IETF Logo Mail Archive

Re: [jose] Proposed resolution of header criticality issue

"Vladimir Dzhuvinov / NimbusDS" <vladimir@nimbusds.com> Tue, 12 March 2013 06:44 UTC

Return-Path: <vladimir@nimbusds.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E01E21F8739 for <jose@ietfa.amsl.com>; Mon, 11 Mar 2013 23:44:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZFhf-u3zPey5 for <jose@ietfa.amsl.com>; Mon, 11 Mar 2013 23:44:52 -0700 (PDT)
Received: from n1plwbeout07-02.prod.ams1.secureserver.net (n1plsmtp07-02-02.prod.ams1.secureserver.net [188.121.52.107]) by ietfa.amsl.com (Postfix) with SMTP id 3DCF021F8518 for <jose@ietf.org>; Mon, 11 Mar 2013 23:44:52 -0700 (PDT)
Received: (qmail 9858 invoked from network); 12 Mar 2013 06:44:50 -0000
Received: from unknown (HELO localhost) (188.121.52.244) by n1plwbeout07-02.prod.ams1.secureserver.net with SMTP; 12 Mar 2013 06:44:49 -0000
Received: (qmail 7210 invoked by uid 99); 12 Mar 2013 06:44:49 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
X-Originating-IP: 79.100.83.232
User-Agent: Workspace Webmail 5.6.33
Message-Id: <20130311234447.cc40c4f3d92d2001859047cd8cabb9ab.64d2aabe52.wbe@email07.europe.secureserver.net>
From: Vladimir Dzhuvinov / NimbusDS <vladimir@nimbusds.com>
To: jose@ietf.org
Date: Mon, 11 Mar 2013 23:44:47 -0700
Mime-Version: 1.0
Subject: Re: [jose] Proposed resolution of header criticality issue
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2013 06:44:55 -0000

How about "crt" instead of "crit", to fit the three-letter convention
for naming fields?

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir@nimbusds.com


-------- Original Message --------
Subject: [jose] Proposed resolution of header criticality issue
From: Karen O'Donoghue <odonoghue@isoc.org>
Date: Tue, March 12, 2013 12:31 am
To: jose@ietf.org

 
 Folks,
   
 A side meeting was held Sunday with a number of jose working group
participants to try to resolve the open issue related to header
criticality. The following are the proposed resolutions from the
meeting. Point 5 of the proposed resolution below is actually
independent of the other 4 points, and could be considered separately.
This will all be discussed in Wednesday's meeting. 
 
 In addition to the text below, there was some agreement to replace the
"understand" text with something a bit more explicit like "must
process". However, that text has not been rolled into the summary text
below yet. 
 
 Thank you to Jim Schaad, Mike Jones, John Bradley, Nat Sakimura, Martin
Thomas, Eric Rescorla, Matt Miller, and Richard Barnes for your efforts
(and my apologies if I missed someone). 
 
 Regards, 
 Karen
 
 1:  Change the language “Additional members MAY be present in the
JWK.  If present, they MUST be understood by implementations using
them.” to “Additional members MAY be present in the JWK.  If not
understood by implementations encountering them, they MUST be
ignored.”  (And make the same change for JWK Set as well.)
 
 2:  Characterize all existing JWS and JWE header fields as either must
be understood or may be ignored.  “alg”, “enc”, and “zip”
must be understood.  “kid”, “x5u”, “x5c”, “x5t”,
“jwk”, “jku”, “typ”, and “cty” can be ignored because
while not using them may result in the inability to process some
signatures or encrypted content, this will not result in a security
violation – just degraded functionality.  Other fields such as
“epk”, “apu”, “apv”, “epu”, and “epv” must be
understood and used when “alg” or “enc” values requiring them
are used, and otherwise they may be ignored.
 
 3.  Define a new header field that lists which additional fields not
defined in the base specifications must be understood and acted upon
when present.  For instance, an expiration-time extension field could be
marked as must-be-understood-and-acted-upon.  One possible name for this
would be “crit” (critical).  An example use, along with a
hypothetical “exp” (expiration-time) field is:
 
   {"alg":"ES256",
    "crit":["exp"],
    "exp”:1363284000
   }
 
 4.  All additional header fields not defined in the base specifications
and not contained in the “crit” list MUST be ignored if not
understood.
 
 5.  Define a new header field “asd” (application-specific data)
whose value is a JSON structure whose contents are opaque to and ignored
by JWS and JWE implementations but for which its contents MUST be
provided to applications using JWS or JWE, provided that the
signature/MAC validation or decryption operation succeeds.  The intended
use of this field is to have a standard place to provide
application-specific metadata about the payload or plaintext.
 
 


 

 _______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email