Discussion:
[OAUTH-WG] Ben Campbell's Yes on draft-ietf-oauth-jwsreq-12: (with COMMENT)
Ben Campbell
2017-02-16 03:26:31 UTC
Ben Campbell has entered the following ballot position for
draft-ietf-oauth-jwsreq-12: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

- 4, "Since it is a JWT, JSON strings MUST be represented in UTF-8.": Is
that a new requirement, or a statement of fact about an existing JWT
requirement?

- 5.2: I'm not sure all readers will understand the meaning of "feature
phone". Also, WAP and 2G don't seem all that relevant in 2017.

- 5.2.1, first sentence, "The URL MUST be HTTPS URL.": Is that redundant
to the similar requirement in the previous section? That instance had an
"unless" clause, but this one does not.

-- 2nd paragraph: "... MUST have appropriate entropy for its lifetime."
Can you offer discussion (or a reference) for what constitutes
"appropriate entropy"?

-- 3rd paragraph: Is it reasonable that one would know if TLS would offer
adequate authentication at the time of the signing decision?

- 5.2.3, 2nd paragraph: "SHOULD use a unique URI": Why not MUST? Would it
ever be reasonable to not do this?

- 6.1, 2nd paragraph: What if validation fails?

- 13: Do you want this in the final RFC? If not, it would be wise to add
a note to the RFC editor to that effect.
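Two of the points above (the 5.2.1 "appropriate entropy" requirement on the request_uri and the 6.1 question of what happens when validation fails) are easier to reason about with the server-side logic spelled out. The following is an added example, not code from this ballot message or from the jwsreq draft. It assumes HS256 with a per-client shared secret as a stand-in for the client's registered signing key, constructed identifiers (as.example, client.example, the client id), an in-memory dictionary in place of the HTTPS fetch of the request_uri, and the error codes invalid_request_uri and invalid_request_object, which are my recollection of the draft's error section rather than values taken from this page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

AS_ISSUER = "https://as.example"      # constructed authorization server identifier
CLIENT_ID = "s6BhdRkqt3"               # constructed client identifier
REQUEST_URI_TTL = 600                  # constructed: seconds a published reference stays valid
MIN_REFERENCE_BITS = 128               # constructed floor for "appropriate entropy"


class RequestObjectError(Exception):
    """Validation failure carrying the OAuth error code to return to the client."""
    def __init__(self, code: str, description: str):
        super().__init__(f"{code}: {description}")
        self.code = code
        self.description = description


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: compact-serialised JWS (HS256) over the request claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def reference_bits(reference: str) -> int:
    """Upper bound on the entropy a base64url reference can carry (6 bits per character)."""
    return len(reference) * 6


_hosted = {}  # constructed stand-in for the client's HTTPS endpoint: uri -> (jws, expiry)


def publish_request_object(jws: str, now=None) -> str:
    """Client side: host the request object under a fresh, unguessable HTTPS URL."""
    now = time.time() if now is None else now
    reference = secrets.token_urlsafe(32)  # 32 random bytes: 256 bits in 43 base64url chars
    assert reference_bits(reference) >= MIN_REFERENCE_BITS
    uri = f"https://client.example/ro/{reference}"  # constructed host
    _hosted[uri] = (jws, now + REQUEST_URI_TTL)
    return uri


def fetch_request_object(uri: str, now=None) -> str:
    """AS side: dereference request_uri. Stand-in for an HTTPS GET of an https:// URL."""
    now = time.time() if now is None else now
    if not uri.startswith("https://"):
        raise RequestObjectError("invalid_request_uri", "request_uri must be an HTTPS URL")
    entry = _hosted.get(uri)
    if entry is None or entry[1] <= now:
        raise RequestObjectError("invalid_request_uri", "request_uri unknown or expired")
    return entry[0]


def validate_request_object(jws: str, secret: bytes, client_id: str, now=None) -> dict:
    """AS side: every check is fatal; there is no fallback to the bare query parameters."""
    now = time.time() if now is None else now
    parts = jws.split(".")
    if len(parts) != 3:
        raise RequestObjectError("invalid_request_object", "not a compact JWS")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # covers binascii.Error, JSONDecodeError and bad UTF-8
        raise RequestObjectError("invalid_request_object", "undecodable JWS segment")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise RequestObjectError("invalid_request_object", "header and payload must be objects")
    if header.get("alg") != "HS256":  # also rejects "none" and any unregistered algorithm
        raise RequestObjectError("invalid_request_object", "unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise RequestObjectError("invalid_request_object", "signature does not verify")
    if claims.get("iss") != client_id or claims.get("client_id") != client_id:
        raise RequestObjectError("invalid_request_object", "iss/client_id mismatch")
    if claims.get("aud") != AS_ISSUER:
        raise RequestObjectError("invalid_request_object", "aud is not this server")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise RequestObjectError("invalid_request_object", "request object expired")
    return claims


def authorize(query: dict, secret: bytes, now=None) -> dict:
    """AS authorization endpoint: the validated claims, or the error to send back."""
    try:
        if "request_uri" in query:
            jws = fetch_request_object(query["request_uri"], now)
        else:
            jws = query["request"]
        claims = validate_request_object(jws, secret, query["client_id"], now)
    except KeyError as missing:
        return {"error": "invalid_request", "error_description": f"missing {missing}"}
    except RequestObjectError as err:
        return {"error": err.code, "error_description": err.description}
    return {"ok": claims}
```

The entropy floor is deliberately a constant the deployment chooses: a 256-bit random path segment tied to a ten-minute lifetime makes guessing the reference infeasible, which is the property the draft's "appropriate entropy for its lifetime" wording is after. On the validation side, the design choice is that every failure path returns an error code and never falls through to the unsigned query parameters, which is the behaviour the 6.1 question is asking the draft to state.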
