Re: [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)
Warren Kumari <warren@kumari.net> Wed, 17 September 2014 11:40 UTC
Return-Path: <warren@kumari.net>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BD0D1A00F5 for <jose@ietfa.amsl.com>; Wed, 17 Sep 2014 04:40:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vdOP3SUIvTs8 for <jose@ietfa.amsl.com>; Wed, 17 Sep 2014 04:40:09 -0700 (PDT)
Received: from mail-wi0-f171.google.com (mail-wi0-f171.google.com [209.85.212.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E3F31A011D for <jose@ietf.org>; Wed, 17 Sep 2014 04:40:07 -0700 (PDT)
Received: by mail-wi0-f171.google.com with SMTP id bs8so1022582wib.10 for <jose@ietf.org>; Wed, 17 Sep 2014 04:40:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=nXns91o69u7OIojyqugWnOQpJEqDh9CG7mMTbHGSw0Q=; b=W+8t4xEHm0hmKuuP5E8gVK3Xt8hXSAS2mUd6KWbmkj+qqTfo+HE1mWIu740TDx+Qu6 KsyUBh1dWtDZlAxTGvx7i5UIP2zL1fhvNPYIGH+w+vNdScTEjZZVHUTpW5a68gOBUu35 VrUHkiHTOfU3KJwWAzdP/y9UL6rqU8fuJYJqXR1m3m0jKJEmTITeL8UvO0rokbNEy8n6 bh0pbEY2xWACnHUvlY619PGBvoFwkndP102Rg3poEtfYLLW/RT9y7OyT0jCLhiU6r/KO rJlLtbHmMa7dxZZ3/9Blzuu8fK4U9ZrverPlkxtGnX0rGvePJJUDdPS+OrqTe6Ghs16i VY1Q==
X-Gm-Message-State: ALoCoQmiG4JbFR6nLlAgqr+dn8o5diPhZqtTZT5qJbhecC+EurSUYXLrS9UI/PZs07GQRwdJZExL
MIME-Version: 1.0
X-Received: by 10.194.24.169 with SMTP id v9mr2699538wjf.114.1410954005479; Wed, 17 Sep 2014 04:40:05 -0700 (PDT)
Received: by 10.194.62.39 with HTTP; Wed, 17 Sep 2014 04:40:05 -0700 (PDT)
In-Reply-To: <CAL02cgQvPX+znWqJmL+OroCwJbV1TvWBKCOEJbjEWPvJZmHp7g@mail.gmail.com>
References: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com> <CAL02cgQvPX+znWqJmL+OroCwJbV1TvWBKCOEJbjEWPvJZmHp7g@mail.gmail.com>
Date: Wed, 17 Sep 2014 07:40:05 -0400
Message-ID: <CAHw9_iJaU2QT=N1upprggyLp9_JJEXrGS2yPguDczf9FqgsM5A@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="047d7b45101a4a9ea60503415491"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/7o7VR5P0wAAmpumLCGy9wjdVAtA
X-Mailman-Approved-At: Wed, 17 Sep 2014 04:44:08 -0700
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-oauth-json-web-token.all@tools.ietf.org" <draft-ietf-oauth-json-web-token.all@tools.ietf.org>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Sep 2014 11:40:11 -0000
On Tuesday, September 16, 2014, Richard Barnes <rlb@ipv.sx> wrote: > I will re-iterate here my strong preference that an "unsecured" or > "plaintext" JWS object be syntactically distinct from a real JWS object. > E.g. by having two dot-separated components instead of three. > So, *I* was just grumping about the term used in the draft, but yes, these should (IMO, etc) be different. I'm also still uncomfortable about the "you can have the same information in the "secured" and "unsecured" section, but the secured one shold be trusted more bit. This seems like it will end in fail. (Apologies if this was already discussed and I missed it, and for rushed tone of mail, traveling...) W > Beyond that, seems like just shuffling deck chairs. > > On Mon, Sep 8, 2014 at 12:10 PM, Brian Campbell < > bcampbell@pingidentity.com > <javascript:_e(%7B%7D,'cvml','bcampbell@pingidentity.com');>> wrote: > >> cc'ing JOSE on a minor JWT review comment that might impact JWS/JWA. >> >> I agree that "plaintext” is not the most intuitive wording choice and >> that "unsecured" might better convey what's going on with the "none" JWS >> algorithm. >> >> Mike mentioned that, if this change is made in JWT, there are parallel >> changes in JWS. But note that there are also such changes in JWA (more than >> in JWS actually). >> >> On Fri, Sep 5, 2014 at 6:28 PM, Mike Jones <Michael.Jones@microsoft.com >> <javascript:_e(%7B%7D,'cvml','Michael.Jones@microsoft.com');>> wrote: >> >>> -----Original Message----- >>> From: Warren Kumari [mailto:warren@kumari.net >>> <javascript:_e(%7B%7D,'cvml','warren@kumari.net');>] >>> Sent: Monday, September 01, 2014 3:40 PM >>> To: secdir@ietf.org <javascript:_e(%7B%7D,'cvml','secdir@ietf.org');>; >>> draft-ietf-oauth-json-web-token.all@tools.ietf.org >>> <javascript:_e(%7B%7D,'cvml','draft-ietf-oauth-json-web-token.all@tools.ietf.org');> >>> Subject: Review of: draft-ietf-oauth-json-web-token >>> >>> I'm a little confused by something in the Terminology section (Section >>> 2): >>> >>> Plaintext JWT >>> >>> A JWT whose Claims are not integrity protected or encrypted. >>> >>> The term plaintext to me means something like "is readable without >>> decrypting / much decoding" (something like, if you cat the file to a >>> terminal, you will see the information). Integrity protecting a string >>> doesn't make it not easily readable. If this document / JOSE uses >>> "plaintext" differently (and a quick skim didn't find anything about >>> >>> this) it might be good to clarify. Section 6 *does* discuss plaintext >>> JWTs, but doesn't really clarify the (IMO) unusual meaning of the term >>> "plaintext" here. >>> >>> >>> >>> I’ve discussed this with the other document editors and we agree with >>> you that “plaintext” is not the most intuitive wording choice in this >>> context. Possible alternative terms are “Unsecured JWT” or “Unsigned >>> JWT”. I think that “Unsecured JWT” is probably the preferred term, since >>> JWTs that are JWEs are also unsigned, but they are secured. Working group >>> – are you OK with this possible terminology change? (Note that the >>> parallel change “Plaintext JWS” -> “Unsecured JWS” would also be made in >>> the JWS spec.) >>> >>> >>> >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org <javascript:_e(%7B%7D,'cvml','jose@ietf.org');> >> https://www.ietf.org/mailman/listinfo/jose >> >> > -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [jose] alternative term to "plaintext" for the "n… Brian Campbell
- Re: [jose] alternative term to "plaintext" for th… Richard Barnes
- Re: [jose] alternative term to "plaintext" for th… Warren Kumari
- Re: [jose] alternative term to "plaintext" for th… Mike Jones
- Re: [jose] alternative term to "plaintext" for th… Warren Kumari
- Re: [jose] alternative term to "plaintext" for th… Mike Jones
- Re: [jose] alternative term to "plaintext" for th… Mike Jones