Mike,

Are you about ready to post an update so we can clear some of the discusses and 
comments that have been agreed to (like the comment added below when the 
discuss of Richard's was removed)?

It will help ADs if we are able to reduce and work on the rest.  I find sooner 
rather than later to be easier so they don't need to figure out the issues 
again to clear things that have been agreed upon.

It doesn't need to be over the weekend :-)

Thank you!
Kathleen

Sent from my iPhone

On Oct 11, 2014, at 3:54 PM, Mike Jones <michael.jo...@microsoft.com> wrote:

>> From: Richard Barnes [mailto:r...@ipv.sx] 
>> Sent: Friday, October 10, 2014 2:37 PM
>> To: Mike Jones
>> Cc: The IESG; oauth-cha...@tools.ietf.org; oauth@ietf.org; 
>> draft-ietf-oauth-json-web-to...@tools.ietf.org
>> Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on 
>> draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
>> 
>> On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <michael.jo...@microsoft.com> 
>> wrote:
>> Thanks for your review, Richard.  My responses are inline below...
>> 
>>> -----Original Message-----
>>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Richard Barnes
>>> Sent: Wednesday, October 01, 2014 7:57 PM
>>> To: The IESG
>>> Cc: oauth-cha...@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-
>>> to...@tools.ietf.org
>>> Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-
>>> token-27: (with DISCUSS and COMMENT)
>>> 
>>> Richard Barnes has entered the following ballot position for
>>> draft-ietf-oauth-json-web-token-27: Discuss
>>> 
>>> When responding, please keep the subject line intact and reply to all email
>>> addresses included in the To and CC lines. (Feel free to cut this 
>>> introductory
>>> paragraph, however.)
>>> 
>>> 
>>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>> 
>>> 
>>> The document, along with other ballot positions, can be found here:
>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> Section 7.
>>> In order to prevent confusion between secured and Unsecured JWTs, the
>>> validation steps here need to call for the application to specify which is 
>>> required.
>> 
>> Per my response on your JWS comments, this is already handled in a more 
>> general way in the JWS validation steps.  Specifically, the last paragraph 
>> of Section 5.2 is:
>> 
>> "Finally, note that it is an application decision which algorithms are 
>> acceptable in a given context. Even if a JWS can be successfully validated, 
>> unless the algorithm(s) used in the JWS are acceptable to the application, 
>> it SHOULD reject the JWS."
>> 
>> I've cleared this DISCUSS in the interest of having this fight over in JWS 
>> thread.  But I also added the following COMMENT:
>> "It would be good for this document to pass on the note from JWS about 
>> selecting which algorithms are acceptable, and in particular, whether 
>> unsecured JWTs are acceptable."
> 
> Thanks for clearing the DISCUSS.  I'm fine repeating the note about 
> acceptable algorithms in the JWT spec, assuming others are.
> 
>> I would therefore request that you likewise withdraw this DISCUSS on that 
>> basis.
> 
>                -- Mike
> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
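The check the quoted JWS Section 5.2 note describes (the application decides which algorithms are acceptable, and an Unsecured JWT is accepted only when "none" is explicitly on that list), as an added example that is not part of this thread or of the JWT/JWS specifications. It implements only the "none" and HS256 algorithms, and the key and claims are constructed for the demo.

```python
import base64, hashlib, hmac, json

def _b64url_decode(s: str) -> bytes:
    # base64url without padding (JWS); restore padding for the stdlib decoder
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def validate_jwt(token: str, acceptable_algs: set, key: bytes = b"") -> dict:
    """Return the claims if the JWT validates under the application's algorithm
    policy, else raise ValueError. Only 'none' and HS256 are implemented here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    h_b64, p_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(h_b64)).get("alg")
    # Application decision first: an alg outside the policy is rejected even
    # if the signature would otherwise verify (the JWS Section 5.2 note).
    if alg not in acceptable_algs:
        raise ValueError(f"alg {alg!r} not acceptable to this application")
    if alg == "none":
        # Unsecured JWT: allowed only by explicit policy, and only with an empty signature
        if sig_b64 != "":
            raise ValueError("Unsecured JWT must carry an empty signature")
    elif alg == "HS256":
        signing_input = f"{h_b64}.{p_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("HMAC signature mismatch")
    else:
        raise ValueError(f"alg {alg!r} is acceptable but not implemented here")
    return json.loads(_b64url_decode(p_b64))

def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact JWT for the demo ('none' or HS256)."""
    h = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{h}.{p}."
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed, not from the thread
    print(validate_jwt(make_jwt({"sub": "alice"}, "HS256", KEY), {"HS256"}, KEY))
    try:  # same claims as an Unsecured JWT, rejected under an HS256-only policy
        validate_jwt(make_jwt({"sub": "alice"}, "none"), {"HS256"}, KEY)
    except ValueError as e:
        print("rejected:", e)
```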
