Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt

2019-09-24 Thread Mike Jones
I'm fine with us making both of the proposed changes.

Thanks,
-- Mike

-Original Message-
From: Benjamin Kaduk  
Sent: Tuesday, September 24, 2019 4:35 PM
To: draft-ietf-ace-cwt-proof-of-possession@ietf.org
Cc: ace@ietf.org
Subject: Re: New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt

On Tue, Sep 24, 2019 at 04:33:18PM -0700, Benjamin Kaduk wrote:
> Hi all,
> 
> Thanks for the updates; they look good!
> 
> Before I kick off the IETF LC, I just have two things I wanted to 
> double-check (we may not need a new rev before the LC):
> 
> (1) In Section 3.2 (Representation of an Asymmetric 
> Proof-of-Possession Key), the last paragraph is somewhat different 
> from the main content, in that it mentions using "COSE_Key" for an 
> encrypted symmetric key, analogous to the last paragraph of Section 
> 3.2 of RFC 7800.  I had wanted to see some additional discussion, but 
> we agreed that this was analogous to RFC 7800 and we did not need to 
> go "out of parity" with it on this point.  So we should be able to go 
> ahead without new text here, but did we want to explicitly refer back 
> to that portion of RFC 7800 to make the connection clear?
> 
> (2) In https://github.com/cwt-cnf/i-d/pull/27/files we removed a large 
> chunk of text since it contained several things that are inaccurate.  The 
> only thing that was removed that I wanted to check whether we should think about 
> keeping was the note that the same key might be referred to by different key 
> IDs in messages directed to different recipients.  What do people think about 
> that?

Oops, and my notes were unfortunately misaligned to the terminal window
size:

(3) I think we were going to change the [JWT] reference to [CWT], in Section 4:

   Applications utilizing proof of possession SHOULD also utilize
   audience restriction, as described in Section 4.1.3 of [JWT], as it
   provides additional protections.  Audience restriction can be used by
   recipients to reject messages intended for different recipients.

That way we won't get asked to make [JWT] a normative reference.

-Ben

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace


Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt

2019-09-24 Thread Benjamin Kaduk
On Tue, Sep 24, 2019 at 04:33:18PM -0700, Benjamin Kaduk wrote:
> Hi all,
> 
> Thanks for the updates; they look good!
> 
> Before I kick off the IETF LC, I just have two things I wanted to
> double-check (we may not need a new rev before the LC):
> 
> (1) In Section 3.2 (Representation of an Asymmetric Proof-of-Possession
> Key), the last paragraph is somewhat different from the main content, in
> that it mentions using "COSE_Key" for an encrypted symmetric key, analogous
> to the last paragraph of Section 3.2 of RFC 7800.  I had wanted to see some
> additional discussion, but we agreed that this was analogous to RFC 7800
> and we did not need to go "out of parity" with it on this point.  So we
> should be able to go ahead without new text here, but did we want to
> explicitly refer back to that portion of RFC 7800 to make the connection
> clear?
> 
> (2) In https://github.com/cwt-cnf/i-d/pull/27/files we removed a large
> chunk of text since it contained several things that are inaccurate.  The
> only thing that was removed that I wanted to check whether we should think
> about keeping was the note that the same key might be referred to by
> different key IDs in messages directed to different recipients.  What do
> people think about that?

Oops, and my notes were unfortunately misaligned to the terminal window
size:

(3) I think we were going to change the [JWT] reference to [CWT], in
Section 4:

   Applications utilizing proof of possession SHOULD also utilize
   audience restriction, as described in Section 4.1.3 of [JWT], as it
   provides additional protections.  Audience restriction can be used by
   recipients to reject messages intended for different recipients.

That way we won't get asked to make [JWT] a normative reference.

-Ben

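The audience-restriction recommendation quoted in point (3), as an added example that is not part of the thread or of the draft: a recipient-side check that first confirms the CWT was issued for this recipient and only then extracts the proof-of-possession confirmation. Claim labels are assumed from the CWT claims registry (aud=3, cnf=8) and the confirmation-method labels from RFC 8747, the published form of this draft (COSE_Key=1, Encrypted_COSE_Key=2, kid=3); the token is modelled as an already-decoded, signature-verified CBOR map (a dict with integer labels), and the `require_aud=False` path only exists to show what a recipient that skips the check would accept.

```python
# Added example, not from the draft or the mailing-list thread.
# Assumed labels: CWT aud=3, cnf=8; cnf methods COSE_Key=1, Encrypted_COSE_Key=2, kid=3.
# CBOR decoding and COSE signature verification are assumed to have happened already.

AUD, CNF = 3, 8
COSE_KEY, ENCRYPTED_COSE_KEY, KID = 1, 2, 3


class PoPTokenRejected(Exception):
    """Raised when a proof-of-possession token must not be used by this recipient."""


def audience_matches(aud_claim, my_audience):
    # JWT Section 4.1.3 allows a single value or an array of values; accept both shapes.
    if isinstance(aud_claim, (list, tuple)):
        return my_audience in aud_claim
    return aud_claim == my_audience


def accept_pop_token(claims, my_audience, require_aud=True):
    """Return (method_name, value) for the confirmation key in a verified CWT,
    or raise PoPTokenRejected.  With require_aud=False a token minted for a
    different recipient is accepted, which is the weakness audience
    restriction is meant to close."""
    if require_aud:
        if AUD not in claims:
            raise PoPTokenRejected("no aud claim: cannot tell who this token is for")
        if not audience_matches(claims[AUD], my_audience):
            raise PoPTokenRejected("aud %r does not name this recipient" % (claims[AUD],))
    cnf = claims.get(CNF)
    if not isinstance(cnf, dict):
        raise PoPTokenRejected("cnf claim missing or not a map")
    # Exactly one proof-of-possession key representation is expected.
    present = [m for m in (COSE_KEY, ENCRYPTED_COSE_KEY, KID) if m in cnf]
    if len(present) != 1:
        raise PoPTokenRejected("cnf must carry exactly one proof-of-possession key")
    method, value = present[0], cnf[present[0]]
    if method == COSE_KEY and isinstance(value, dict):
        return ("COSE_Key", value)
    if method == ENCRYPTED_COSE_KEY and isinstance(value, list):
        # COSE_Encrypt0 / COSE_Encrypt decode to a CBOR array.
        return ("Encrypted_COSE_Key", value)
    if method == KID and isinstance(value, bytes):
        return ("kid", value)
    raise PoPTokenRejected("malformed confirmation value for method %r" % (method,))


# Constructed sample: a token issued for resource server "rs1" whose PoP key is
# referenced by key ID.  A different recipient ("rs2") must reject it.
SAMPLE_CLAIMS = {1: "as.example", AUD: "rs1", 4: 1600000000, CNF: {KID: b"\x01\x02"}}
```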