The proposed resolution below has been incorporated in the -28 draft. Hopefully you can clear your DISCUSS on that basis.
Thanks again,
-- Mike

> -----Original Message-----
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones
> Sent: Saturday, October 11, 2014 12:54 PM
> To: Richard Barnes
> Cc: draft-ietf-oauth-json-web-to...@tools.ietf.org; oauth-cha...@tools.ietf.org; The IESG; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
>
> > From: Richard Barnes [mailto:r...@ipv.sx]
> > Sent: Friday, October 10, 2014 2:37 PM
> > To: Mike Jones
> > Cc: The IESG; oauth-cha...@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-to...@tools.ietf.org
> > Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
> >
> > On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <michael.jo...@microsoft.com> wrote:
> > Thanks for your review, Richard. My responses are inline below...
> >
> > > -----Original Message-----
> > > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Richard Barnes
> > > Sent: Wednesday, October 01, 2014 7:57 PM
> > > To: The IESG
> > > Cc: oauth-cha...@tools.ietf.org; oauth@ietf.org; draft-ietf-oauth-json-web-to...@tools.ietf.org
> > > Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)
> > >
> > > Richard Barnes has entered the following ballot position for
> > > draft-ietf-oauth-json-web-token-27: Discuss
> > >
> > > When responding, please keep the subject line intact and reply to
> > > all email addresses included in the To and CC lines. (Feel free to
> > > cut this introductory paragraph, however.)
> > >
> > > Please refer to
> > > http://www.ietf.org/iesg/statement/discuss-criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > > The document, along with other ballot positions, can be found here:
> > > http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
> > >
> > > ----------------------------------------------------------------------
> > > DISCUSS:
> > > ----------------------------------------------------------------------
> > >
> > > Section 7.
> > > In order to prevent confusion between secured and Unsecured JWTs,
> > > the validation steps here need to call for the application to specify
> > > which is required.
> >
> > Per my response on your JWS comments, this is already handled in a more
> > general way in the JWS validation steps. Specifically, the last paragraph of
> > Section 5.2 is:
> >
> > "Finally, note that it is an application decision which algorithms are
> > acceptable in a given context. Even if a JWS can be successfully validated,
> > unless the algorithm(s) used in the JWS are acceptable to the application,
> > it SHOULD reject the JWS."
> >
> > I've cleared this DISCUSS in the interest of having this fight over in JWS
> > thread. But I also added the following COMMENT:
> >
> > "It would be good for this document to pass on the note from JWS about
> > selecting which algorithms are acceptable, and in particular, whether
> > unsecured JWTs are acceptable."
>
> Thanks for clearing the DISCUSS. I'm fine repeating the note about acceptable
> algorithms in the JWT spec, assuming others are.
>
> > I would therefore request that you likewise withdraw this DISCUSS on that
> > basis.
>
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
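
The point debated in this thread, that the application and not the token decides which algorithms (including "none") are acceptable, shown as an added example that is not part of the original messages or of the JWT/JWS drafts. The function names, the `allowed_algs` parameter and the demo key are assumptions made for illustration; only HS256 and "none" are implemented.

```python
import base64, hashlib, hmac, json

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact JWT; alg 'none' yields an Unsecured JWT (empty signature)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_jwt(token: str, key: bytes, allowed_algs: set) -> dict:
    """Return the claims or raise ValueError. allowed_algs is the caller's policy."""
    h, p, s = token.split(".")  # ValueError unless exactly three segments
    header = json.loads(b64url_decode(h))
    alg = header.get("alg") if isinstance(header, dict) else None
    # Policy check comes first: the header is sender-controlled, so it may
    # only name an algorithm the application has already said it accepts.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not acceptable to this application")
    if alg == "none":
        # Reached only when the application explicitly opted in to Unsecured JWTs.
        if s != "":
            raise ValueError("Unsecured JWT must carry an empty signature")
    elif alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("signature mismatch")
    else:
        raise ValueError(f"algorithm {alg!r} is not implemented in this sketch")
    return json.loads(b64url_decode(p))

# Constructed sample inputs (not from the thread).
DEMO_KEY = b"constructed-demo-key"
SIGNED = make_jwt({"sub": "alice"}, "HS256", DEMO_KEY)
UNSECURED = make_jwt({"sub": "alice", "admin": True}, "none")
```

A caller that expects signed tokens passes `{"HS256"}` and the Unsecured JWT is rejected even though it is well-formed; it validates only when the caller passes `{"none"}`.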