On 02/10/14 17:25, Mike Jones wrote:
> OK - I'll start prefixing my text with "Mike> ".

Many thanks.

S

> 
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farr...@cs.tcd.ie] 
> Sent: Thursday, October 02, 2014 8:49 AM
> To: Mike Jones; Alissa Cooper; The IESG
> Cc: oauth-cha...@tools.ietf.org; 
> draft-ietf-oauth-json-web-to...@tools.ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Alissa Cooper's Discuss on 
> draft-ietf-oauth-json-web-token-27: (with DISCUSS)
> 
> 
> Mike,
> 
> I cannot tell which is your text and which not.
> 
> Can you please use a better quoting style? These docs are going to be a total 
> PITA to handle otherwise.
> 
> Thanks,
> S.
> 
> 
> On 02/10/14 16:14, Mike Jones wrote:
>> Responding to the DISCUSS below…
>>
>> -----Original Message-----
>> From: Alissa Cooper [mailto:ali...@cooperw.in]
>> Sent: Wednesday, October 01, 2014 12:25 PM
>> To: The IESG
>> Cc: oauth-cha...@tools.ietf.org; 
>> draft-ietf-oauth-json-web-to...@tools.ietf.org
>> Subject: Alissa Cooper's Discuss on 
>> draft-ietf-oauth-json-web-token-27: (with DISCUSS)
>>
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-oauth-json-web-token-27: Discuss
>>
>> When responding, please keep the subject line intact and reply to all 
>> email addresses included in the To and CC lines. (Feel free to cut 
>> this introductory paragraph, however.)
>>
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> == Section 12 ==
>>
>> "A JWT may contain privacy-sensitive information.  When this is the
>>    case, measures must be taken to prevent disclosure of this
>>    information to unintended parties."
>>
>> It seems to me that this should be a normative MUST, particularly in light 
>> of the fact that claims are being defined that are meant to directly 
>> identify users (e.g., sub) and other claims defined here or later could do 
>> so as well.
>>
>> There seems to be debate whether 2119 language should be used other than 
>> when describing protocol requirements.  Jim Schaad (the JOSE chair) believes 
>> that they shouldn't and these documents have followed that convention.
>>
>> "One way to achieve this is to use
>>    an encrypted JWT.  Another way is to ensure that JWTs containing
>>    unencrypted privacy-sensitive information are only transmitted over
>>    encrypted channels or protocols, such as TLS."
>>
>> Since sensitive JWTs should be protected from both intermediary 
>> observation and from being sent to unintended recipients, I would
>> suggest:
>>
>> One way to achieve this is to use an encrypted JWT and authenticate the 
>> recipient. Another way is to ensure that JWTs containing unencrypted 
>> privacy-sensitive information are only transmitted over encrypted channels 
>> or protocols that also support endpoint authentication, such as TLS.
>>
>> Thanks for this suggested language.  We can incorporate something like that.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
