JWK Thumbprint URI
draft-ietf-oauth-jwk-thumbprint-uri-03

[Ballot comment]
One suggestion: This document cites BCP 14, and then barely uses it (there's just one "MUST", and nothing else).  In my view, you could replace "MUST be" with "are" and then drop all the BCP 14 boilerplate, with the same effect.

[Ballot comment]
Thank you to the authors and WG for this document -- I was somewhat apprehensive about reviewing it, because I'm clearly not an expert on OAUTH / JWK... however, I was pleasantly surprised to discover just how readable (and short :-)) it is, and that even I could understand it.

Also, much thanks to Scott Bradner for his OpsDir review (https://datatracker.ietf.org/doc/review-ietf-oauth-jwk-thumbprint-uri-01-opsdir-lc-bradner-2022-05-08/) and suggestion on how to address it.

[Ballot comment]
# GEN AD review of draft-ietf-oauth-jwk-thumbprint-uri-02

CC @larseggert

Thanks to Robert Sparks for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/OUPrqEJ7DNFPcaL9Goc7-7rZy_4).

## Comments

### Inclusive language

Found terminology that should be reviewed for inclusivity; see
https://www.rfc-editor.org/part2/#inclusive_language for background and more
guidance:

* Term `invalid`; alternatives might be `not valid`, `unenforceable`, `not
  binding`, `inoperative`, `illegitimate`, `incorrect`, `improper`,
  `unacceptable`, `inapplicable`, `revoked`, `rescinded`

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Boilerplate

Document still refers to the "Simplified BSD License", which was corrected in
the TLP on September 21, 2021. It should instead refer to the "Revised BSD
License".

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool

[Ballot comment]
Hi,

I just wanted to confirm that the names of "Hash Name String" in the IANA registry are always such that they can be directly used in URLs without encoding.  RFC 6920, section 9.4, didn't seem to specify any restriction, but text if the rest of that RFC (that I'm not really familiar with) seems to suggest/indicate that they use a restricted character set and hence are safe to directly embed.

Thanks,
Rob

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-oauth-jwk-thumbprint-uri-01. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there is a single action which we must complete.

In the OAuth URI registry on the OAuth Parameters registry page located at:

https://www.iana.org/assignments/oauth-parameters/

a new registration is to be made as follows:

URN: urn:ietf:params:oauth:jwk-thumbprint
Common Name: JWK Thumbprint URI
Change Controller: IESG
Reference: [ RFC-to-be ]

As this document requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

The IANA Functions Operator understands that this is the only action required to be completed upon approval of this document.

Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

Michelle Thangtamsatid
IANA Services Specialist

The following Last Call announcement was sent out (ends 2022-05-09):

From: The IESG
To: IETF-Announce
CC: draft-ietf-oauth-jwk-thumbprint-uri@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rifaat.s.ietf@gmail.com
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (JWK Thumbprint URI) to Proposed Standard


The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document: - 'JWK Thumbprint URI'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2022-05-09. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This specification registers a kind of URI that represents a JSON Web
  Key (JWK) Thumbprint value.  JWK Thumbprints are defined in RFC 7638.
  This enables JWK Thumbprints to be used, for instance, as key
  identifiers in contexts requiring URIs.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwk-thumbprint-uri/



No IPR declarations have been submitted directly on this I-D.

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header?

The request is for Proposed Standard, since the document defines a new type of URI.

(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary:

This specification defines a kind of URI that represents a JSON Web Key (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638.

Working Group Summary:

At the working group’s suggestion during the initial WGLC, the document was revised to provide cryptographic agility using identifiers from an existing IANA registry.  There were only statements of support during the final WGLC.

Document Quality:

The specification is being normatively used by an OpenID Foundation specification, which has at least one implementation.  A number of people reviewed the document over multiple rounds of reviews and provided feedback on the mailing list, which was addressed by the editors.  Everyone voicing an opinion on the final version supported publication.

Personnel:

The document shepherd is Rifaat Shekh-Yusef.
The responsible Area Director is Roman Danyliw.

(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

The document shepherd reviewed this document and the authors addressed all my concerns. I believe the document is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

No concerns

(5) Do portions of the document need review from a particular or from a broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place.

A security review is always recommended.

(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

The document shepherd has no such concerns.

(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why?

Mike
https://mailarchive.ietf.org/arch/msg/oauth/EYxuuk6uTklPx-zaNneFT-65H0Y/

Kristina
https://mailarchive.ietf.org/arch/msg/oauth/us2hVgyGuJfmzW1Oy74CTFkPs3Q/

(8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

No

(9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

There was a solid WG consensus that included feedback and support from multiple parties from different constituencies.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

No

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

The following line exceeds the 72 character limit.
urn:ietf:params:oauth:jwk-thumbprint:sha-256:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs


(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

No such reviews are necessary.

(13) Have all references within this document been identified as either normative or informative?

Yes

(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

No

(15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

No

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary.

No

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126).

The document registers a new value in an existing IANA registry.  The document does not create any new registries.

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

None

(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc.

None were needed.

(20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342?

The document contains no YANG module.

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header?

The request is for Proposed Standard, since the document defines a new type of URI.

(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary:

This specification defines a kind of URI that represents a JSON Web Key (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638.

Working Group Summary:

At the working group’s suggestion during the initial WGLC, the document was revised to provide cryptographic agility using identifiers from an existing IANA registry.  There were only statements of support during the final WGLC.

Document Quality:

The specification is being normatively used by an OpenID Foundation specification, which has at least one implementation.  A number of people reviewed the document over multiple rounds of reviews and provided feedback on the mailing list, which was addressed by the editors.  Everyone voicing an opinion on the final version supported publication.

Personnel:

The document shepherd is Rifaat Shekh-Yusef.
The responsible Area Director is Roman Danyliw.

(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

The document shepherd reviewed this document and the authors addressed all my concerns. I believe the document is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

No concerns

(5) Do portions of the document need review from a particular or from a broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place.

A security review is always recommended.

(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

The document shepherd has no such concerns.

(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why?

Mike
https://mailarchive.ietf.org/arch/msg/oauth/EYxuuk6uTklPx-zaNneFT-65H0Y/

Kristina
https://mailarchive.ietf.org/arch/msg/oauth/us2hVgyGuJfmzW1Oy74CTFkPs3Q/

(8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

No

(9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

There was a solid WG consensus that included feedback and support from multiple parties from different constituencies.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

No

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

The following line exceeds the 72 character limit.
urn:ietf:params:oauth:jwk-thumbprint:sha-256:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs


(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

No such reviews are necessary.

(13) Have all references within this document been identified as either normative or informative?

Yes

(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

No

(15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

No

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary.

No

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126).

The document registers a new value in an existing IANA registry.  The document does not create any new registries.

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

None

(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc.

None were needed.

(20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342?

The document contains no YANG module.