Last Call Review of draft-ietf-oauth-jwt-bcp-04
review-ietf-oauth-jwt-bcp-04-genart-lc-carpenter-2019-03-30-00

Request: Review of draft-ietf-oauth-jwt-bcp
Requested revision: No specific revision (document currently at 07)
Type: Last Call Review
Team: General Area Review Team (Gen-ART) (genart)
Deadline: 2019-04-08
Requested: 2019-03-25
Authors: Yaron Sheffer, Dick Hardt, Michael B. Jones
I-D last updated: 2019-03-30
Completed reviews:
  Secdir Last Call review of -04 by Radia Perlman (diff)
  Genart Last Call review of -04 by Brian E. Carpenter (diff)
  Genart Telechat review of -06 by Brian E. Carpenter (diff)
Assignment:
  Reviewer: Brian E. Carpenter
  State: Completed
  Request: Last Call review on draft-ietf-oauth-jwt-bcp by General Area Review Team (Gen-ART) Assigned
  Reviewed revision: 04 (document currently at 07)
  Result: Ready w/issues
  Completed: 2019-03-30
Gen-ART Last Call review of draft-ietf-oauth-jwt-bcp-04

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-oauth-jwt-bcp-04.txt
Reviewer: Brian Carpenter
Review Date: 2019-03-31
IETF LC End Date: 2019-04-08
IESG Telechat date:  

Summary: Ready with (minor) issues
--------

Minor issues:
-------------

> 2.3.  Multiplicity of JSON encodings
>
>   Previous versions of the JSON format [RFC8259] allowed several
>   different character encodings: UTF-8, UTF-16 and UTF-32.  This is not
>   the case anymore, with the latest standard only allowing UTF-8.
>   However older implementations may result in the JWT being
>   misinterpreted by its recipient.

Why is that a security issue?

> 3.6.  Avoid Length-Dependent Encryption Inputs
...
>  ...It is
>  RECOMMENDED to avoid any compression of data before encryption since
>  such compression often reveals information about the plaintext.

I'd like a citation for that, because it isn't intuitive. (And compression
after encryption is pointless, of course.)

> 3.10.  Do Not Trust Received Claims

Both the recommendations in this section seem imprecise. Maybe there
should be some hints about the verification processes.
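As an added illustration (not part of this review or of the draft), a small Python checker for the two quoted recommendations: it rejects a JWS or JWE whose protected header or payload is not strict UTF-8 (section 2.3) and rejects any token whose header requests compression through the "zip" parameter (section 3.6). The compact-serialization layout and the "zip" header parameter come from RFC 7515/7516; the function names and the sample tokens are constructed here.

```python
import base64
import json

class JoseCheckError(ValueError):
    """Raised when a token segment fails one of the checks below."""

def _b64url_decode(segment: str) -> bytes:
    # base64url without padding (RFC 7515 section 2); restore padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _strict_utf8_json(raw: bytes, what: str) -> dict:
    # Anything other than plain UTF-8 is refused: UTF-16/32 byte-order marks,
    # NUL bytes (typical of UTF-16 text), a UTF-8 BOM, or invalid sequences.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in raw:
        raise JoseCheckError(f"{what}: not UTF-8 encoded")
    if raw.startswith(b"\xef\xbb\xbf"):
        raise JoseCheckError(f"{what}: UTF-8 BOM not allowed")
    try:
        obj = json.loads(raw.decode("utf-8", errors="strict"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise JoseCheckError(f"{what}: invalid UTF-8 JSON") from exc
    if not isinstance(obj, dict):
        raise JoseCheckError(f"{what}: not a JSON object")
    return obj

def check_jose_token(token: str) -> dict:
    """Parse a compact JWS (3 segments) or JWE (5 segments) and apply the checks."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise JoseCheckError("not a compact JWS or JWE")
    header = _strict_utf8_json(_b64url_decode(parts[0]), "header")
    if "zip" in header:  # compressed encryption input: refuse it outright
        raise JoseCheckError("compressed ('zip') encryption input not accepted")
    result = {"kind": "JWS" if len(parts) == 3 else "JWE", "header": header}
    if len(parts) == 3:
        result["payload"] = _strict_utf8_json(_b64url_decode(parts[1]), "payload")
    return result

def rejects(token: str) -> bool:
    """True if the checker refuses the token (used for the samples below)."""
    try:
        check_jose_token(token)
        return False
    except JoseCheckError:
        return True

# Constructed sample tokens; signature/ciphertext segments are dummies.
GOOD_JWS = ".".join([_b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
                     _b64url_encode(b'{"sub":"alice"}'), _b64url_encode(b"sig")])
UTF16_JWS = ".".join([_b64url_encode('{"alg":"HS256"}'.encode("utf-16")),
                      _b64url_encode(b'{"sub":"alice"}'), _b64url_encode(b"sig")])
ZIP_JWE = ".".join([_b64url_encode(b'{"alg":"dir","enc":"A256GCM","zip":"DEF"}'),
                    "", _b64url_encode(b"iv"), _b64url_encode(b"ct"), _b64url_encode(b"tag")])
```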