I just saw http://www.ietf.org/mail-archive/web/oauth/current/msg12218.htmlfrom Hannes noting reviews on draft-ietf-oauth-json-web-token and was surprised that mine wasn't included. So I went looking for it and apparently I didn't actually send it to the list. But I did find it and am including what I wrote and tried but failed to send back in September. Sorry about that.
And here it s: Below are my review comments on the JSON Web Token Document that I (had forgotten until reminded by Hannes yesterday) committed to reviewing at the meeting in Berlin. Review of draft-ietf-oauth-json-web-token-11: * The sentence about the suggested pronunciation being 'jot' is in both the intro and the abstract. Seems like just once would be sufficient. * Should "Base64url Encoding" in the Terminology section also mention the omission/prohibition of line wrapping? * References to sections or appendices in other documents often don't have the correct href value. For example, "Base64url Encoding" in the Terminology section has this problem for Section 3.2, which should point to RFC 4648 and Appendix C, which should go to JWS but both refer to the local document. There are many other instances of the same issue. I assume this is due to some tool in the xml2rfc or I-D upload process (and I know I have it in some of the drafts I author) but is this the kind of thing that the RFC editor will take care of? * I continue to struggle to understand how the type and content type Header parameters and the type claim can or will be used in a meaningful and reliable way. I can't help but wonder if it couldn't be simplified. For example. what if we only had the cty header and defined a cty value for a JWT Claims Set - couldn't all the same things be conveyed? * There are a number of the reserved claims that say the use of the claim is OPTIONAL while also stating that the "JWT MUST be rejected" if some condition about the claim doesn't hold. There seems to be some potential ambiguity here regarding whether (in the absence of tighter context-dependent requirements, which is what generalized JWT libraries need to be built for) the optionality applies only to the producer or also to the consumer of a JWT. My guess is that the claims are optional to include for the producer but, if they are present, they must be validated by the consumer and the JWT must be rejected if whatever condition isn't satisfied. Do I have that right? Regardless, I think there is some ambiguity as currently written that should be clarified. Note that some of these comments relate to or even apply directly to JWS and JWE as well. Which I suppose underscores the point James made a while ago about progressing this document so far ahead of the JOSE drafts. On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes (NSN - FI/Espoo) < hannes.tschofe...@nsn.com> wrote: > Hi again, > > I also checked the minutes from IETF#87 regarding the JWT and here are the > action items: > > ** I issued a WGLC, as discussed during the meeting: > http://www.ietf.org/mail-archive/web/oauth/current/msg11894.html > > ** We got some reviews from James, and Prateek. Thanks, guys! > Here are the reviews: > http://www.ietf.org/mail-archive/web/oauth/current/msg11905.html (James) > http://www.ietf.org/mail-archive/web/oauth/current/msg12003.html (Prateek) > > During the meeting a few others, namely Torsten, Karen, Paul Hoffman, and > Brian volunteered to provide their review comments. Please send your review > to the list. > > ** I will have to do my shepherd write-up as well. > > Ciao > Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
