IETF Logo Mail Archive

Re: [jose] POLL(s): header criticality

"Salvatore D'Agostino" <sal@idmachines.com> Fri, 08 February 2013 22:43 UTC

Return-Path: <sal@idmachines.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1101521F8BE4 for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 14:43:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f9ab9o2XXTCn for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 14:43:16 -0800 (PST)
Received: from atl4mhob04.myregisteredsite.com (atl4mhob04.myregisteredsite.com [209.17.115.42]) by ietfa.amsl.com (Postfix) with ESMTP id 64B7D21F8BE0 for <jose@ietf.org>; Fri, 8 Feb 2013 14:43:15 -0800 (PST)
Received: from mailpod1.hostingplatform.com (mailpod1.networksolutionsemail.com [206.188.198.65]) by atl4mhob04.myregisteredsite.com (8.14.4/8.14.4) with ESMTP id r18MhERX024292 for <jose@ietf.org>; Fri, 8 Feb 2013 17:43:14 -0500
Received: (qmail 22542 invoked by uid 0); 8 Feb 2013 22:43:13 -0000
Received: from unknown (HELO salPC) (sal@idmachines.com@71.174.33.134) by 0 with ESMTPA; 8 Feb 2013 22:43:13 -0000
From: Salvatore D'Agostino <sal@idmachines.com>
To: jose@ietf.org
References: <510FCA42.5000704@isoc.org> <51156921.1070909@oracle.com>
In-Reply-To: <51156921.1070909@oracle.com>
Date: Fri, 08 Feb 2013 17:43:12 -0500
Message-ID: <0a8101ce064d$ad4d3610$07e7a230$@com>
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac4GQFck9AxT6aYGQwe6Uk3oyFfRbAADHB/w
Content-Language: en-us
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0A7D_01CE0623.C06D3E90"
Subject: Re: [jose] POLL(s): header criticality
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2013 22:43:17 -0000

Yes
Yes
No strong opinion

-----Original Message-----
From: Prateek Mishra [mailto:prateek.mishra@oracle.com]
Sent: Friday, February 08, 2013 4:08 PM
To: jose@ietf.org
Subject: Re: [jose] POLL(s): header criticality

FIRST POLL : Yes

- cause JOSE headers are security artifacts; when present, they must not be 
ignored by a processor of JOSE objects

SECOND POLL: Yes

- the language here is a bit confusing, i think the distinction sought here is 
between a deployment instance versus a static component (library). If I 
understand the intent here, the suggestion is that a deployment instance of a 
JOSE processor should treat JOSE-defined headers as critical.

THIRD POLL: C

- high-level list of ignorable headers (vs. adding annotation to each
header)

> Folks,
>
> I am wrestling with how to help drive consensus on the topic of
> criticality of headers. For background, please review the current
> specification text, the minutes to the Atlanta meeting (IETF85), and
> the mailing list (especially the discussion in December with (Subj:
> Whether implementations must understand all JOSE header fields)). We
> need to come to closure on this issue in order to progress the
> specifications.
>
> As a tool to gather further information on determining a way forward,
> the following polls have been created. Please respond before 11
> February 2013.
>
> Thanks,
> Karen
>
> *******************
> FIRST POLL: Should all header fields be critical for implementations
> to understand?
>
> YES - All header fields must continue to be understood by
> implementations or the input must be rejected.
>
> NO - A means of listing that specific header fields may be safely
> ignored should be defined.
>
> ********************
> SECOND POLL: Should the result of the first poll be "YES", should text
> like the following be added? "Implementation Note: The requirement to
> understand all header fields is a requirement on the system as a whole
> - not on any particular level of library software. For instance, a
> JOSE library could process the headers that it understands and then
> leave the processing of the rest of them up to the application. For
> those headers that the JOSE library didn't understand, the
> responsibility for fulfilling the 'MUST understand' requirement for
> the remaining headers would then fall to the application."
>
> YES - Add the text clarifying that the "MUST understand" requirement
> is a requirement on the system as a whole - not specifically on JOSE
> libraries.
>
> NO - Don't add the clarifying text.
>
> ************************
> THIRD POLL: Should the result of the first poll be "NO", which syntax
> would you prefer for designating the header fields that may be ignored
> if not understood?
>
> A - Define a header field that explicitly lists the fields that may be
> safely ignored if not understood.
>
> B - Introduce a second header, where implementations must understand
> all fields in the first but they may ignore not-understood fields in
> the second.
>
> C - Other??? (Please specify in detail.)
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email