Re: [jose] POLL(s): header criticality

Dick Hardt <> Wed, 06 February 2013 17:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 04F0A21F897A for <>; Wed, 6 Feb 2013 09:03:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KsWevNtI0A2Y for <>; Wed, 6 Feb 2013 09:03:19 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 6067C21F85CC for <>; Wed, 6 Feb 2013 09:03:19 -0800 (PST)
Received: by with SMTP id fa10so941215pad.41 for <>; Wed, 06 Feb 2013 09:03:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer; bh=dHrnPDt7Ta8BK1ZVtdBwycA9vo7EiqE9XqmvFZjZicg=; b=XqDbg83ZT8HyR6vUZGAw6pykGDBEnz3yYMKigGs5g7qcRnR4UGz2oNDoij5ZG3a4rQ CqOiM+qs4atW+zbj8DdIr1ZOVx6bqo/asK9lU+yDWdoYky/yQg3QfRr6gwXRoj9TBJBm 2+3ykPMCfybGL9fxZTqg3EPg51zbzsgnUQusfe88754fP6phbIHo1qXaI6NeA+KGyqf8 swreI2E4uZRhnP9jfxZvDi8/KZlAQjGTu9qqwb0Vsbkt3dhCVW7BLcQscgaVEKJAwgMx X0hNs58Q9xhwHA0exH3eOY0XC7Z3VhW/8qiBRkmP9LvtjMgC8p0ZaSELJEPLxLG9cUpi 0Y4g==
X-Received: by with SMTP id a2mr77482283paw.65.1360170198829; Wed, 06 Feb 2013 09:03:18 -0800 (PST)
Received: from [] ( []) by with ESMTPS id q2sm1439658pav.0.2013. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 06 Feb 2013 09:03:15 -0800 (PST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Dick Hardt <>
In-Reply-To: <>
Date: Wed, 06 Feb 2013 09:03:12 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
X-Mailer: Apple Mail (2.1499)
Subject: Re: [jose] POLL(s): header criticality
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 06 Feb 2013 17:03:20 -0000




On Feb 4, 2013, at 6:48 AM, Karen O'Donoghue <> wrote:

> Folks,
> I am wrestling with how to help drive consensus on the topic of criticality of headers. For background, please review the current specification text, the minutes to the Atlanta meeting (IETF85), and the mailing list (especially the discussion in December with (Subj: Whether implementations must understand all JOSE header fields)). We need to come to closure on this issue in order to progress the specifications.
> As a tool to gather further information on determining a way forward, the following polls have been created. Please respond before 11 February 2013.
> Thanks,
> Karen
> *******************
> FIRST POLL: Should all header fields be critical for implementations to understand?
> YES – All header fields must continue to be understood by implementations or the input must be rejected.
> NO – A means of listing that specific header fields may be safely ignored should be defined.
> ********************
> SECOND POLL: Should the result of the first poll be "YES", should text like the following be added? “Implementation Note: The requirement to understand all header fields is a requirement on the system as a whole – not on any particular level of library software. For instance, a JOSE library could process the headers that it understands and then leave the processing of the rest of them up to the application. For those headers that the JOSE library didn’t understand, the responsibility for fulfilling the ‘MUST understand’ requirement for the remaining headers would then fall to the application.”
> YES – Add the text clarifying that the “MUST understand” requirement is a requirement on the system as a whole – not specifically on JOSE libraries.
> NO – Don’t add the clarifying text.
> ************************
> THIRD POLL: Should the result of the first poll be "NO", which syntax would you prefer for designating the header fields that may be ignored if not understood?
> A – Define a header field that explicitly lists the fields that may be safely ignored if not understood.
> B – Introduce a second header, where implementations must understand all fields in the first but they may ignore not-understood fields in the second.
> C - Other??? (Please specify in detail.)
> _______________________________________________
> jose mailing list