Hi Michael,

Thanks for the review, I appreciate it! Apologies for the late reply - family holiday. Responses inline below. 

On 24 Jul 2025, at 10:35, Michael Jones <[email protected]> wrote:



Thanks for writing the document, Neil.  Here are my review comments based on reading draft-ietf-jose-deprecate-none-rsa15-02.

 

1.1. The 'none' algorithm: I suggest sorting the list of CVEs by date.


Will do. 

 

1.1. The 'none' algorithm: After the sentence beginning “Although there are some legitimate use-cases for Unsecured JWS”, I suggest adding this text:

One of the legitimate use cases for Unsecured JWSs is OpenID Connect ID Tokens secured by sending them over a TLS connection, as described in Section 2 of [OpenID.Core].  Another legitimate use is unsigned request objects, as described in Section 6.1 of [OpenID.Core].


I’m open to adding something along these lines. I’ll raise a PR. 

 

The reference for [OpenID.Core] is:

<reference anchor="OpenID.Core" target="https://openid.net/specs/openid-connect-core-1_0.html">
  <front>
    <title>OpenID Connect Core 1.0</title>

    <author fullname="Nat Sakimura" initials="N." surname="Sakimura">
      <organization abbrev="NAT.Consulting (was at NRI)">NAT.Consulting</organization>
    </author>

    <author fullname="John Bradley" initials="J." surname="Bradley">
      <organization abbrev="Yubico (was at Ping Identity)">Yubico</organization>
    </author>

    <author fullname="Michael B. Jones" initials="M.B." surname="Jones">
      <organization abbrev="Self-Issued Consulting (was at Microsoft)">Self-Issued Consulting</organization>
    </author>

    <author fullname="Breno de Medeiros" initials="B." surname="de Medeiros">
      <organization abbrev="Google">Google</organization>
    </author>

    <author fullname="Chuck Mortimore" initials="C." surname="Mortimore">
      <organization abbrev="Disney (was at Salesforce)">Disney</organization>
    </author>

    <date day="15" month="December" year="2023"/>
  </front>
</reference>


Thanks. 

 

4.2. Updated Review Instructions for Designated Experts: I suggest changing the somewhat inaccessible phrase “reasonably conjectured” to “believed”.


Yeah, that’s probably better. I wanted to make sure the interpretation is “general consensus among experts”. 

 

4.2. Updated Review Instructions for Designated Experts: Capitalize “section” in references to section numbers and likewise capitalize “chapter”.  (I believe the RFC Editor will do this to follow IETF style guidelines, so you might as well do it now.)


Will do. 

 

Appendix A. Acknowledgments: Please change “Michael Jones” to “Michael B. Jones”.  I use my middle initial in professional contexts because there are so many people in the world who share my name.  Thanks!


Of course, happy to change this. 

Best wishes,

Neil