IETF Logo Mail Archive

Re: [jose] Namespace

Mike Jones <Michael.Jones@microsoft.com> Tue, 11 December 2012 02:33 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 326C421F86BE for <jose@ietfa.amsl.com>; Mon, 10 Dec 2012 18:33:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.065
X-Spam-Level:
X-Spam-Status: No, score=-3.065 tagged_above=-999 required=5 tests=[AWL=-0.467, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mri+0IJZn0JZ for <jose@ietfa.amsl.com>; Mon, 10 Dec 2012 18:33:18 -0800 (PST)
Received: from NA01-BL2-obe.outbound.protection.outlook.com (na01-bl2-obe.ptr.protection.outlook.com [65.55.169.24]) by ietfa.amsl.com (Postfix) with ESMTP id BD8FA21F86AD for <jose@ietf.org>; Mon, 10 Dec 2012 18:33:17 -0800 (PST)
Received: from BL2FFO11FD008.protection.gbl (10.173.161.201) by BL2FFO11HUB005.protection.gbl (10.173.160.225) with Microsoft SMTP Server (TLS) id 15.0.578.12; Tue, 11 Dec 2012 02:33:15 +0000
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD008.mail.protection.outlook.com (10.173.161.4) with Microsoft SMTP Server (TLS) id 15.0.578.12 via Frontend Transport; Tue, 11 Dec 2012 02:33:14 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.240]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.02.0318.003; Tue, 11 Dec 2012 02:32:43 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] Namespace
Thread-Index: AQHNy8bGSoKXsVYl70eExe2oESJ5YZgS950A
Date: Tue, 11 Dec 2012 02:32:43 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366924E98@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <0DC3825F-D600-4239-8283-FB7E2CAC4514@gmx.net> <2F1412B7-4585-4372-9B2F-FA852DA759A8@gmx.net>
In-Reply-To: <2F1412B7-4585-4372-9B2F-FA852DA759A8@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.71]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394366924E98TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454001)(53754002)(51704002)(43784002)(13464002)(47736001)(47976001)(50986001)(56816002)(77982001)(49866001)(5343655001)(59766001)(55846006)(5343635001)(44976002)(33656001)(76482001)(46102001)(4396001)(16236675001)(16406001)(74502001)(53806001)(54356001)(15202345001)(54316002)(56776001)(31966008)(47446002)(512954001)(74662001)(51856001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB005; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 069255B8B8
Subject: Re: [jose] Namespace
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Dec 2012 02:33:21 -0000

I've repeated my reply to your Namespace comment on the OAuth list below.  My comments are in green.



                                                                Thanks again,

                                                                -- Mike



- Namespace



The document defines a couple of claims. Quite naturally one wants to provide extension points since others will quite likely come up with new claims in the near future. The obvious approach would be to use an IANA registry to maintain uniqueness of the labels but without using a namespace declaration concept like XML does.



For some reason that does not seem to be enough to use IANA alone: the document introduces three types of claims, namely Reserved Claim Names, Public Claim Names, and Private Claim Names



No mechanism is stated how these claims can be differentiated but essentially everything is allowed. Section 2 ("Terminology") says that the claims that are not registered through IANA may be Domain Names, Object Identifiers (OIDs), UUIDs, etc.



Later in Section 4.2 it is said that public claims could be a URI, which is again different to what is said in Section 2.



Furthermore, Private Claims (as defined in Section 4.3) do not seem to have the requirement for uniqueness anymore even though Section 4 says that claim names in a JWT have to be unique.



The danger is obviously that two parties define claim names that have different semantic. This will lead to confusion. When claims with the same names are added to a JWT then, per specification, the receiver will have to fail.



If people are following the spec and using (IANA) reserved claim names, or public claim names (those containing a collision-resistant namespace), then the same names will always have the same semantics.  IANA is used for reserved claim names, where conflicts would otherwise be likely.  IANA is unnecessary for public claim names, because the collision-resistant namespace in the claim name prevents duplication.



Do we really need to support claims where uniqueness cannot be guaranteed?



Private claim names are there because in some contexts, the communication is between a fixed or constrained set of parties between whom private agreements are a perfectly acceptable namespace allocation solution.  Indeed, it wouldn't make much sense to register the meanings of claims with IANA that will only be used in a closed environment.



Can we decide on a few namespace concepts rather than leaving the list open-ended? What are the JOSE guys going to do about this issue?



The same namespace allocation strategy is being used by JOSE.



Btw, is it allowed to use JavaScript reserved keywords as claim names?



Yes



-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Monday, November 26, 2012 3:11 AM
To: jose@ietf.org
Cc: Hannes Tschofenig
Subject: [jose] Namespace



Hi all,



I posted a review of the JWT document to the OAuth mailing list but one specific issue is probably more relevant for JOSE than for OAuth.



The namespace concept form the JOSE header parameters has been copied to the "body" for the OAuth JWT spec:



Begin forwarded message:



> - Namespace

>

> The document defines a couple of claims. Quite naturally one wants to provide extension points since others will quite likely come up with new claims in the near future. The obvious approach would be to use an IANA registry to maintain uniqueness of the labels but without using a namespace declaration concept like XML does.

>

> For some reason that does not seem to be enough to use IANA alone: the document introduces three types of claims, namely Reserved Claim Names, Public Claim Names, and Private Claim Names

>

> No mechanism is stated how these claims can be differentiated but essentially everything is allowed. Section 2 ("Terminology") says that the claims that are not registered through IANA may be Domain Names, Object Identifiers (OIDs), UUIDs, etc.

>

> Later in Section 4.2 it is said that public claims could be a URI, which is again different to what is said in Section 2.

>

> Furthermore, Private Claims (as defined in Section 4.3) do not seem to have the requirement for uniqueness anymore even though Section 4 says that claim names in a JWT have to be unique.

>

> The danger is obviously that two parties define claim names that have different semantic. This will lead to confusion. When claims with the same names are added to a JWT then, per specification, the receiver will have to fail.

>

> Do we really need to support claims where uniqueness cannot be guaranteed?

> Can we decide on a few namespace concepts rather than leaving the list open-ended? What are the JOSE guys going to do about this issue?

>

> Btw, is it allowed to use JavaScript reserved keywords as claim names?

>



In a summary, has someone looked at the way how the header parameters are reserved? Does this make sense to you?



Ciao

Hannes







_______________________________________________

jose mailing list

jose@ietf.org<mailto:jose@ietf.org>

https://www.ietf.org/mailman/listinfo/jose

v2.14.0 | Report a Bug | By Email