Re: [jose] Should we delete the "typ" header field
"Jim Schaad" <ietf@augustcellars.com> Thu, 30 May 2013 01:15 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1BCD21F939E for <jose@ietfa.amsl.com>; Wed, 29 May 2013 18:15:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.449
X-Spam-Level:
X-Spam-Status: No, score=-3.449 tagged_above=-999 required=5 tests=[AWL=0.149, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 164qmMeR7yP6 for <jose@ietfa.amsl.com>; Wed, 29 May 2013 18:15:01 -0700 (PDT)
Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.177]) by ietfa.amsl.com (Postfix) with ESMTP id AF17021F93DC for <jose@ietf.org>; Wed, 29 May 2013 18:15:01 -0700 (PDT)
Received: from Philemon (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id AF4CE38EF2; Wed, 29 May 2013 18:14:59 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, 'Dick Hardt' <dick.hardt@gmail.com>, 'John Bradley' <ve7jtb@ve7jtb.com>
References: <02b701ce5cb8$46ae77e0$d40b67a0$@augustcellars.com> <CAD9ie-vK3gY9b9GQrbUa=TACy5KVA1uPH_u_utucoKzVynjuiA@mail.gmail.com> <02f501ce5cc5$ec9a2200$c5ce6600$@augustcellars.com> <CAD9ie-uV-THE0+oL-dNUB0qXF7sx8jHMZDCz8vGESmUHWV=LMg@mail.gmail.com> <C84C740C-CA7F-40F4-829B-1A1C09EF357F@ve7jtb.com> <CAD9ie-tgN7NyEU4_AP=KvcJZWSY_iOk85YYR_7zndb5ZGcP3Bw@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C5D3E@TK5EX14MBXC285.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943677C5D3E@TK5EX14MBXC285.redmond.corp.microsoft.com>
Date: Wed, 29 May 2013 18:14:09 -0700
Message-ID: <035301ce5cd2$fec5da70$fc518f50$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0354_01CE5C98.526CF5E0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQL+gOaQctokYsIF5NqCLBrsp9OxugIREdBOAZxwGYYA+xTLLwEDZ2t9AYFeTdABaU0S0pZ37sBQ
Content-Language: en-us
Cc: jose@ietf.org
Subject: Re: [jose] Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 01:15:07 -0000
Interesting fragment from the signature draft section 4.1.9 For example, the JSON Web Token (JWT) [JWT <http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11#ref-JWT> ] specification uses the "cty" value "JWT" to indicate that the Payload is a JSON Web Token (JWT). From: Mike Jones [mailto:Michael.Jones@microsoft.com] Sent: Wednesday, May 29, 2013 5:42 PM To: Dick Hardt; John Bradley Cc: Jim Schaad; jose@ietf.org Subject: RE: [jose] Should we delete the "typ" header field Actually, John, the text in the JWT spec is <http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-5.1> : <http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-5.1> 5.1. "typ" (Type) Header Parameter The "typ" (type) header parameter is used to declare the type of this object. If present, it is RECOMMENDED that its value be either "JWT" or "urn:ietf:params:oauth:token-type:jwt" to indicate that this object is a JWT. The "typ" value is a case sensitive string. Use of this header parameter is OPTIONAL. The reason I'm pointing this out is that your message could be read to mean that the JWT spec requires the use of the "typ" parameter, which it doesn't. What it does do is RECOMMEND values to use, should they be useful in context. It needs to remain OPTIONAL. Answering Dick's question "What else would it unwrap to?" - if you have a nested JWT, it could unwrap to a JWT which was the Payload or Plaintext value, rather than a JWT Claims Set. -- Mike From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Dick Hardt Sent: Wednesday, May 29, 2013 5:30 PM To: John Bradley Cc: Jim Schaad; jose@ietf.org Subject: Re: [jose] Should we delete the "typ" header field On Wed, May 29, 2013 at 5:25 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: In the JWT spec the value of "typ" SHOULD be "jwt". That indicates as Mike stated that it is a JWT in compact format that has as its body a jwt claim set. If the claim set is signed then encrypted, the inner JWT has a a typ of jwt and no cty , and the outer one has a typ of JWT and a cty of jws. I'm doing symmetric encryption with an integrity check, so I don't have a JWT in a JWE If a JOSE object has a typ of jws then one would assume that it is a jws in compact serialization with some other body type then a jwt claimset. I think this is somewhat a symptom of the JWT and JOSE specs getting split into different WG. So Mike can correct me but I don't think putting jwe or jws in typ is the intended use of that element if you are in fact sending JWT. I understand where Jim is coming from I think of JWT as a jwt claim-set and JWE and JWS as the outer layer, where JWT thinks of itself as a total security token definition including overall processing rules for security tokens, with a standard envelope segment and JWE or JWS encoding as determined by the alg. That is confusing to me. In security token processing knowing that what you have will unwrap to a JWT claim-set , rather than to some other thing is quite important. What else would it unwrap to? John B. On 2013-05-29, at 7:56 PM, Dick Hardt <dick.hardt@gmail.com> wrote: I use it all the time and my code would barf if it was not there. I think it should be required rather than be a hint if it is going ot be there. On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <ietf@augustcellars.com> wrote: I think the values just changed However the way you are using it would be an argument to say that it should be a required field. Are you just using it as a hint if it exists and then looking at the rest of the fields if it is not present? Jim From: Dick Hardt [mailto:dick.hardt@gmail.com] Sent: Wednesday, May 29, 2013 3:49 PM To: Jim Schaad Cc: jose@ietf.org Subject: Re: [jose] Should we delete the "typ" header field Well, I have been using, but now realize the spec changed or I was confused. I had been setting "typ" to be either "JWE" or "JWS" depending on the type of token I was creating or parsing as it was easier than looking at "alg" As currently defined, I don't see value in "typ". -- Dick On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <ietf@augustcellars.com> wrote: In reading the documents, I am trying to understand the justification for having the "typ" header parameter in the JOSE documents. The purpose of the field is to hold the type of the object. In the past, I believe that values which should now be placed in the cty field (such as "JWT") were placed in this field as well. However the parameter is optional and an implementation cannot rely on its being present. This means that for all practical purposes all of the code to determine the value of the type field from the values of the alg and enc fields. If the field was mandatory then this code would disappear at a fairly small space cost and I can understand why the parameter would be present. Can anybody justify why this field should be present in the document - or should it just disappear? Jim _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose -- -- Dick -- -- Dick _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose -- -- Dick
- [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] FW: Should we delete the "typ" header … Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Manger, James H
- Re: [jose] Should we delete the "typ" header field Mike Jones
- [jose] FW: Should we delete the "typ" header field Manger, James H
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Richer, Justin P.
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Anthony Nadalin
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Brian Campbell
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Manger, James H
- Re: [jose] Should we delete the "typ" header field Axel.Nennker
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Richard Barnes
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Jim Schaad
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H