Examples of Protecting Content Using JSON Object Signing and Encryption (JOSE)
RFC 7520
Ballot positions:
Yes: Kathleen Moriarty
No Objection: Adrian Farrel, Alia Atlas, Martin Stiemerling, Pete Resnick, Spencer Dawkins
Note: This ballot was opened for revision 07 and is now closed.
Kathleen Moriarty, Former IESG member: Yes (for -07)
Richard Barnes, Former IESG member: Yes (2014-12-17 for -07)
Note: I have personally validated the examples in Sections 3.1, 3.3, 4.1, 4.2, and 4.3. I used them in tests for a JWK/JWS library. (The only difference between the text and the test case is that I had to add a "jwk" header field, because my code doesn't support lookup based on "kid".)
https://github.com/bifurcation/gose/blob/master/jose_test.go#L36

Now we just need RosettaCode entries for JOSE operations :)
http://rosettacode.org/wiki/HTTP

Section 1.1:
"""
Unless otherwise noted, the JWE plaintext or JWS payload content does include " " (U+0020 SPACE) characters. Line breaks (U+000A LINE FEED) replace some " " (U+0020 SPACE) characters to improve readability but are not present in the JWE plaintext or JWS payload.
"""

I think Barry commented on this in his pre-review, but it would be good to clarify this. Perhaps you could describe the examples as a sequence of quoted strings, which the user should concatenate? For example, in Section 4:
"""
"It’s a dangerous business, Frodo, going out your "
"door. You step onto the road, and if you don't keep your feet, "
"there’s no knowing where you might be swept off "
"to."
"""

I agree with Alissa that "progenitor" is inapt. "Private key corresponding to" is the typical phrasing.
Adrian Farrel, Former IESG member: No Objection (for -07)
Alia Atlas, Former IESG member: No Objection (for -07)
Alissa Cooper, Former IESG member: No Objection (2014-12-15 for -07)
I would suggest using a simpler word than "progenitor" in 3.2 and 3.4 (unless it's a term of art, but it doesn't seem like it is).
Barry Leiba, Former IESG member: No Objection (2014-12-13 for -07)
I've already made these comments by email, and discussed them with Matt. I'm quite satisfied that they're in hand, and no further response is needed.

My experience is that any time there is a significant number of examples, some of them will be wrong. My experience is also that readers will find those errors and will delight in filing errata reports. The shepherd writeup says that the compact encodings, at least, have been checked for correctness, and I'm trusting that this is adequate. But please have pity on the Sec ADs and their successors, who will have to deal with the inevitable errata, and quadruple check things. And make sure that errors are not introduced during RFC Editor processing. Do a more-careful-than-usual check during AUTH48.

In particular, it is very important that the RFC Editor perform no editing at all on the cleartext payloads. For example:

It’s a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there’s no knowing where you might be swept off to.

If the RFC Editor's editing should double-space the sentences, your examples based on the published cleartext would then be wrong. Please make sure the RFC Editor understands that they must not alter that text in any way... and then please check that during AUTH48.

-- Appendix A --
Not that it matters terribly, but during AUTH48, you might coordinate with the RFC Editor to make sure that single spacing (not double, as now) is used after the periods in "J. R. R. Tolkien". Kathleen might put this into an RFC Editor note.
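Both Richard Barnes's point about Section 1.1 (a line break in the printed example stands for a single space) and Barry Leiba's point about the RFC Editor double-spacing sentences come down to the same check: the JWS payload is the exact byte string, so any whitespace or quote-character slip produces a different base64url segment and a signature that no longer verifies. The following Python is an added illustration for this ballot page, not code from RFC 7520 or from any reviewer. The line wrapping, the HMAC key and the "kid" value are constructed for the example; the Tolkien sentence is the one quoted above.

```python
"""Reconstruct a JOSE example payload and show why whitespace must be exact.

Added illustration for this ballot page; not code from RFC 7520 or from any
reviewer.  The HMAC key and kid below are constructed for this example.
"""
import base64
import hashlib
import hmac
import json

# The sentence as it would appear wrapped in the document (wrap points are
# constructed here; Section 1.1 says each LINE FEED stands for one SPACE).
DISPLAY_LINES = [
    "It\u2019s a dangerous business, Frodo, going out your door. You step onto",
    "the road, and if you don't keep your feet, there\u2019s no knowing where",
    "you might be swept off to.",
]

KEY = b"constructed-example-key-not-from-rfc-7520"  # constructed, not from the RFC
KID = "example-hmac-key"                             # constructed, not from the RFC


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def reconstruct_payload(lines, separator=" ") -> str:
    """Join the displayed lines with the character each line break replaced.

    The correct separator is a single SPACE; keeping the LINE FEED, or
    letting an editor double-space the sentences, yields different bytes.
    """
    return separator.join(lines)


def hs256_jws(payload: str, key: bytes, kid: str) -> str:
    """Compact-serialize an HS256 JWS over the given payload."""
    header = json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":"))
    signing_input = b64url(header.encode("utf-8")) + "." + b64url(payload.encode("utf-8"))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def verify_hs256(jws: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    head, body, sig = jws.split(".")
    expected = hmac.new(key, (head + "." + body).encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def check_variants():
    """Sign the correctly reconstructed payload, then splice in each slightly
    wrong reconstruction under the genuine signature.  Every variant must fail."""
    good = reconstruct_payload(DISPLAY_LINES)
    jws_good = hs256_jws(good, KEY, KID)
    head, _, sig = jws_good.split(".")
    variants = {
        "line feeds kept": reconstruct_payload(DISPLAY_LINES, "\n"),
        "double-spaced sentences": good.replace(". ", ".  "),
        "straight apostrophes": good.replace("\u2019", "'"),
    }
    return {name: verify_hs256(".".join([head, b64url(text.encode("utf-8")), sig]), KEY)
            for name, text in variants.items()}


if __name__ == "__main__":
    payload = reconstruct_payload(DISPLAY_LINES)
    print("payload segment:", b64url(payload.encode("utf-8")))
    print("genuine JWS verifies:", verify_hs256(hs256_jws(payload, KEY, KID), KEY))
    for name, ok in check_variants().items():
        print(f"{name}: verifies={ok}")
```

The payload segment begins "SXTigJlz", which is the base64url encoding of the UTF-8 bytes of "It’s" (49 74 E2 80 99 73); a reconstruction that used a straight apostrophe would begin "SXQncy" instead, which is the fastest way to spot a quote-character slip when comparing against a published example.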
Benoît Claise, Former IESG member: No Objection (2014-12-17 for -07)
The authors engaged in the discussion with the OPS-DIR reviewer Jouni on the points below. Thanks.

A few minor nits & comments:
o IDnits spits out warnings. I reckon all of them are of a kind that will be corrected by the RFC Editor -> no worries.
o The document uses example domains "hobbiton.example" and the like. According to RFC 2606 & 6761 the example domains are "example.com" etc. These should be corrected UNLESS they cause too much trouble regenerating outputs into examples...
o line 325 "coordiates" should probably be "coordinates".
o I would take acronyms (e.g. "(JWS)") away from the abstract.
Joel Jaeggli, Former IESG member: No Objection (2014-12-18 for -07)
OK with the outcome of the OPS-DIR review.
Martin Stiemerling, Former IESG member: No Objection (for -07)
Pete Resnick, Former IESG member: No Objection (for -07)
Spencer Dawkins, Former IESG member: No Objection (for -07)
Stephen Farrell, Former IESG member: No Objection (2014-12-17 for -07)
- 3.3, 1st para says private where it should say public
- thanks for addressing the (heroic:-) secdir review [1], I think in the end you got everything right?

[1] https://www.ietf.org/mail-archive/web/secdir/current/msg05249.html