hannestschofenig / tschofenig-ids

Repository for Internet Drafts

AD review draft-ietf-cose-key-thumbprint-04 #95

Open OR13 opened 3 months ago

OR13 commented 3 months ago

In the Security Considerations:

To promote interoperability among implementations, the SHA-256 hash algorithm is mandatory to implement.

Using thumbprints with passwords (i.e. low-entropy secrets) is dangerous and MUST be avoided.
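
The two sentences above carry the security point of the draft: the thumbprint is an unsalted hash over the key's required members, so for a symmetric key it is a hash of the key material itself. The following is an added example, not code from the draft or from this repository: my own Python implementation of the thumbprint construction as I read it (deterministic CBOR of only the required COSE_Key members, then SHA-256, with the hash name left as a parameter since SHA-256 is only the mandatory-to-implement choice), followed by the offline guessing attack that the second sentence warns about. The required-member table, the constructed P-256 key with made-up coordinates, and the 4-digit PIN used as symmetric key material are assumptions for illustration and do not come from the page.

```python
import hashlib

# --- Minimal deterministic CBOR encoder (RFC 8949, section 4.2.1) -------------
# Only the types a COSE_Key thumbprint input needs: integers, byte strings, maps.

def _head(major: int, n: int) -> bytes:
    """Shortest-form initial byte(s) for major type `major` and argument `n`."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    if n < 0x1_0000_0000:
        return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")
    return bytes([(major << 5) | 27]) + n.to_bytes(8, "big")

def cbor_encode(value) -> bytes:
    if isinstance(value, bool):
        raise TypeError("bool is not a COSE_Key member type")
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, (bytes, bytearray)):
        return _head(2, len(value)) + bytes(value)
    if isinstance(value, dict):
        items = [(cbor_encode(k), cbor_encode(v)) for k, v in value.items()]
        # Deterministic map ordering: shorter encoded key first, then bytewise.
        items.sort(key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError(f"unsupported type {type(value).__name__}")

# --- COSE Key Thumbprint -------------------------------------------------------
# Required members per key type: my reading of the draft (assumption), using the
# COSE label numbers from the COSE Key Type Parameters registry.
KTY_OKP, KTY_EC2, KTY_RSA, KTY_SYMMETRIC = 1, 2, 3, 4
REQUIRED_MEMBERS = {
    KTY_OKP: (1, -1, -2),        # kty, crv, x
    KTY_EC2: (1, -1, -2, -3),    # kty, crv, x, y
    KTY_RSA: (1, -1, -2),        # kty, n, e
    KTY_SYMMETRIC: (1, -1),      # kty, k
}

def thumbprint_input(cose_key: dict) -> bytes:
    """Deterministic CBOR of only the required members; everything else
    (kid, alg, key_ops, private parts) is dropped so it cannot change the hash."""
    kty = cose_key.get(1)
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    missing = [label for label in REQUIRED_MEMBERS[kty] if label not in cose_key]
    if missing:
        raise ValueError(f"COSE_Key missing required members {missing}")
    return cbor_encode({label: cose_key[label] for label in REQUIRED_MEMBERS[kty]})

def cose_key_thumbprint(cose_key: dict, hash_name: str = "sha256") -> bytes:
    """SHA-256 is the mandatory-to-implement hash; any hashlib name is accepted."""
    return hashlib.new(hash_name, thumbprint_input(cose_key)).digest()

# --- Why low-entropy symmetric keys must not be thumbprinted -------------------
def recover_symmetric_key(thumbprint: bytes, candidates, hash_name: str = "sha256"):
    """Offline dictionary attack: the thumbprint is an unsalted hash of `k`, so
    anyone who sees it can test guesses as fast as they can hash. Returns the
    matching candidate or None if the candidate space does not contain the key."""
    for cand in candidates:
        if cose_key_thumbprint({1: KTY_SYMMETRIC, -1: cand}, hash_name) == thumbprint:
            return cand
    return None

if __name__ == "__main__":
    # Constructed sample: a P-256 (crv=1) public key with made-up coordinates,
    # carrying optional kid/alg members that the thumbprint must ignore.
    ec2 = {1: KTY_EC2, 2: b"kid-1", 3: -7, -1: 1,
           -2: bytes(range(32)), -3: bytes(range(32, 64))}
    bare = {k: v for k, v in ec2.items() if k not in (2, 3)}
    print("EC2 thumbprint:", cose_key_thumbprint(ec2).hex())
    assert cose_key_thumbprint(ec2) == cose_key_thumbprint(bare)

    # Constructed sample: a 4-digit PIN used as the symmetric key material.
    # Ten thousand hashes recover it from the thumbprint alone.
    pin_key = {1: KTY_SYMMETRIC, -1: b"4271"}
    guesses = (f"{i:04d}".encode() for i in range(10_000))
    print("recovered from thumbprint:",
          recover_symmetric_key(cose_key_thumbprint(pin_key), guesses))
```

The same attack applies to any symmetric key derived from a password, a PIN, or a short serial number: the thumbprint leaks nothing about a 256-bit random key, but for a guessable `k` it is equivalent to publishing an unsalted password hash. That is why the draft's MUST is about the entropy of the key, not about the strength of the hash.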

OR13 commented 3 months ago

Piling on a comment from DE review:

in the text around the examples there is one instance of “link break” and a mention of line breaks inserted where there actually are none. Just wanted to mention this for any new revision that may need to be created.

OR13 commented 3 months ago

@ko-isobe @hannestschofenig Not sure when the right time is to address these, or if we are expecting more comments

OR13 commented 3 months ago

adding comments from IANA:

(BEGIN IANA COMMENTS)

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-cose-key-thumbprint-04. If any part of this review is inaccurate, please let us know.

IANA has a question about each of the actions requested in the IANA Considerations section of this document.

IANA understands that, upon approval of this document, there are two actions which we must complete.

First, in the CWT Confirmation Methods registry in the CBOR Web Token (CWT) Claims registry group located at:

https://www.iana.org/assignments/cwt/

a single new registration will be made as follows:

Confirmation Method Name: ckt
Confirmation Method Description: COSE Key Thumbprint
JWT Confirmation Method Name: jkt
Confirmation Key: [ TBD-at-Registration ]
Confirmation Value Type: binary string
Change Controller: IESG
Reference: [ RFC-to-be ]

IANA Question --> In the past, the IESG has preferred that the IETF be used as the change controller (a document is in process). Can this be changed?

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have initiated the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

Second, in the OAuth URI Registry in the OAuth Parameters registry group located at:

https://www.iana.org/assignments/oauth-parameters/

a single new registration will be made as follows:

URN: urn:ietf:params:oauth:ckt
Common Name: COSE Key Thumbprint URI
Change Controller: IESG
Reference: [ RFC-to-be ]

IANA Question --> Once again, the IESG has preferred that the IETF be used as the change controller (a document is in process). Can this be changed?

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have initiated the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

We understand that these are the only actions required to be completed upon approval of this document.

NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

(END IANA COMMENTS)

OR13 commented 2 months ago

We need to address this feedback and publish a new version

OR13 commented 2 months ago

https://github.com/hannestschofenig/tschofenig-ids/pull/96