Re: [jose] FW: Should we delete the "typ" header field
Richard Barnes <rlb@ipv.sx> Sun, 14 July 2013 20:32 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8D7D21F9CC7 for <jose@ietfa.amsl.com>; Sun, 14 Jul 2013 13:32:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.076
X-Spam-Level:
X-Spam-Status: No, score=-3.076 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, GB_I_INVITATION=-2, HTML_MESSAGE=0.001, J_CHICKENPOX_23=0.6, RCVD_IN_DNSWL_LOW=-1, SARE_OEM_S_DOL=1.2]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HUEmxq2CZiVv for <jose@ietfa.amsl.com>; Sun, 14 Jul 2013 13:32:49 -0700 (PDT)
Received: from mail-ob0-f171.google.com (mail-ob0-f171.google.com [209.85.214.171]) by ietfa.amsl.com (Postfix) with ESMTP id B7C2F21F9CA8 for <jose@ietf.org>; Sun, 14 Jul 2013 13:32:49 -0700 (PDT)
Received: by mail-ob0-f171.google.com with SMTP id dn14so13266929obc.16 for <jose@ietf.org>; Sun, 14 Jul 2013 13:32:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=5ZGCBWmxruu2VqqZFZXTl88zvrypHXzZGdf28j5Ccts=; b=SVMy43tXPEpbM6BZa2/2UAn3uDJoj4eAtX0wHs1m79HVikBK0NYv7I/xh5R2TL51iM Crf4iPiNCWHIvQ2nxOzszCwLqdAqk8UAXMypO9zoCHxkNxo4A+ds3lAZmpZbrdMi1Fgs YUA6zvE+vfeI3V3IFpvr0y4t/XBxg6cGtoYyEBX0HVpAOo4ziMHdaN3WQuPquKy7FwNt 3A5PLAEMC6VxlO4iFkNhwgZLQ5pXuhbP5eVJI14QXdnnqHLoKNfUjTxwazXC7eTnAG0f mkHlPwdbgl/m7nvXlgteROfyilFtWMX6zadQTiFcqHXEsDeElia2XNaDuq368LnQBV4W Sd4A==
MIME-Version: 1.0
X-Received: by 10.182.205.138 with SMTP id lg10mr41468263obc.6.1373833969209; Sun, 14 Jul 2013 13:32:49 -0700 (PDT)
Received: by 10.60.26.135 with HTTP; Sun, 14 Jul 2013 13:32:49 -0700 (PDT)
X-Originating-IP: [108.48.145.202]
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436B6BE677@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436B6B9547@TK5EX14MBXC283.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E1151C58C9F5@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B16804296739436B6BE677@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Sun, 14 Jul 2013 16:32:49 -0400
Message-ID: <CAL02cgTWSAxsR+s46UP+9Z8bOjf8poF1h+x_tQ1P6WJ1NfU=oQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11c290b8b723ec04e17ea501"
X-Gm-Message-State: ALoCoQnCIV4nE3Ou3ChCPaLBASHD5YkuAPjQEIVIDh414diUJryFtN4g/ilzxakiBYWGPWyJSofM
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] FW: Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jul 2013 20:32:54 -0000
I think James's point is that there's no point to using "typ": "JOSE". If you've already parsed the object far enough to read that field, you know it's a JOSE object. So we should just remove that value. --Richard On Sun, Jul 14, 2013 at 4:09 PM, Mike Jones <Michael.Jones@microsoft.com>wrote: > It can be application-specific if the application chooses to use that > value. I will plan change the sentence in question by adding the words “by > applications” as below to eliminate the potential ambiguity that you > identified:**** > > The type value *"JOSE" MAY be* used by applications**** > > to indicate that this object is a *JWS or* JWE using the *JWS Compact* > > * Serialization or the* JWE Compact Serialization.**** > > ** ** > > As for the choice of the names “JOSE” and “JOSE+JSON”, those reflect the > decision on the last call to change from the type-specific MIME types > application/jws, application/jwe, application/jws+json, and > application/jwe+json to the more inclusive names application/jose and > application/jose+json. Both the MIME types exist because the > serializations use different representations, and so their content types > need to be different.**** > > ** ** > > -- Mike**** > > ** ** > > *From:* Manger, James H [mailto:James.H.Manger@team.telstra.com] > *Sent:* Saturday, July 13, 2013 6:41 AM > *To:* Mike Jones; jose@ietf.org > > *Subject:* RE: [jose] FW: Should we delete the "typ" header field**** > > ** ** > > Mike,**** > > ** ** > > The “typ” changes (below) make no sense.**** > > The first sentence is marginally clearer that “typ” is some sort of label > for a higher-layer (above JOSE processing), eg values are > application-specific. But the very next sentence suggests “JOSE” as a > value! Argh!! How can that be “application-specific”? It is the definition > of not application-specific. Defining “JOSE+JSON” in the next sentence is > even worse. That makes It seem that “typ” is indicating the serialization, > which everyone (including yourself) have agreed is wrong.**** > > ** ** > > ** ** > > -- from > http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-jose-json-web-encryption-12.txt > **** > > ** ** > > *4.1.10.* "typ" (Type) Header Parameter**** > > ** ** > > The "typ" (type) header parameter is *MAY be* used to declare the type > of**** > > this**** > > object. *complete JWE object in an application-specific manner in* > > * contexts where this is useful to the application. This parameter has* > > * no effect upon the JWE processing.