Orie Steele has entered the following ballot position for draft-ietf-anima-jws-voucher-14: Yes
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-anima-jws-voucher/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

# Orie Steele, ART AD, comments for draft-ietf-anima-jws-voucher-14

CC @OR13

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-anima-jws-voucher-14.txt&submitcheck=True
* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md
* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

Thanks to Jim Fenton for the ART ART review, and to the authors for addressing his previous comments. I would like to see his remaining nits on -14 addressed as well.

### typ ending in +json

```
217  * The typ parameter is optional and used when more than one kind of
218    object could be present in an application data structure as
219    described in Section 4.1.9 of [RFC7515]. If present, the typ
220    parameter MUST contain the value voucher-jws+json.
```

AFAIK, this is the first case of a proposed standard where typ is used to indicate a JWS JSON type; usually I see typ values ending in +jwt, and only in compact serialization.

Thanks for asking for a review here: https://mailarchive.ietf.org/arch/msg/media-types/JIZhf_uffyMyQZAAUsy0V9mQIrA/

### What happens when the trust anchor is in the x5c?

```
234  To validate voucher signatures, all certificates of the certificate
235  chain are required up to the trust anchor. Note, to establish trust
236  the trust anchor SHOULD be provided out-of-band up front.
```

Why not state the trust anchor MUST NOT be present in x5c? What happens when this SHOULD is ignored?

### privacy considerations of jws headers

```
268  The use of a JWS header brings no new privacy considerations.
```

I'm not sure I agree with this framing. The header could contain additional parameters beyond alg, typ and x5c. The decoded x5c might include additional attributes that impact privacy.

## Nits

### Decoded JWS Protected Header

```
238  The following figure gives an example of a JWS Protected Header:
```

The protected header that is secured is base64url encoded, so when displaying JSON, you are displaying a decoded + pretty printed protected header.

It is also potentially worth noting that the JSON you are showing has lots of new lines and spaces, which I would not expect in a minimal protected header.

_______________________________________________
Anima mailing list -- anima@ietf.org
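The following is an added example, not part of Orie's message or of the draft, that ties the comments above together in working code: it builds the JWS Protected Header the way a signer actually secures it (compact JSON, then base64url without padding, per RFC 7515), decodes it back into the pretty-printable view the draft shows, and runs the checks a verifier would want from the comments: that `typ` is `voucher-jws+json`, that the header carries no parameters beyond `alg`, `typ` and `x5c` (the privacy point), and that the out-of-band trust anchor does not itself appear in `x5c`. That last rule is the reviewer's suggestion, not text from the draft; the function names and the DER "certificates" are constructed stand-ins, not real certificates or project code.

```python
import base64
import hashlib
import json

VOUCHER_TYP = "voucher-jws+json"
# The only header parameters the draft text discusses; anything else is "extra"
# and deserves a privacy/security look before it is accepted.
EXPECTED_PARAMS = {"alg", "typ", "x5c"}


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7515 Section 2 defines BASE64URL()."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_protected_header(alg: str, x5c_der: list[bytes], typ: str = VOUCHER_TYP) -> str:
    """Return the *encoded* protected header, i.e. the string the signature covers.

    The JSON is serialized compactly (no newlines, no spaces); the indented JSON
    in a specification figure is a decoded, pretty-printed view of this value.
    x5c members are standard base64 (not base64url) of DER, per RFC 7515 4.1.6.
    """
    header = {
        "alg": alg,
        "typ": typ,
        "x5c": [base64.b64encode(der).decode("ascii") for der in x5c_der],
    }
    compact = json.dumps(header, separators=(",", ":"))
    return b64url_encode(compact.encode("utf-8"))


def decode_protected_header(encoded: str) -> dict:
    """Decode a base64url protected header back to a dict for inspection/display."""
    return json.loads(b64url_decode(encoded).decode("utf-8"))


def extra_header_params(header: dict) -> set[str]:
    """Header parameters beyond alg/typ/x5c; each one is a privacy surface to review."""
    return set(header) - EXPECTED_PARAMS


def check_header(header: dict, trust_anchor_der: bytes) -> list[str]:
    """Return a list of problems; an empty list means the header passes.

    trust_anchor_der is the anchor obtained out-of-band. The check that it must
    not also be carried inside x5c is the reviewer's suggested rule (assumption),
    not a requirement stated in the draft.
    """
    problems = []
    if header.get("typ") != VOUCHER_TYP:
        problems.append(f"typ is {header.get('typ')!r}, expected {VOUCHER_TYP!r}")
    if not header.get("alg") or header["alg"] == "none":
        problems.append("alg missing or 'none'")
    anchor_fp = hashlib.sha256(trust_anchor_der).hexdigest()
    for i, cert_b64 in enumerate(header.get("x5c", [])):
        if hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() == anchor_fp:
            problems.append(f"x5c[{i}] is the trust anchor itself; it must come out-of-band, not from the signer")
    extra = extra_header_params(header)
    if extra:
        problems.append(f"unexpected header parameters: {sorted(extra)}")
    return problems


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
LEAF_DER = b"constructed-der-of-signer-certificate"
ANCHOR_DER = b"constructed-der-of-out-of-band-trust-anchor"

if __name__ == "__main__":
    encoded = build_protected_header("ES256", [LEAF_DER, ANCHOR_DER])
    header = decode_protected_header(encoded)
    print("secured form  :", encoded)
    print("decoded view  :\n" + json.dumps(header, indent=2))
    print("problems      :", check_header(header, ANCHOR_DER))
```

Running it shows the two faces of the same header: the base64url string that is actually signed, and the indented JSON a reader sees in a figure. The check then reports that `x5c[1]` is the trust anchor, which is exactly the case the "SHOULD be provided out-of-band" sentence leaves unaddressed.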