c/ietf-wimse-ect
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
36 Commits 1 Branch 1 Tag
bd2a5f819a0598e0b90146ed373f2a9eb931e49f
Commit Graph

4 Commits

Author SHA1 Message Date
Christian Nennemann
bd2a5f819a Fix build errors: duplicate anchors, missing ref, back-matter numbering 
- Add unique anchors for security subsections that collided with
  protocol section anchors (level-1/2/3, x509-binding, wimse-binding)
- Fix broken {{jwt-claims}} reference to {{exec-claims}}
- Fix I-D.oauth-transaction-tokens-for-agents reference (add manual
  entry since bibxml3 lookup fails)
- Remove RFC2119/8174 from YAML normative block (bcp14-tagged
  boilerplate adds them automatically)
- Add {:numbered="false"} to all back-matter subsections

Build now succeeds: XML, TXT, and HTML generated cleanly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-06 20:07:11 +01:00
Christian Nennemann
eb79c6998a Apply comprehensive review fixes to draft-nennemann-wimse-ect-01 
Critical fixes:
- Add RFC 2119/8174 to normative refs, move RFC 9449 to normative
- Rewrite level detection algorithm with precise parsing order
  (JWS first, then base64url-decode for L1)
- Add downgrade attack analysis and minimum-level policy requirement
- Complete application/wimse-exec+jwt IANA registration template
- Fix bare draft-00 citations, fix I-D reference anchor format
- Rewrite abstract to remove changelog language

Medium fixes:
- Add jti replay check to L1 verification procedure
- Add L3 async failure handling (notify downstream, treat as L2)
- Add L3 sync timeout retry/fallback guidance
- Add identity binding security subsection (JWK caching, OCSP
  failure policy, trust bundle refresh)
- Add audit ledger threats subsection (availability, split-view,
  receipt authenticity, async gap)
- Collapse redundant Section 9 into HTTP Error Handling
- Remove redundant L3 verification steps for iss/aud
- Add L2 use case (multi-vendor SaaS document pipeline)

Low fixes:
- Strengthen ext object limits from SHOULD NOT to MUST NOT
- Add level negotiation future work note
- Document L1 DAG validation limitation without ledger
- Add alg=none defense-in-depth note
- Strengthen self-assertion limitation for L1
- Add workflow topology leakage to privacy considerations
- Add cross-workflow correlation to privacy considerations
- Add RATS (RFC 9334) to related work
- Expand SCITT comparison with L3 audit ledger parallel
- Pin SPIFFE reference to specific version URL
- Clean up redundant {:numbered="false"} in back matter

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-06 19:58:04 +01:00
Christian Nennemann
139a4e85e2 Rename 'par' claim to 'pred' and fix area to SEC 
Rename the 'par' (Parent Task Identifiers) JWT claim to 'pred'
(Predecessor Task Identifiers) to avoid collision with RFC 9126
(Pushed Authorization Requests) which already registers 'par' in
the IANA JWT Claims registry. Fix IETF area from ART to SEC since
WIMSE is in the Security area.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-06 19:35:12 +01:00
Christian Nennemann
2d3af57923 Restructure repo: single source file with git tags for versioning 
Drop versioned directories and archive/ in favor of git tags (draft-00,
draft-01) for frozen submissions. Rename source to
draft-nennemann-wimse-ect.md (version comes from docname in front matter).
Update build.sh to extract docname automatically. Ignore generated outputs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-06 19:20:38 +01:00