* The type value "JWE" is *"JOSE" > MAY be* used**** > > to indicate that this object is a *JWS or* JWE using the *JWS Compact* > > * Serialization or the* JWE Compact Serialization. The type value > "JWE+JSON"**** > > is**** > > *"JOSE+JSON" MAY be* used to indicate that this object is a *JWS or*JWE > **** > > using the *JWS JSON Serialization or the* JWE JSON Serialization.**** > > Other type values MAY be used, and if not understood, SHOULD be**** > > ignored. The "typ" value is a case sensitive string. Use of this**** > > header parameter is OPTIONAL.**** > > ** ** > > MIME Media Type [RFC2046] values MAY be used as "typ" values.**** > > ** ** > > "typ" values SHOULD either be registered in the IANA JSON Web**** > > Signature and Encryption Type Values registry [JWS] or be a value**** > > that contains a Collision Resistant Namespace.**** > > ** ** > > ** ** > > --**** > > James Manger**** > > ** ** > > *From:* Mike Jones [mailto:Michael.Jones@microsoft.com<Michael.Jones@microsoft.com>] > > *Sent:* Saturday, 13 July 2013 1:32 AM > *To:* Manger, James H; jose@ietf.org > *Subject:* RE: [jose] FW: Should we delete the "typ" header field**** > > ** ** > > I’ve applied the proposed changes in the -12 drafts.**** > > ** ** > > -- Mike**** > > ** ** > > *From:* Mike Jones > *Sent:* Thursday, May 30, 2013 12:22 AM > *To:* 'Manger, James H'; jose@ietf.org > *Subject:* RE: [jose] FW: Should we delete the "typ" header field**** > > ** ** > > I agree, given this thread, that clarified wording is in order along the > lines of that which you suggest. Thanks for writing it. I’ll put doing so > on my to-do list.**** > > ** ** > > The purpose of the “JWS” and “JWE” types is to provide standard > identifiers for applications that may want to use them, either in the “typ” > field or the “cty” field (the values of which are in the same namespace). > I’ll plan to similarly clarify that the semantics of “cty” are > application-specific and the contents of “cty” do not affect the JOSE > processing.**** > > ** ** > > Best wishes,** > ** > > -- Mike**** > > ** ** > > *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org<jose-bounces@ietf.org>] > *On Behalf Of *Manger, James H > *Sent:* Thursday, May 30, 2013 12:17 AM > *To:* jose@ietf.org > *Subject:* [jose] FW: Should we delete the "typ" header field**** > > ** ** > > > The purpose of “typ” is your 3.**** > > ** ** > > Then why define "typ":"JWS", "typ":"JWS+JSON", "typ":"JWE", and > "typ":"JWE+JSON"?**** > > These values cause confusion as they only make sense for purposes [1] and > [2].**** > > ** ** > > The text describing "typ" says it declares the “type of this object”.**** > > This clearly also causes massive confusion. The object is obviously a JOSE > message; it is also obviously a JWS or JWE; it might also be a JWT, or a > missile launch instruction, or a meeting invitation, or anything. “type” > and “object” are too generic for readers to get the same understanding.*** > * > > ** ** > > At a minimum it should be radically rephrased. Perhaps:**** > > “The "xxx" header parameter can be used to hold an application-specific > string identifying the meaning of a JOSE message to an application. This > parameter has no affect on JOSE processing.”**** > > ** ** > > --**** > > James Manger**** > > ** ** > > *From:* Mike Jones [mailto:Michael.Jones@microsoft.com<Michael.Jones@microsoft.com>] > > *Sent:* Thursday, 30 May 2013 4:45 PM > *To:* Manger, James H; jose@ietf.org > *Subject:* RE: [jose] Should we delete the "typ" header field**** > > ** ** > > The purpose of “typ” is your 3.**** > > ** ** > > There can already be no confusion about 1 because they’re syntactically > completely different. 2 is unnecessary because the “alg” value (or the > existence of “enc”) already distinguishes between JWS and JWE semantics.** > ** > > ** ** > > -- Mike**** > > ** ** > > *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org<jose-bounces@ietf.org>] > *On Behalf Of *Manger, James H > *Sent:* Wednesday, May 29, 2013 11:08 PM > *To:* jose@ietf.org > *Subject:* Re: [jose] Should we delete the "typ" header field**** > > ** ** > > > Can anybody justify why this field should be present in the document – > or should it just disappear?**** > > ** ** > > It seems there are at least 3 different meanings given to "typ" in the > header of a JOSE message:**** > > ** ** > > [1] The "typ" value indicates the serialization of the JOSE message. For > example, "typ":"JWE" and "typ":"JWE+JSON" distinguish the compact > (dot-separated-b64-blobs) and JSON serializations.