Roman Danyliw has entered the following ballot position for draft-ietf-oauth-selective-disclosure-jwt-20: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Thomas Fossati for the GENART review. Thanks for addressing my DISCUSS and COMMENT feedback with -20. Below is additional recommendations based on the DISCUSS feedback: ** Section 7.1 1. Decide which Disclosures to release to the Verifier, obtaining consent if necessary. Thanks for revising this text in -20. I would recommend making it clear that the means to get this “consent” is out of scope for this document. ** Section 9.1 Any of the JWS asymmetric digital signature algorithms registered in [IANA.JWS.Algorithms] that meet the security requirements described in the last paragraph of Section 5.2 of [RFC7515] can be used, including post-quantum algorithms, when they are ready. The last paragraph of Section 5.2 of RFC7515 says: Finally, note that it is an application decision which algorithms may be used in a given context. Even if a JWS can be successfully validated, unless the algorithm(s) used in the JWS are acceptable to the application, it SHOULD consider the JWS to be invalid. [on -19] -- This text from RFC7515 appears to be saying that the application decides and there aren’t any new security requirements. [response] Hard to disagree with that observation. Do you think some change is needed as a result? That bit in Section 9.1 was mostly (I think) intended to reassure readers that post-quantum algorithms showing up in the alg registry will be usable. [on -20] No comment on the phrase “… including post-quantum algorithms, when they are ready”. I’m reacting to the reference to RFC7515, as it seems misleading to me. Practically, it doesn’t impost any requirements, so why mention it? Would this be clearer: NEW (roughly) Per the last paragraph of Section 5.2 of [RFC7515], it is an application-specific decision to choose the appropriate JWS digital signature algorithm from [IANA.JWS.Algorithms]. _______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
