On Tue, Sep 24, 2019 at 04:33:18PM -0700, Benjamin Kaduk wrote:
> Hi all,
>
> Thanks for the updates; they look good!
>
> Before I kick off the IETF LC, I just have two things I wanted to
> double-check (we may not need a new rev before the LC):
>
> (1) In Section 3.2 (Representation of an Asymmetric Proof-of-Possession
> Key), the last paragraph is somewhat different from the main content, in
> that it mentions using "COSE_Key" for an encrypted symmetric key, analogous
> to the last paragraph of Section 3.2 of RFC 7800. I had wanted to see some
> additional discussion, but we agreed that this was analogous to RFC 7800
> and we did not need to go "out of parity" with it on this point. So we
> should be able to go ahead without new text here, but did we want to
> explicitly refer back to that portion of RFC 7800 to make the connection
> clear?
>
> (2) In https://github.com/cwt-cnf/i-d/pull/27/files we removed a large
> chunk of text since it contained several things that are inaccurate. The
> only thing that was removed that I wanted to check if we should think
> about keeping was the note that the same key might be referred to by
> different key IDs in messages directed to different recipients. What do
> people think about that?
Oops, and my notes were unfortunately misaligned to the terminal window size:

(3) I think we were going to change the [JWT] reference to [CWT], in
Section 4:

   Applications utilizing proof of possession SHOULD also utilize
   audience restriction, as described in Section 4.1.3 of [JWT], as it
   provides additional protections. Audience restriction can be used by
   recipients to reject messages intended for different recipients.

That way we won't get asked to make [JWT] a normative reference.

-Ben