Re: [jose] #15: Broken examples in JWE / JWS
"Jim Schaad" <ietf@augustcellars.com> Sat, 23 March 2013 01:16 UTC
From: Jim Schaad <ietf@augustcellars.com>
To: 'Richard Barnes' <rlb@ipv.sx>
Date: Fri, 22 Mar 2013 18:15:40 -0700
Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org, jose@ietf.org
Subject: Re: [jose] #15: Broken examples in JWE / JWS
This may or may not be a flaw in the specification. However, the item you created in the tracker does not reflect what you have put here. I think you would be better served by saying that there is a flaw in the specifications in that there should be a MUST that some type of key or key reference is required in a JWS or JWE. I would note that your example code should be more complex in that it does not deal with jku or any of the x* methods of referencing keys.

Jim

From: Richard Barnes [mailto:rlb@ipv.sx]
Sent: Friday, March 22, 2013 4:09 PM
To: Jim Schaad
Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; jose@ietf.org
Subject: Re: [jose] #15: Broken examples in JWE / JWS

I admit that they are not broken according to the current spec. However, I have a lot of trouble figuring out how I would write code to process them. If "kid" or "jwk" MUST be present to indicate what key I should use, then I can have deterministic code:

    if (/* recognized "kid" or "jwk" value */) {
        /* use it */
    } else {
        /* FAIL. can't process this object */
    }

As the spec stands, I have no idea what to put in that "else" clause. I'm clearly not supposed to fail, because the parameters are optional. But what else?

    if (/* recognized "kid" or "jwk" value */) {
        /* use it */
    } else {
        /* insert special magic here */
    }

This is actually what SPI is supposed to clear up. SPI would provide an explicit third branch for the special magic to live in.

    if (/* recognized "kid" or "jwk" value */) {
        /* use it */
    } else if (/* recognized SPI value */) {
        /* process using stored parameters */
    } else {
        /* FAIL. can't process this object */
    }

But without the concept of SPI, the spec is broken because of the non-determinism noted above.

--Richard

On Fri, Mar 22, 2013 at 6:13 PM, Jim Schaad <ietf@augustcellars.com> wrote:

My inclination is that this response is correct. What makes you think that the key or key reference is required and cannot be implied?
Jim

> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of jose issue tracker
> Sent: Friday, March 22, 2013 2:37 PM
> To: draft-ietf-jose-json-web-encryption@tools.ietf.org; ignisvulpis@gmail.com
> Cc: jose@ietf.org
> Subject: Re: [jose] #15: Broken examples in JWE / JWS
>
> #15: Broken examples in JWE / JWS
>
> Comment (by ignisvulpis@gmail.com):
>
> I think this is not an issue. The examples are NOT broken and they do not need a fix.
> I suggest closing this ticket.
> The draft should definitely not make these illegal. These objects are perfect examples for a valid JWS/JWE.
>
> --
> Reporter:  rlb@ipv.sx          | Owner:      draft-ietf-jose-json-web-encryption@tools.ietf.org
> Type:      defect              | Status:     new
> Priority:  minor               | Milestone:
> Component: json-web-encryption | Version:
> Severity:  -                   | Resolution:
> Keywords:                      |
>
> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/15#comment:1>
> jose <http://tools.ietf.org/jose/>
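The deterministic key-selection branch Richard sketches, extended to the jku and x5* references Jim asks for, as an added example that is not part of the thread or of the JOSE drafts. The trust tables, sample keys and DER bytes are constructed for the example; a header that names no recognised key reference fails closed instead of falling into the "special magic" else-clause.

```python
import base64
import hashlib

# Constructed trust store for this example (not from the thread). A verifier
# decides up front which keys, JWK Set URLs and certificate thumbprints it
# honours; nothing named in a header is trusted merely because it is present.
KEY_A = {"kty": "oct", "k": "QUJDREVGR0g"}            # constructed sample key
KEY_B = {"kty": "oct", "k": "MTIzNDU2Nzg"}            # constructed sample key
CERT_DER = b"constructed-der-bytes-for-example"       # stands in for a DER cert
SAMPLE_X5C = [base64.b64encode(CERT_DER).decode()]    # x5c carries standard base64

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

X5T_SHA1 = b64url(hashlib.sha1(CERT_DER).digest())      # x5t thumbprint form
X5T_SHA256 = b64url(hashlib.sha256(CERT_DER).digest())  # x5t#S256 thumbprint form
TRUSTED_KIDS = {"key-a": KEY_A}
TRUSTED_JKU = {"https://issuer.example/jwks.json": {"key-a": KEY_A, "key-b": KEY_B}}
TRUSTED_X5T = {X5T_SHA1: KEY_B, X5T_SHA256: KEY_B}

class KeyResolutionError(Exception):
    pass

def resolve_key(header: dict) -> dict:
    """Pick the verification/decryption key named by a JWS/JWE header, or fail."""
    if "jku" in header:                       # JWK Set by reference
        jwks = TRUSTED_JKU.get(header["jku"])
        if jwks is None:
            raise KeyResolutionError("jku not in allowlist; refusing to fetch it")
        if "kid" not in header:
            raise KeyResolutionError("jku without kid is ambiguous")
        key = jwks.get(header["kid"])
    elif "jwk" in header:                     # embedded key: only if already trusted
        key = next((k for k in TRUSTED_KIDS.values() if k == header["jwk"]), None)
    elif "x5c" in header:                     # cert chain: match the leaf thumbprint
        leaf = base64.b64decode(header["x5c"][0])
        key = TRUSTED_X5T.get(b64url(hashlib.sha1(leaf).digest()))
    elif "x5t#S256" in header:
        key = TRUSTED_X5T.get(header["x5t#S256"])
    elif "x5t" in header:
        key = TRUSTED_X5T.get(header["x5t"])
    elif "x5u" in header:                     # never dereference a header-supplied URL
        raise KeyResolutionError("x5u: certificate URLs are not fetched here")
    elif "kid" in header:                     # bare kid: lookup in local key table
        key = TRUSTED_KIDS.get(header["kid"])
    else:                                     # Richard's else-branch: FAIL, not magic
        raise KeyResolutionError("no key reference in header")
    if key is None:
        raise KeyResolutionError("key reference not recognised")
    return key
```

An SPI branch, as proposed in the thread, would slot in as one more elif that looks the value up in locally stored parameters; the fail-closed else stays.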