Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
Justin Richer <jricher@mitre.org> Thu, 20 June 2013 15:22 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5DE021F9D6F for <jose@ietfa.amsl.com>; Thu, 20 Jun 2013 08:22:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.51
X-Spam-Level:
X-Spam-Status: No, score=-6.51 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MXeR7FUrFnKN for <jose@ietfa.amsl.com>; Thu, 20 Jun 2013 08:21:54 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4FABD21F9D2F for <jose@ietf.org>; Thu, 20 Jun 2013 08:21:53 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 87F131F0BD7; Thu, 20 Jun 2013 11:21:52 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 477C41F0BC9; Thu, 20 Jun 2013 11:21:52 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 20 Jun 2013 11:21:51 -0400
Message-ID: <51C31DCE.8080309@mitre.org>
Date: Thu, 20 Jun 2013 11:20:46 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B1680429673943678735D4@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgQUpbYLatgiaXa8T9oMMi+sA5KxEiocETLTEDXskTtqDQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943678794EF@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943678794EF@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="------------060309090501090506080604"
X-Originating-IP: [129.83.31.56]
Cc: Richard Barnes <rlb@ipv.sx>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2013 15:22:15 -0000
And I'd like to point out that we need this method anyway because you won't always have a mimetype along with the JOSE object -- they can be sent as HTTP headers, query parameters, any number of things really. -- Justin On 06/20/2013 11:19 AM, Mike Jones wrote: > > There is a defined algorithm to distinguish between the JWS and JWE > objects in the third paragraph of > http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-11#section-4. > > -- Mike > > *From:*Richard Barnes [mailto:rlb@ipv.sx] > *Sent:* Thursday, June 20, 2013 8:15 AM > *To:* Mike Jones > *Cc:* jose@ietf.org > *Subject:* Re: [jose] Should we keep or remove the JOSE JWS and JWE > MIME types? > > Multiplexing JWE and JWS under a single JOSE media type only makes > sense if there's a defined algorithm to demux them. So if you want to > do this, you would need to write down the algorithm. > > Personally, it seems simpler and clearer to me to just have the four > current types, so that you know which type of object you're dealing > with, and in what serialization, without having to do content sniffing. > > On Tue, Jun 18, 2013 at 9:26 PM, Mike Jones > <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote: > > The JWS and JWE documents currently define these MIME types for the > convenience of applications that may want to use them: > > application/jws > > application/jws+json > > application/jwe > > application/jwe+json > > That being said, I'm not aware of any uses of these by applications at > present. Thus, I think that makes it fair game to ask whether we want > to keep them or remove them -- in which case, if applications ever > needed them, they could define them later. > > Another dimension of this question for JWS and JWE is that it's not > clear that the four types application/jws, application/jws+json, > application/jwe, and application/jwe+json are even the right ones. It > might be more useful to have generic application/jose and > application/jose+json types, which could hold either JWS or JWE > objects respectively using the compact or JSON serializations > (although I'm not advocating adding them at this time). > > Having different JWS versus JWE MIME types apparently did contribute > to at least Dick's confusion about the purpose of the "typ" field, so > deleting them could help eliminate this possibility of confusion in > the future. Thus, I'm increasingly convinced we should get rid of the > JWS and JWE types and leave it up to applications to define the types > they need, when they need them. > > Do people have use cases for these four MIME types now or should we > leave them to future specs to define, if needed? > > -- Mike > > P.S. For completeness, I'll add that the JWK document also defines > these MIME types: > > application/jwk+json > > application/jwk-set+json > > There are already clear use cases for these types, so I'm not > advocating deleting them, but wanted to call that out explicitly. For > instance, when retrieving a JWK Set document referenced by a "jku" > header parameter, I believe that the result should use the > application/jwk-set+json type. (In fact, I'll add this to the specs, > unless there are any objections.) Likewise, > draft-miller-jose-jwe-protected-jwk-02 already uses > application/jwk+json. Both could also be as "cty" values when > encrypting JWKs and JWK Sets, in contexts where that that would be useful. > > > _______________________________________________ > jose mailing list > jose@ietf.org <mailto:jose@ietf.org> > https://www.ietf.org/mailman/listinfo/jose > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- Re: [jose] Should we keep or remove the JOSE JWS … Manger, James H
- [jose] Should we keep or remove the JOSE JWS and … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Jim Schaad
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Manger, James H
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Justin Richer
- Re: [jose] Should we keep or remove the JOSE JWS … Justin Richer
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Matt Miller (mamille2)
- Re: [jose] Should we keep or remove the JOSE JWS … Justin Richer
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Jim Schaad
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Edmund Jay
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Brian Campbell
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … John Bradley
- Re: [jose] Should we keep or remove the JOSE JWS … Manger, James H
- Re: [jose] Should we keep or remove the JOSE JWS … Tony Hansen