Re: [Last-Call] Genart last call review of draft-ietf-cose-cwt-claims-in-headers-06

Thanks for taking the time to review the document and for your useful suggestions, Ines!  FYI, we published https://www.ietf.org/archive/id/draft-ietf-cose-cwt-claims-in-headers-07.html to address the Last Call comments received.

I've responded to your comments inline below, with responses prefixed by "Mike>".

-----Original Message-----
From: Ines Robles via Datatracker <noreply@xxxxxxxx>
Sent: Tuesday, October 17, 2023 1:45 PM
To: gen-art@xxxxxxxx
Cc: cose@xxxxxxxx; draft-ietf-cose-cwt-claims-in-headers.all@xxxxxxxx; last-call@xxxxxxxx
Subject: Genart last call review of draft-ietf-cose-cwt-claims-in-headers-06

Reviewer: Ines Robles
Review result: Ready with Issues

I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair.  Please treat these comments just like any other last call comments.

For more information, please see the FAQ at

<https://wiki.ietf.org/en/group/gen/GenArtFAQ>.

Document: draft-ietf-cose-cwt-claims-in-headers-06
Reviewer: Ines Robles
Review Date: 2023-10-17
IETF LC End Date: 2023-10-20
IESG Telechat date: Not scheduled for a telechat

Summary:

This document describes how to include CBOR Web Token (CWT) claims in the header parameters of any COSE structure.

The document is well written; I have minor issues and nits, indicated below.

Major issues: None

Minor issues:

1- Section 3: "Some of the registered CWT claims may contain privacy-sensitive information. Therefore care must be taken when expressing CWT claims in COSE headers." --> What kind of care? Are there specific guidelines to follow?
Could you add an example, or add a reference?

Mike> We expanded the description in the Privacy Considerations section.

2- Section 4:

Detached Signatures: The security section does not delve into the security considerations of using detached signatures. Since detached signatures are one focus of the functionality, it might be helpful to discuss the security implications specific to them.

Mike> We added a Security Consideration on detached signatures.

Claims in Headers: Considering that some claims can be available before decryption or without inspecting the payload, perhaps it would be nice to discuss the risks associated with exposing claims in this manner, or add reference?

Mike> We added a Privacy Consideration about unencrypted claims in header parameters.

Data Consistency: Is there a security angle to ensuring that claims present both in the payload and header are identical, beyond just verification?

Mike> We added a Security Consideration about claims that are present in both the payload and the header of a CWT.

It seems that these items are not included in the security considerations of RFC 8392. What do you think?

Mike> See the enhanced Privacy Considerations and Security Considerations sections.

Nits/editorial comments:

3- It would be nice to expand JWT the first time of use -> JSON Web Token (JWT)

Mike> Done!

4- It would be nice to have a caption for Table 1

Mike> Neither of the authors could figure out how to do this.  https://thesynack.com/posts/markdown-captions/ says "The truth is that, as of now, captions are not part of the original Markdown specifications, nor are they part of the more modern CommonMark specifications."  Once we're working with the RFC Editor on XML source, we can add it then.

5- Table 1: "TBD (requested assignment 13)", the 13 was assigned to kcwt, so maybe suggest another value?

Mike> Now 15

Thanks for this document,

Mike> You're welcome!

Ines.

                                Thanks again,
                                -- Mike
