Re: [jose] POLL(s): header criticality

I'll second James' vote:

1. NO
2. NO
3. C -- one critical field; the definition of each value for this
field implies what else you need to understand; if you want to add a
new field that MUST be understood, just use a new value for the one
critical field.

Cheers,

Dirkjan

On Thu, Feb 7, 2013 at 12:04 PM, Manger, James H
<James.H.Manger@team.telstra.com> wrote:
> 1. NO
>
> 2. NO
>
> 3. C -- one critical field; the definition of each value for this field
> implies what else you need to understand; if you want to add a new field
> that MUST be understood, just use a new value for the one critical field.
>
>
>
>
>
> I second Richard's comment about YES to 2.
>
> What would a JOSE library API look like if all fields MUST be understood by
> “the system”? Does the “top” layer tell the library what it understands;
> does the library return a list of unrecognized fields?
>
>
>
> --
>
> James Manger
>
>
>
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> Richard Barnes
> Sent: Thursday, 7 February 2013 6:02 AM
> To: odonoghue@isoc.org; jose@ietf.org
>
>
> Subject: Re: [jose] POLL(s): header criticality
>
>
>
> tl;dr:
>
> FIRST POLL:   NO
> SECOND POLL:  NO
> THIRD POLL:   B
>
> Further notes:
>
> On SECOND POLL: Voting "Yes" on the SECOND POLL is equivalent to voting "NO"
> on the FIRST POLL.  If the requirement isn't placed on any particular
> element of the system, then nobody will implement it, and there will be no
> control.
>
> On THIRD POLL: I don't care all that much about the specific syntax, but I
> have a strong preference that these non-critical fields be excluded from the
> integrity check that is applied to the header.  So I would prefer something
> like what Dick suggested, but encoded as a separate element of a JW* object.
> As Breno notes, this can be done in a backwards compatible way.  (I voted
> "B" because I understood "A" to imply something like Mike's earlier
> proposal, which would have just had a list of field names.)
>
> In any case, I would encourage the chairs to focus on the first poll, and
> view any results in the second and third as informative for further
> discussion of wording or syntax.
>
>
>
>
>
> On Wed, Feb 6, 2013 at 1:47 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>
> FIRST POLL:  NO
>
> SECOND POLL:  YES
> THIRD POLL:  A
>
>
>
> 2013/2/4 Karen O'Donoghue <odonoghue@isoc.org>
>
> Folks,
>
> I am wrestling with how to help drive consensus on the topic of criticality
> of headers. For background, please review the current specification text,
> the minutes to the Atlanta meeting (IETF85), and the mailing list
> (especially the discussion in December with (Subj: Whether implementations
> must understand all JOSE header fields)). We need to come to closure on this
> issue in order to progress the specifications.
>
> As a tool to gather further information on determining a way forward, the
> following polls have been created. Please respond before 11 February 2013.
>
> Thanks,
> Karen
>
> *******************
> FIRST POLL: Should all header fields be critical for implementations to
> understand?
>
> YES – All header fields must continue to be understood by implementations or
> the input must be rejected.
>
> NO – A means of listing that specific header fields may be safely ignored
> should be defined.
>
> ********************
> SECOND POLL: Should the result of the first poll be "YES", should text like
> the following be added? “Implementation Note: The requirement to understand
> all header fields is a requirement on the system as a whole – not on any
> particular level of library software. For instance, a JOSE library could
> process the headers that it understands and then leave the processing of the
> rest of them up to the application. For those headers that the JOSE library
> didn’t understand, the responsibility for fulfilling the ‘MUST understand’
> requirement for the remaining headers would then fall to the application.”
>
> YES – Add the text clarifying that the “MUST understand” requirement is a
> requirement on the system as a whole – not specifically on JOSE libraries.
>
> NO – Don’t add the clarifying text.
>
> ************************
> THIRD POLL: Should the result of the first poll be "NO", which syntax would
> you prefer for designating the header fields that may be ignored if not
> understood?
>
> A – Define a header field that explicitly lists the fields that may be
> safely ignored if not understood.
>
> B – Introduce a second header, where implementations must understand all
> fields in the first but they may ignore not-understood fields in the second.
>
> C - Other??? (Please specify in detail.)
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
>
>
>
> --
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>