Re: [Last-Call] Opsdir last call review of draft-ietf-rats-eat-21


 



It may be worth noting that the JWT registry expert review completed with no issues yesterday. As Laurence noted, if there's specific language that generated this concern we may be able to avoid similar future interpretations with a few edits. 

On 8/9/23, 2:18 PM, "lgl securitytheory.com" <lgl@xxxxxxxxxxxxxxxxxx> wrote:


Hi Linda,


Haven’t been through this part of a document publication yet, so hope I’m doing this right by replying to all. Someone clue me if I’m doing it wrong. My comments are below.


LL




> On Aug 9, 2023, at 1:38 PM, Linda Dunbar via Datatracker <noreply@xxxxxxxx> wrote:
> 
> Reviewer: Linda Dunbar
> Review result: Has Issues
> 
> I have reviewed this document as part of the Ops area directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the Ops area directors.
> Document editors and WG chairs should treat these comments just like any other
> last-call comments.
> 
> Summary: the document illustrates using the CBOR Web Token (CWT) or JSON Web
> Token (JWT) as the Entity Attestation Token for various entities, such as
> devices, hardware components, software modules, etc.
> 
> One issue I don't see is how to extend to the entities that are not illustrated
> in the document? Like future "Foo" with an expiration date? Does it mean that
> IANA needs to keep track of all those entity names? Is it really necessary?
> Many entities are only valid in a special deployment environment. As long as
> both parties agree upon the JSON format, why need to bother IANA?


We’re probably not thinking of “entity” in the same way.


For EAT, an entity is usually a piece of manufactured stuff like a Cisco Model XXX router, a Samsung Galaxy YYY model phone or an Intel Core iX chip. There is no request in EAT that IANA track specific devices, equipment and such.


We are asking for some claims to be added to the existing CWT and JWT IANA registries, but those are not entities and they are not even requests for new registries. Most of what is requested of IANA for this EAT document is a one-time addition to existing registries.


Maybe you can point out the section number in the document that is leading you to ask your questions to help us understand your concern?


Thanks


LL














-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call



