Re: [jose] Whether implementations must understand all JOSE header fields

Mike Jones <> Thu, 20 December 2012 01:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E324621F8A09 for <>; Wed, 19 Dec 2012 17:51:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.754
X-Spam-Status: No, score=-2.754 tagged_above=-999 required=5 tests=[AWL=-0.156, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VsTAOloec8w1 for <>; Wed, 19 Dec 2012 17:51:31 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 722FF21F89CB for <>; Wed, 19 Dec 2012 17:51:29 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.586.12; Thu, 20 Dec 2012 01:51:22 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.586.12 via Frontend Transport; Thu, 20 Dec 2012 01:51:21 +0000
Received: from ([]) by ([]) with mapi id 14.02.0318.003; Thu, 20 Dec 2012 01:51:21 +0000
From: Mike Jones <>
To: "Manger, James H" <>, "" <>
Thread-Topic: [jose] Whether implementations must understand all JOSE header fields
Thread-Index: Ac3da4u39ZRiYSLMQBShe+M/5UR54QAALdFQAAH0xRAAByH0sAAkEbRAAApz+pAAAl46sA==
Date: Thu, 20 Dec 2012 01:51:20 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436697AEE2TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454001)(51704002)(5343635001)(54356001)(74662001)(5343655001)(49866001)(77982001)(50986001)(16236675001)(44976002)(31966008)(59766001)(33656001)(56776001)(47446002)(51856001)(16406001)(55846006)(15202345001)(47736001)(512874001)(74502001)(46102001)(47976001)(56816002)(53806001)(54316002)(4396001)(76482001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB012; LANG:en;
X-Forefront-PRVS: 07013D7479
Subject: Re: [jose] Whether implementations must understand all JOSE header fields
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Dec 2012 01:51:32 -0000

The prefix for “alg” values would have exactly the same property as adding a new header parameter.  If the new alg value was not understood, the JWS would be useless to the receiver.  (Just as it would be useless if a new header value was used, if not understood.)  I’m not sure why the former is any more usable than the latter.

                                                                -- Mike

From: Manger, James H []
Sent: Wednesday, December 19, 2012 5:39 PM
To: Mike Jones;
Subject: RE: [jose] Whether implementations must understand all JOSE header fields

> “zip” is a perfect example of indicating a change of semantics with the presence of a new field.  The processing of a JWE without a “zip” field is different than the processing of it with one.  An implementation must understand the field to use the resulting JWE.  The same would be true of any JWS that used a “zip” extension.
> It would never be safe to ignore this field, whether defined as part of the base spec, or defined as an extension later.

I agree.
When I looked at a handful of publicly available JOSE implementations quite a while ago none enforced the “MUST understand everything” rule — so a zip-for-JWS extension would be dangerous for them. One implementation later added code to enforce the rule using one fixed list of all header fields defined in JW* — so a zip-for-JWS extension would be dangerous for that too.

We know the “MUST understand everything” rule makes it hard to deploy non-critical extensions.
It seems to me that the rule also makes it dangerous to deploy critical extensions.
About the only safe way to define a critical extension will be to define a prefix for “alg” values (eg "alg": "zip;RSA1_5"). I hope that isn’t the most practical option we leave for anyone wanting to extend JOSE.

James Manger