Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

2018-05-08 Thread Mike Jones
Hi Carsten,

In preparing a description of the changes made for WGLC, I reread your comments 
below and saw that we failed to do the update to the RFC 8174 template.  I've 
made a note of it and will plan to do so when we next edit the document.

Responding to your point about the "+jwt" structured syntax registration - this 
registration is being done by 
https://tools.ietf.org/html/draft-ietf-secevent-token-11#section-7.2.  This 
document will be discussed on this week's telechat.

I believe that all your other points below have been addressed.

Thanks again,
-- Mike

-Original Message-
From: OAuth  On Behalf Of Carsten Bormann
Sent: Tuesday, April 17, 2018 4:59 AM
To: Hannes Tschofenig 
Cc: oauth 
Subject: Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current 
Practices

On Apr 17, 2018, at 12:24, Carsten Bormann  wrote:
> 
>  ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)

That also gives rise to:

Minor technical comment: 2.3 claims that JSON can be in different encodings.  
This is no longer really the case with RFC 8259 (see Section 8.1).  Please fix 
the wording to remove the untrue claim (no pun intended).

Major technical comment: Section 3.9 recommends the use of media types of the 
form application/example+jwt.
I don’t find a registration for the RFC 6839 structured syntax suffix "+jwt".  
If this recommendation is desired, this document will need to register it 
(preferred) or refer to a document that does.

Nit: Section 1.2 could use the newer template (as per RFC 8174) here.
Nit: Section 3.6: s/use/use or admit the use of/
Nit: Section 3.8: s/not/not present or not/

I think these are all solved in an obvious way, and once done I strongly 
support this document to go forward.

Grüße, Carsten

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

2018-05-08 Thread Rifaat Shekh-Yusef
Thanks Mike!

Hannes and I will review the document and get back to you on this next week.

Regards,
 Rifaat


On Tue, May 8, 2018 at 3:26 AM, Mike Jones 
wrote:

> Dear OAuth chairs,
>
> The editors of the JWT BCP published
> https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-02 to address all the
> WGLC feedback received and
> https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-03 to add an
> acknowledgement.  Given that the WGLC expired 1.5 weeks ago and all the
> comments have been addressed, the editors believe that it's time to request
> publication.  Could you please take the necessary chair actions to do so?
>
> I know that I'm personally finding more and more circumstances in which
> I'm referring people to content in this draft BCP and so it seems to me
> that it would be useful to get it published soon as a real BCP.
>
> Thanks again,
> -- Mike
>
> P.S.  Thanks again to Kathleen for urging us to create this BCP, based on
> the increasingly widespread use of JWT within the IETF!
>
> -Original Message-
> From: OAuth  On Behalf Of Hannes Tschofenig
> Sent: Monday, April 16, 2018 10:49 AM
> To: oauth 
> Subject: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current
> Practices
>
> Hi all,
>
> this is a last call for comments on
> https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-01
>
> Please have your comments in no later than April 30th.
>
> Do remember to send a note in if you have read the document and have no
> other comments other than "it's ready to go" - we need those as much as we
> need "I found a problem".
>
> Ciao
> Hannes & Rifaat
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.


Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

2018-05-08 Thread Mike Jones
Dear OAuth chairs,

The editors of the JWT BCP published 
https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-02 to address all the WGLC 
feedback received and https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-03 
to add an acknowledgement.  Given that the WGLC expired 1.5 weeks ago and all 
the comments have been addressed, the editors believe that it's time to request 
publication.  Could you please take the necessary chair actions to do so?

I know that I'm personally finding more and more circumstances in which I'm 
referring people to content in this draft BCP and so it seems to me that it 
would be useful to get it published soon as a real BCP.

Thanks again,
-- Mike

P.S.  Thanks again to Kathleen for urging us to create this BCP, based on the 
increasingly widespread use of JWT within the IETF!

-Original Message-
From: OAuth  On Behalf Of Hannes Tschofenig
Sent: Monday, April 16, 2018 10:49 AM
To: oauth 
Subject: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current 
Practices

Hi all,

this is a last call for comments on
https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-01

Please have your comments in no later than April 30th.

Do remember to send a note in if you have read the document and have no other 
comments other than "it's ready to go" - we need those as much as we need "I 
found a problem".

Ciao
Hannes & Rifaat


Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

2018-04-17 Thread Carsten Bormann
On Apr 17, 2018, at 12:24, Carsten Bormann  wrote:
> 
>  ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)

That also gives rise to:

Minor technical comment: 2.3 claims that JSON can be in different encodings.  
This is no longer really the case with RFC 8259 (see Section 8.1).  Please fix 
the wording to remove the untrue claim (no pun intended).

Major technical comment: Section 3.9 recommends the use of media types 
of the form application/example+jwt.
I don’t find a registration for the RFC 6839 structured syntax
suffix "+jwt".  If this recommendation is desired, this document will
need to register it (preferred) or refer to a document that does.

Nit: Section 1.2 could use the newer template (as per RFC 8174) here.
Nit: Section 3.6: s/use/use or admit the use of/
Nit: Section 3.8: s/not/not present or not/

I think these are all solved in an obvious way, and once done I strongly 
support this document to go forward.

Grüße, Carsten



Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

2018-04-17 Thread Carsten Bormann
I haven’t read the document yet, but idnits did some reading for me:

  ** The document seems to lack a Security Considerations section.

  ** The abstract seems to contain references ([RFC7519]), which it
 shouldn't.  Please replace those with straight textual mentions of the
 documents in question.

  ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)

I’ll get to the content later…

Grüße, Carsten



Re: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

2018-04-16 Thread Mike Jones
The JWT BCP spec is ready to publish.

-- Mike

-Original Message-
From: OAuth  On Behalf Of Hannes Tschofenig
Sent: Monday, April 16, 2018 10:49 AM
To: oauth 
Subject: [OAUTH-WG] Working Group Last Call: JSON Web Token Best Current 
Practices

Hi all,

this is a last call for comments on
https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-01

Please have your comments in no later than April 30th.

Do remember to send a note in if you have read the document and have no other 
comments other than "it's ready to go" - we need those as much as we need "I 
found a problem".

Ciao
Hannes & Rifaat


[OAUTH-WG] Working Group Last Call: JSON Web Token Best Current Practices

2018-04-16 Thread Hannes Tschofenig
Hi all,

this is a last call for comments on
https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-01

Please have your comments in no later than April 30th.

Do remember to send a note in if you have read the document and have no other 
comments other than "it's ready to go" - we need those as much as we need "I 
found a problem".

Ciao
Hannes & Rifaat