Re: [jose] #27: member names MUST be unique needs additional text

"jose issue tracker" <trac+jose@trac.tools.ietf.org> Wed, 26 June 2013 00:41 UTC

#27: member names MUST be unique needs additional text


Comment (by michael.jones@microsoft.com):

 The JWS draft currently says:

         The Header Parameter Names within the JWS Header MUST be unique;
         JWSs with duplicate Header Parameter Names MUST be rejected.

 How about changing this to:

         The Header Parameter Names within the JWS Header MUST be unique;
         JWSs with duplicate Header Parameter Names MUST be rejected.
         This is necessary to prevent attacks in which the same JWS might
         be interpreted in different ways by different implementations and
         to prevent attackers from hiding extra content in duplicate member
         values. If the platform’s JSON parser does not reject input with
         duplicate member names, the input will first need to be separately
         parsed to reject these invalid inputs before using the platform’s
         parser.

-- 
---------------------------------------------------------------------------
   Reporter:  ietf@augustcellars.com
      Owner:  draft-ietf-jose-json-web-signature@tools.ietf.org
       Type:  defect
     Status:  new
   Priority:  major
  Milestone:
  Component:  json-web-signature
    Version:
 Resolution:
   Severity:  -
   Keywords:
---------------------------------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/27#comment:1>
jose <http://tools.ietf.org/jose/>
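
Added example, not part of the original message or the JWS draft: one way to perform the duplicate-name rejection the comment describes when the platform parser accepts duplicates, here with the pair hook of Python's standard json module. The helper names and the sample tokens are constructed for illustration.

```python
import base64
import json


class DuplicateMemberError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # json calls this hook for every object, nested ones included, with the
    # members in document order and names already unescaped, so "alg" and
    # "\u0061lg" compare equal here.
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise DuplicateMemberError(f"duplicate member name: {name!r}")
        seen[name] = value
    return seen


def b64url_decode(segment: str) -> bytes:
    # JWS uses base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jws_header(compact_jws: str) -> dict:
    """Decode the header of a JWS Compact Serialization, rejecting duplicates."""
    header_segment = compact_jws.split(".")[0]
    header = json.loads(b64url_decode(header_segment).decode("utf-8"),
                        object_pairs_hook=_reject_duplicates)
    if not isinstance(header, dict):
        raise ValueError("JWS Header must be a JSON object")
    return header


def make_jws(header_json: str) -> str:
    # Constructed sample input: header plus dummy payload and signature parts.
    enc = base64.urlsafe_b64encode(header_json.encode()).rstrip(b"=").decode()
    return enc + ".e30.c2ln"


GOOD = make_jws('{"alg":"HS256","typ":"JWT"}')
DUPLICATE = make_jws('{"alg":"HS256","alg":"RS256"}')
ESCAPED = make_jws('{"alg":"HS256","\\u0061lg":"RS256"}')

if __name__ == "__main__":
    print(parse_jws_header(GOOD))
    # Python's default parser silently keeps the last value:
    print(json.loads('{"alg":"HS256","alg":"RS256"}'))
```

Because the hook runs inside the platform parser, no second parsing pass is needed in Python; on platforms without such a hook the separate pre-parse the comment mentions is still required.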