[jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)

Brian Campbell <bcampbell@pingidentity.com> Mon, 08 September 2014 16:10 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 09B8C1A88AE for <jose@ietfa.amsl.com>; Mon, 8 Sep 2014 09:10:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id o_QAOES85CdX for <jose@ietfa.amsl.com>; Mon, 8 Sep 2014 09:10:57 -0700 (PDT)
Received: from na6sys009bog019.obsmtp.com (na6sys009bog019.obsmtp.com []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57F401A88AC for <jose@ietf.org>; Mon, 8 Sep 2014 09:10:56 -0700 (PDT)
Received: from mail-ig0-f173.google.com ([]) (using TLSv1) by na6sys009bob019.postini.com ([]) with SMTP ID DSNKVA3VD6evynlaY3g7n5RfQyNmbyXgoXV6@postini.com; Mon, 08 Sep 2014 09:10:56 PDT
Received: by mail-ig0-f173.google.com with SMTP id h18so3011009igc.0 for <jose@ietf.org>; Mon, 08 Sep 2014 09:10:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=uuv/49iVYSChMtiBCB0n6CimZAflL9W7lSDBtbzd4+I=; b=Gem5EcRhn907ZsVbcHde3aqzfc9PXOLhdUzHnzVaYuFtCkYYFDFyCD9VfmJ2YHfHbn 187LgIsuL3SYJZTF/TOIszoU56LHZeCj9ZDvSVhv3GxLvtg8jy28k1g6TbTmBwMXipZL Y/yIKbTvpSVjK8wp3k+f52MnfEfRXchoZiiDtXb6V0krmL5a+4DoY/XrFaBtIAyvEhzJ G+mWLoTVhoAfzJ3m4peJAxrKYOopGysNCTOTwqOSG2iLg/LgHLEbgelvakWsxbYGazKE p25Gzt6BZH8rubdekq9JnM6f0lqtsKXioqnBmBs7M6khKgKPmy0/yGszVWFc19DeEmQF JQ2A==
X-Gm-Message-State: ALoCoQmjAZRYssNvXTKbV1SuTMdVJSEOqQn1Gr2oURkjxIY/Xr3pItfN9pubcLd5tIRhZh5Zr8OCbzCk982bSbBnLbZS6NNcsQ2fwpNRAPGRmC0RfxHl0A/8OqUi3EAgH5EHDS0agVkf
X-Received: by with SMTP id 8mr9009672ics.57.1410192650265; Mon, 08 Sep 2014 09:10:50 -0700 (PDT)
X-Received: by with SMTP id 8mr9009655ics.57.1410192650158; Mon, 08 Sep 2014 09:10:50 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 8 Sep 2014 09:10:19 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 08 Sep 2014 10:10:19 -0600
Message-ID: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a1134476cfa619c0502900fd8"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/AuYHBM4McN9ELhfg_vSRmWEbIHk
Cc: "draft-ietf-oauth-json-web-token.all@tools.ietf.org" <draft-ietf-oauth-json-web-token.all@tools.ietf.org>, Warren Kumari <warren@kumari.net>, "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2014 16:10:59 -0000

cc'ing JOSE on a minor JWT review comment that might impact JWS/JWA.

I agree that "plaintext” is not the most intuitive wording choice and that
"unsecured" might better convey what's going on with the "none" JWS

Mike mentioned that, if this change is made in JWT, there are parallel
changes in JWS. But note that there are also such changes in JWA (more than
in JWS actually).

On Fri, Sep 5, 2014 at 6:28 PM, Mike Jones <Michael.Jones@microsoft.com>

>  -----Original Message-----
> From: Warren Kumari [mailto:warren@kumari.net]
> Sent: Monday, September 01, 2014 3:40 PM
> To: secdir@ietf.org; draft-ietf-oauth-json-web-token.all@tools.ietf.org
> Subject: Review of: draft-ietf-oauth-json-web-token
> I'm a little confused by something in the Terminology section (Section 2):
> Plaintext JWT
> A JWT whose Claims are not integrity protected or encrypted.
> The term plaintext to me means something like "is readable without
> decrypting / much decoding" (something like, if you cat the file to a
> terminal, you will see the information). Integrity protecting a string
> doesn't make it not easily readable. If this document / JOSE uses
> "plaintext" differently (and a quick skim didn't find anything about
> this) it might be good to clarify. Section 6 *does* discuss plaintext
> JWTs, but doesn't really clarify the (IMO) unusual meaning of the term
> "plaintext" here.
> I’ve discussed this with the other document editors and we agree with you
> that “plaintext” is not the most intuitive wording choice in this context.
> Possible alternative terms are “Unsecured JWT” or “Unsigned JWT”.  I think
> that “Unsecured JWT” is probably the preferred term, since JWTs that are
> JWEs are also unsigned, but they are secured.  Working group – are you OK
> with this possible terminology change?  (Note that the parallel change
> “Plaintext JWS” -> “Unsecured JWS” would also be made in the JWS spec.)