Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Mike Jones <Michael.Jones@microsoft.com> Mon, 15 September 2014 16:54 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Tim Bray <tbray@textuality.com>, Stephen Kent <kent@bbn.com>
Date: Mon, 15 Sep 2014 16:20:03 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/AnH0DrVRlwABODfL7oL7ai0WefI
Cc: "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "jose@ietf.org" <jose@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>

Thanks Tim – that was exactly the point that caused the working group to change to the current behavior.

From: Tim Bray [mailto:tbray@textuality.com]
Sent: Monday, September 15, 2014 9:13 AM
To: Stephen Kent
Cc: Mike Jones; Kathleen Moriarty; jose@ietf.org; jose-chairs@tools.ietf.org; draft-ietf-jose-json-web-key.all@tools.ietf.org; secdir@ietf.org
Subject: Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

On Mon, Sep 15, 2014 at 7:56 AM, Stephen Kent <kent@bbn.com> wrote:

Also, in a reply to Tim, I think you argued that people have already implemented JOSE and so
we ought not make any changes at this late stage. If that's what you said, I disagree emphatically.
The IETF always warns implementers that specs may change until an RFC is published, and thus
one implements a pre-RFC spec at risk.

No; in theory I would entirely support requiring receivers of malformed messages to reject them.

In practice, it’s problematic to say that the format is JSON, and then to require any particular policy concerning duplicate keys, because existing software generally doesn’t handle them in a consistent manner, and in particular may not even inform receiving software that dupes existed.




Steve




--
- Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
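
The duplicate-member behaviour discussed in this thread, as an added example that is not part of the original messages: Python's standard `json` module silently keeps the last duplicate, a first-wins parser would yield a different key from the same bytes, and a strict receiver has to hook the parser to see duplicates at all. The sample JWK strings and the function names are constructed for illustration.

```python
import json

# Constructed samples: a JWK-like object that repeats "kty" and "n", and a clean one.
DUPLICATED_JWK = '{"kty":"RSA","n":"AAAA","e":"AQAB","kty":"oct","n":"BBBB"}'
CLEAN_JWK = '{"kty":"RSA","n":"AAAA","e":"AQAB"}'


class DuplicateMemberError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # json calls this hook once per JSON object (nested ones included) with the
    # members in document order, before duplicates have been collapsed.
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise DuplicateMemberError(f"duplicate member name: {name!r}")
        seen[name] = value
    return seen


def _keep_first(pairs):
    # Emulates a parser that keeps the first occurrence of a member name.
    out = {}
    for name, value in pairs:
        out.setdefault(name, value)
    return out


def parse_lenient(text):
    """Default json behaviour: the last duplicate wins and the caller is not told."""
    return json.loads(text)


def parse_first_wins(text):
    """Same input, opposite policy: the first duplicate wins."""
    return json.loads(text, object_pairs_hook=_keep_first)


def parse_strict(text):
    """Rejects any object, at any nesting depth, that repeats a member name."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


if __name__ == "__main__":
    print("last wins :", parse_lenient(DUPLICATED_JWK))
    print("first wins:", parse_first_wins(DUPLICATED_JWK))
    try:
        parse_strict(DUPLICATED_JWK)
    except DuplicateMemberError as exc:
        print("strict    :", exc)
```

Two receivers that differ only in parser policy end up with different key types and key material from the same message, which is why a rejection rule is only enforceable where the parser exposes duplicates.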