**** > > ** ** > > [2] The "typ" value indicates the high-level semantics of the JOSE > structure. For example, "typ":"JWE" and "typ":"JWS" distinguish the > semantics defined in the separate JWE and JWS specifications.**** > > ** ** > > [3] The "typ" value indicates the application-layer semantics of the > message. For example, "typ":"JWT" value indicates that the message conveys > a set of claims (as a JSON object) wrapped as a JOSE message (either > unprotected, signed, MACed, encrypted, or signed then encrypted) that use > the compact serialization.**** > > ** ** > > Indicating the serialization [1] does not seem helpful as the recipient > needs to know the serialization before they can extract the header to see > the "typ" value. Indicating the serialization is actually harmful as it > tightly couples a message to one serialization, whereas serialization is > generally thought of as a transport-layer choice that is independent of the > message security or semantics.**** > > ** ** > > Indicating the high-level semantics of the JOSE structure [2] is slightly > useful so a message can be switched to different code according to its > structure. It is not that useful, however, as further switching is required > to distinguish different modes (eg unprotected vs asymmetric signature vs > MAC). This meaning only helps if the field is made mandatory, and the > presence/absence of the "enc" field or looking up the class of the "alg" > value are not specified as alternatives.**** > > ** ** > > Being able to indicate application-layer semantics [3] could theoretically > be useful. Perhaps the "profile" attribute or "rel=’profile’" link relation > in HTML5 is analogous. In this case JOSE should not define values for the > field. "JWS", "JWS+JSON", "JWE", and "JWE+JSON" make no sense as > application-layer semantics — and certainly not inside the JOSE message.** > ** > > ** ** > > Most (all?) of the many specs mentioning the "typ" field make it optional, > and if they suggest particular "typ" values those are only “MAY”s or > “SHOULD”s — not “MUST”s. Consequently, apps cannot rely on "typ" regardless > of its meaning.**** > > ** ** > > ** ** > > My suggestions:**** > > ** ** > > * For [1], define two media types to distinguish the two serializations, > not a header field.**** > > ** ** > > * 1st preference for [3], drop it from JOSE specs; let an application > using JOSE (eg JWT) define a field (and value) for this. If the application > defines the field in a generic fashion for reuse by other applications that > is a nice bonus.**** > > ** ** > > * 2nd preference for [3], define a field (but no values) that can hold an > application-layer semantics identifier – but only put this definition in a > spec that defines JOSE messages as a whole (not specs specific to JWE or > JWS). Use a different name: "app" or "profile" or "mean"ing or "pur"pose.* > *** > > ** ** > > * For [2], define a mandatory field that indicates the semantics of the > JOSE structure at a low enough level that a JOSE implementation built on > top of a crypto library could (almost) work without needing to recognize > the "alg" value. "typ" would have been a reasonable name for this field but > is now too polluted with confusion. How about "t"?**** > > Consider for instance a JOSE implementation that only supports > "alg":"HS256". To add support for "alg":"HS3" (HMAC with SHA-3) minimal (if > any) new code is needed in a JOSE layer: perhaps an extra table entry > mapping the JOSE label "HS3" to a crypto library label (eg "HmacSHA3"). > "t":"mac" can accompany both these algs. To support "alg":"RS512", in > contrast, requires calls to different crypto library functions (knowing the > difference between public & private keys for instance). This deserves a > separate value, say, "t":"sig".**** > > ** ** > > --**** > > James Manger**** > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > >
- [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] FW: Should we delete the "typ" header … Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Manger, James H
- Re: [jose] Should we delete the "typ" header field Mike Jones
- [jose] FW: Should we delete the "typ" header field Manger, James H
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Richer, Justin P.
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Anthony Nadalin
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Brian Campbell
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Manger, James H
- Re: [jose] Should we delete the "typ" header field Axel.Nennker
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Richard Barnes
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Jim Schaad
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H