I'm fine with us making both of the proposed changes.
Thanks,
-- Mike
-Original Message-
From: Benjamin Kaduk
Sent: Tuesday, September 24, 2019 4:35 PM
To: draft-ietf-ace-cwt-proof-of-possession@ietf.org
Cc: ace@ietf.org
Subject: Re: New Version Notification -
draft-ietf-ace-cwt-proof-of-possession-07.txt
On Tue, Sep 24, 2019 at 04:33:18PM -0700, Benjamin Kaduk wrote:
> Hi all,
>
> Thanks for the updates; they look good!
>
> Before I kick off the IETF LC, I just have two things I wanted to
> double-check (we may not need a new rev before the LC):
>
> (1) In Section 3.2 (Representation of an Asymmetric
> Proof-of-Possession Key), the last paragraph is a somewhat different
> from the main content, in that it mentions using "COSE_Key" for an
> encrypted symmetric key, analogous to the last paragraph of Section
> 3.2 of RFC 7800. I had wanted to see some additional discussion, but
> we agreed that this was analogous to RFC 7800 and we did not need to
> go "out of parity" with it on this point. So we should be able to go
> ahead without new text here, but did we want to explicitly refer back
> to that portion of RFC 7800 to make the connection clear?
>
> (2) In
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> ub.com%2Fcwt-cnf%2Fi-d%2Fpull%2F27%2Ffilesdata=02%7C01%7CMichael.
> Jones%40microsoft.com%7C3db4c9b38e6a4b2a13e408d74147db9e%7C72f988bf86f
> 141af91ab2d7cd011db47%7C1%7C1%7C637049649201375862sdata=vAL0NqVzv
> sqDAt5JYv0HdtUomFc5ldKJQtla3dtL%2BuM%3Dreserved=0 we removed a large
> chunk of text since it contained several things that are inaccurate. The
> only things that were removed that I wanted to check if we should think about
> keeping was the note that the same key might be referred to by different key
> IDs in messages directed to different recipients. What do people think about
> that?
Oops, and my notes were unfortunately misalgined to the terminal window
size:
(3) I think we were going to change the [JWT] reference to [CWT], in Section 4:
Applications utilizing proof of possession SHOULD also utilize
audience restriction, as described in Section 4.1.3 of [JWT], as it
provides additional protections. Audience restriction can be used by
recipients to reject messages intended for different recipients.
That way we won't get asked to make [JWT] a normative reference.
-Ben
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace