYDYTYkp9kIrezQc1A9UA==; 24:nY8eTOe6E5sFYdz1y7KsOwHjf6waqGLTF3nw9C1Xh0AfD8QshthpyWd0B+eSLP165W3u5GcPXzkFGX+U3FY9Zc1znuT6BDNXPCdJ4Z71HBs=; 20:ofKEWT6Z78h1GPdCFV8N1zisBgkcLud2rCrvTqMmfwH02skL6hmiZ5XIKAMLxuCFNjDwxhdQnqsZ50rpBC/kNQ==
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441; UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB191;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 0604AFA86B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(71364002)(43784003)(51704005)(13464003)(377454003)(2900100001)(76576001)(40100003)(189998001)(87936001)(2950100001)(5001960100002)(74316001)(76176999)(50986999)(54356999)(86612001)(15975445007)(77096005)(102836002)(86362001)(19580405001)(19580395003)(99286002)(2201001)(5002640100001)(122556002)(92566002)(106116001)(230783001)(2501003)(33656002)(2656002)(77156002)(5001770100001)(5003600100002)(62966003)(46102003)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441;; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jun 2015 22:48:56.7117 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
X-Microsoft-Exchange-Diagnostics: 1; BY2PR03MB191; 2:a7aVzZ3VDfZyoHyi7SYhdyrVDRO+BE1TCLexbpPHDN1Zc6nXnYO1wgd6vWp0sip0; 3:KPLb0++UwaXKzdZYhQmsmhbwT/+BQB1ZRwGfJs1tOxVyJjnUR2sxAj3H4TpAoCSIVf7updHjauakkuTMUPlmbdhvPxeS7mAtCy4WEC5l3VJ6Xn7GOllSs74N5L58gqEReI7PHoKrmqLNR8oMzrN2rw==; 23:zowL651Lhm2Z0rnh87EkAD9dzCOOkrPz51N2i9rwLom8JMYaR07rJBkptxOKU9ixt9Il0ZVHj7ccY/LTmxdcmUq2OZRsyY3dB4qZfk1/YAw+jJwUp09yrs0n2Ermp462cTgGi8xEwYohIdYG+E0Vhb0GP3oFKL+yaWQ6ToK8Qdc3UGEsBbmtdy5pvCTeXwnX8r4S0kI8cyNbvlkC2veiVygIqE6I+6gzCnLGhwFdHfHfNGDJsRIwdqJbf802BIb8
Archived-At: <>
Cc: "" <>
Subject: Re: [secdir] sector review of draft-ietf-jose-jwk-thumbprint-05
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Jun 2015 22:49:02 -0000

The registration instructions don't appear to be stored with the registry at  The closest there is there is the Reference field, which specifies [RFC7515], which I assume is how the designated experts are expected to retrieve the instructions.

Does anyone on the thread know if it's possible to add a copy of the registration instructions in the registry itself?  If so, then we'd have a mechanism by which we could update them, as Jim suggested.

				-- Mike

-----Original Message-----
From: Jim Schaad [] 
Sent: Thursday, June 11, 2015 3:36 PM
To: Mike Jones; 'Adam W. Montville'; 'The IESG';;
Subject: RE: sector review of draft-ietf-jose-jwk-thumbprint-05

> -----Original Message-----
> From: Mike Jones []
> Sent: Thursday, June 11, 2015 2:25 PM
> To: Adam W. Montville; The IESG;; draft-ietf-jose-jwk- 
> Cc:
> Subject: RE: sector review of draft-ietf-jose-jwk-thumbprint-05
> Hi Adam,
> Thanks for the secdir review.
> > From: Adam W. Montville []
> > Sent: Monday, June 08, 2015 8:46 AM
> > To: The IESG;; 
> >
> > Subject: sector review of draft-ietf-jose-jwk-thumbprint-05
> > Hi,
> > I have reviewed this document as part of the security directorate's 
> > ongoing
> effort to review all IETF documents being processed by the IESG. These 
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like 
> any other last call comments.
> >
> > I believe the document is ready with (potential) issues.  The “with 
> > issues” might
> be due to ignorance on my part.  The draft does a very good job of 
> explaining the canonical form of a JSON Web Key that can be used for 
> establishing a thumbprint under varying circumstances, complete with 
> what I found to be helpful examples.
> >
> > The primary issue I have is that it’s unclear how relying parties 
> > are going to
> know which hash algorithm has been used.  The examples use SHA-256, 
> but I’m not seeing where SHA-256 might be specified as a MUST or even a SHOULD.
> Moreover, the example output ultimately shows only the Base-64 
> encoding of the resulting hash, which says nothing about the algorithm 
> used to identify a key.
> Earlier drafts had included fields whose names were intended to 
> communicate the information about the hash function used - see the 
> "jkt" field definitions in
> - but several working group reviewers suggested that these fields were 
> unnecessary and that the typical usage would be as "kid" (key ID) 
> field values.  With that removal, it falls onto the application to 
> specify the hash algorithm for its particular usage.
> This isn't as bad as you might think, however, because typically the 
> consumer of the "kid" doesn't need to know the algorithm because it 
> won't be reproducing the computation.  It just relies on the fact that 
> a unique key ID value was generated for the key and compares "kid" 
> values as opaque strings to find the appropriate key.  In this usage, 
> the producer of the key is the only party that needs to know the hash algorithm that it is using.  I hope this helps.
> > Additionally, in Section 4, “JSON and Unicode Considerations” some 
> > “should”s
> are used, but I’m not reading them as SHOULDs.  Should they be 
> SHOULDs?  For example, the start of the third paragraph in that 
> section: “if new JWK members are defined that use non-ASCII member 
> names, their definitions should specify the exact Unicode code point 
> sequences used to represent them.”  It’s not clear to me whether this 
> is a strong statement or just a recommendation - it seems that this 
> draft could help the future by making stronger statements to encourage future interoperability.
> For the other JOSE specifications, our chair Jim Schaad took the 
> position that RFC 2119 keywords should be reserved for testable 
> protocol behaviors and that other uses of the English word "should" 
> should not use "SHOULD".  The authors followed that convention in this 
> document.  I do understand that other authors and working groups have 
> taken different positions in this regard.  If there are particular 
> uses that you still feel should be changed to use RFC 2119 keywords, please call them out.

If we really wanted to make sure that the recommendation was followed, then it would make sense to adjust the IANA reviewers instructions for the registry.  Putting a SHOULD or a MUST in this document would not have any effect since it does not define a protocol and might not be seen by anybody defining a new header field.


> > Kind regards,
> > Adam
> 				Thanks again!
> 				-- Mike