Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)

John Bradley <> Wed, 19 November 2014 21:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4230D1A8909 for <>; Wed, 19 Nov 2014 13:52:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UFsr_Wy3gMnk for <>; Wed, 19 Nov 2014 13:52:32 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8E8641A88F4 for <>; Wed, 19 Nov 2014 13:52:32 -0800 (PST)
Received: by with SMTP id i13so1093929qae.13 for <>; Wed, 19 Nov 2014 13:52:31 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=DBYVQKixMT8L8n0KrjSjKpR5BGbots8kzAZwu5/dmdc=; b=RQa22Av81+uJx0mJSky819I8f6tqIDUbb5ogDbfLIBklo2oYyFb24KmVk0SICj9v4V UqhlsBMfaDIvQ+K2VosemL1+TImhjKvHAFmvGHlgOF/gOEYwhsRFGO9Gn/neQIMeLusF lCHu0/inyTZRKRFLkbjsmCO4TNmrA+UHmE+YmNl7gBQUSYX3c9kj2d4NSb2zP9TdwFzJ 1HFLj/qGHrwiG8yK2ccrgCBLsORZ3IDFimygZccb45juJl9VOsQAfw3DpsK2P8AXc9rb uRh8Mvs7gCuKqXjsTPislykpoLbCFuwyn7sB3LzvDzaXqw25/5mWGL1xhfkBuzQBTIQ4 ZTbw==
X-Gm-Message-State: ALoCoQkailvfLKkmmULUPNlcCLvw5K45S4qcc9W4SSulxUtSWkO3xbpTjDr0EzlJfrurrixkMOIh
X-Received: by with SMTP id d32mr55518103qge.37.1416433951739; Wed, 19 Nov 2014 13:52:31 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id c88sm451067qgc.6.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Nov 2014 13:52:30 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: John Bradley <>
In-Reply-To: <>
Date: Wed, 19 Nov 2014 16:52:29 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <008a01cfe161$f0ec5090$d2c4f1b0$> <> <> <> <>
To: Michael Jones <>
X-Mailer: Apple Mail (2.1993)
Cc: "" <>, Pete Resnick <>, Kathleen Moriarty <>, The IESG <>, "" <>, Jim Schaad <>, "" <>
Subject: Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Nov 2014 21:52:37 -0000

OK with me.

> On Nov 19, 2014, at 4:49 PM, Mike Jones <> wrote:
> Below I'm responding only to the remaining issue about "rejecting JWSs".   Pete, please let me know if the proposed language works for you.
>>>>>>> 5.2:
>>>>>>> Strike the last sentence of the second paragraph. There's no
>>>>>>> requirement here. If none of them validate, I can do what I want
>>>>>>> with the JWS. I needn't "reject" it. I might just mark it as "invalid".
>>>>>>> [Get rid of all talk of "rejecting" throughout this document.
>>>>>>> Again, I will note that the signatures are not valid, but
>>>>>>> rejecting is a local implementation detail.]
>>>>>> As discussed during the telechat and on subsequent threads, the
>>>>>> terms "accept" and "reject" are commonly used in this way, for
>>>>>> instance, in RFC 5820.  As Kathleen wrote after the call, "For the
>> "reject"
>>>>>> language, Pete said on the call that he would go through each one
>>>>>> to see where it might be application specific and will suggest changes.
>>>>>> Thanks in advance, Pete.".
>> So I've gone through all of the "reject"s in the document, and I think I see a
>> way to allay my concern without significantly changing the
>> language: Instead of saying "reject the JWS" as it does in most places, I
>> believe it would be much clearer if it simply said "reject the signature" as it
>> does in 4.1.6. Then you're clearly not saying "rejecting the data", as I'm afraid
>> certain sorts of applications developers will interpret it. In some instances,
>> you'll need to say something like "reject the signature of a JWS with foobar",
>> but I don't think that significantly changes the intended meaning.
> It turns out that way back in draft -15, in response to issue #35 (, we'd already changed statements about "rejecting the JWS" in contexts of signature failures to statements about  the JWS Signature being invalid.  So those uses of "reject the JWS" that remained were actually about rejecting the whole thing - not about rejecting the signature.  I'm revisiting that history because your suggested language about "reject the signature" doesn't actually convey the correct meaning in the remaining contexts.
> But I understand and agree with your intent - which is to say that implementations will determine that some JWSs are invalid, rather than the "rejection" being some kind of cataclysmic failure.  To achieve this intent, I've instead changed the language "reject the JWS" to "consider the JWS to be invalid" in my current editor's draft.  Let me know if that works for you.
> I've made the parallel changes in the JWE draft as well.
> 				Thanks again,
> 				-- Mike
> _______________________________________________
> jose mailing list