Comments on this version of the draft.

Section 7 - Step 6 & 7 - I do not know if it is legal to have a CWT CBOR tag at this point.

Section 7 - In Step 7 - it must be a valid CBOR map, not just a valid CBOR object.

Appendix A.3 - I was unable to reproduce the example. I assume that this means that a deterministic signature algorithm is not being used. While a verifier cannot tell if one is being used, the COSE document does strongly suggest that one be used. Additionally, it helps in testing if one is used so that a signature creator can be more easily tested.

Appendix A.5 - I was unable to reproduce the example. Specifically, the tag value does not match the one that I compute.

Appendix A.6 - I did not try to reproduce given that a) I would not generate the same signature and b) the example A.5 failed.

Minor:

In section 1.1 s/In COSE/In CBOR/ - this is a comment on CBOR, not on COSE.

In section 2: s/CBOR encoded claim key/CBOR claim key/
* I am unsure why you would think that encoded is needed here.
* Should this be CWT rather than CBOR?
* Why is section 3.1 "Claim Names" rather than "Claim Keys"?

In section 2: Is there a reason not to define CWT claim value in this section?

In section 3.1.1 and on - the following might be considered cleaner:
s/except that the format MUST be a/except that the value MUST be of type/

Section 9.1.2 - I would suggest assigning a name to the reserved entry.

-----Original Message-----
From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of internet-dra...@ietf.org
Sent: Monday, June 5, 2017 6:27 PM
To: i-d-annou...@ietf.org
Cc: ace@ietf.org
Subject: [Ace] I-D Action: draft-ietf-ace-cbor-web-token-05.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Authentication and Authorization for Constrained Environments of the IETF.

        Title           : CBOR Web Token (CWT)
        Authors         : Michael B. Jones
                          Erik Wahlström
                          Samuel Erdtman
                          Hannes Tschofenig
        Filename        : draft-ietf-ace-cbor-web-token-05.txt
        Pages           : 23
        Date            : 2017-06-05

Abstract:
   CBOR Web Token (CWT) is a compact means of representing claims to be
   transferred between two parties. The claims in a CWT are encoded in
   the Concise Binary Object Representation (CBOR) and CBOR Object
   Signing and Encryption (COSE) is used for added application layer
   security protection. A claim is a piece of information asserted
   about a subject and is represented as a name/value pair consisting of
   a claim name and a claim value. CWT is derived from JSON Web Token
   (JWT), but uses CBOR rather than JSON.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ace-cbor-web-token/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-05
https://datatracker.ietf.org/doc/html/draft-ietf-ace-cbor-web-token-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-cbor-web-token-05

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
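
Added example, not part of the original message or of the draft: a validator that accepts a claims set only when its top-level CBOR item is a map, which is the stricter check the Section 7 / Step 7 comment asks for. The `allow_tag` switch is a hypothetical policy flag standing in for the open question about a leading tag, the sample byte strings (including tag number 100) are constructed, and only the top-level type is checked, not the well-formedness of the map's contents.

```python
MAJOR_MAP, MAJOR_TAG = 5, 6  # CBOR major types for map and tag

def read_head(data, pos=0):
    """Decode one CBOR initial byte and its argument.
    Returns (major_type, argument, next_pos); argument is None when the
    additional information is 31 (indefinite length)."""
    if pos >= len(data):
        raise ValueError("truncated CBOR: no initial byte")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:                      # argument held in the initial byte
        return major, info, pos
    if info == 31:                     # indefinite-length marker
        return major, None, pos
    if info > 27:                      # 28..30 are reserved
        raise ValueError("reserved additional information value")
    width = 1 << (info - 24)           # 1, 2, 4 or 8 argument bytes
    if pos + width > len(data):
        raise ValueError("truncated CBOR: argument cut short")
    return major, int.from_bytes(data[pos:pos + width], "big"), pos + width

def claims_set_is_map(data, allow_tag=False):
    """True only if the top-level item is a CBOR map.
    allow_tag (hypothetical policy switch): tolerate leading tags and
    inspect the item they wrap; when False, any tagged input is rejected."""
    major, arg, pos = read_head(data)
    while major == MAJOR_TAG:
        if not allow_tag or arg is None:   # a tag has no indefinite form
            return False
        major, arg, pos = read_head(data, pos)
    return major == MAJOR_MAP

# Constructed sample inputs (not taken from the draft's appendices).
_text = b"coap://as.example.com"
TEXT_ONLY = bytes([0x60 + len(_text)]) + _text   # valid CBOR, but a text string
CLAIMS = bytes([0xA1, 0x01]) + TEXT_ONLY         # map with one pair: 1 -> text
TAGGED = bytes([0xD8, 0x64]) + CLAIMS            # same map under arbitrary tag 100

if __name__ == "__main__":
    for name, blob in (("map", CLAIMS), ("text", TEXT_ONLY), ("tagged", TAGGED)):
        print(name, claims_set_is_map(blob), claims_set_is_map(blob, allow_tag=True))
```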