Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)

Mike Jones <> Thu, 02 October 2014 17:11 UTC

From: Mike Jones <>
To: Pete Resnick <>
Thread-Topic: Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)
Date: Thu, 02 Oct 2014 17:09:07 +0000
Cc: Kathleen Moriarty <>, "" <>, The IESG <>, "" <>, "" <>
Subject: Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)

Replies prefixed by "Mike>".

From: Pete Resnick []
Sent: Thursday, October 02, 2014 9:57 AM
To: Mike Jones
Cc: Kathleen Moriarty;; The IESG;
Subject: Re: Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)

On 10/2/14 11:42 AM, Mike Jones wrote:

On 10/2/14 9:37 AM, Kathleen Moriarty wrote:

On Thu, Oct 2, 2014 at 9:20 AM, Pete Resnick wrote:

If there's anything in Section 8 that is not in 4.1.2 and needs to be, fine, move that information into 4.1.2. But TLS is not required globally. It is only required for jku. Section 8 says that TLS is required globally. AFAICT, that's not a requirement.

It is also needed for "x5u" (X.509 URL), at least in some cases.  It's more efficient editorially to have common text about TLS requirements for these multiple uses than to duplicate the text into multiple subsections.

On the telechat, we left this one as needing the WG's help here to figure out exactly where TLS is needed and making sure the requirements are clear rather than a blanket statement.  jku is one spot where it is required and the other is when there is privacy-related data.  Can the WG figure out the full list and then we'll update the draft as such?

We could cite Section 8 from all the places that TLS is used, if you believe that that would help implementers pay attention, Pete.

So long as section 8 says, "Where TLS is used, it MUST do X Y Z", and the "MUST use TLS; see section 8 for how" is in the section with jku (and x5u if needed), that's cool. Just don't say "MUST use TLS" in section 8.

Mike> Sounds good.  Thanks, Pete.

-- Mike

Pete Resnick

Qualcomm Technologies, Inc. - +1 (858)651-4478
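As an added illustration (not part of this thread or of the JWS draft itself), a verifier-side check that enforces the point under discussion: key URLs carried in "jku" or "x5u" are only dereferenced over https, so the fetch is protected by TLS with server authentication. The sample JWS is constructed, and the policy details (an optional host allowlist, rejecting userinfo and fragments) are assumptions made for the example.

```python
import base64
import json
from urllib.parse import urlsplit

# JWS header parameters whose value is a URL a verifier may dereference to
# obtain signing key material; these are the fetches the thread says must be
# protected by TLS ("jku" always, "x5u" in some cases).
KEY_URL_PARAMS = ("jku", "x5u")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode; used here only to build constructed samples."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def protected_header(compact_jws: str) -> dict:
    """Return the decoded JOSE protected header (first dot-separated segment)."""
    return json.loads(b64url_decode(compact_jws.split(".")[0]))


def key_url_problems(header: dict, allowed_hosts: frozenset = frozenset()) -> list:
    """Vet every key URL in a header before anything is fetched.

    Policy assumed for this example: the scheme must be https, so retrieval runs
    over TLS with server authentication; a host must be present and, when an
    allowlist is supplied, must be on it; userinfo and fragments are rejected.
    An empty result means every key URL present is acceptable to dereference.
    """
    problems = []
    for name in KEY_URL_PARAMS:
        url = header.get(name)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            problems.append(f"{name}: scheme {parts.scheme!r} is not https")
        if not parts.hostname:
            problems.append(f"{name}: no host in {url!r}")
        elif allowed_hosts and parts.hostname.lower() not in allowed_hosts:
            problems.append(f"{name}: host {parts.hostname!r} not on allowlist")
        if parts.username is not None or parts.fragment:
            problems.append(f"{name}: userinfo or fragment not permitted")
    return problems


def sample_jws(header: dict) -> str:
    """Constructed compact JWS with the given header, a stub payload and an empty signature."""
    return ".".join([b64url_encode(json.dumps(header).encode()), b64url_encode(b"{}"), ""])
```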