IETF Logo Mail Archive

Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-jws-signing-input-options-08: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 17 December 2015 15:39 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8901F1B2ECF; Thu, 17 Dec 2015 07:39:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dCUUZwovHaFB; Thu, 17 Dec 2015 07:39:27 -0800 (PST)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7D6C1B2ECD; Thu, 17 Dec 2015 07:39:26 -0800 (PST)
Received: by mail-wm0-x22d.google.com with SMTP id l126so26926885wml.0; Thu, 17 Dec 2015 07:39:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=BL+rRjWIuJtXd6dmpQrzvNzZ6cdYh7WpGIpJmqtISS0=; b=AVZX4/D1yCNGK7q1QqZGPV0EXFN8Bi+5HYXn7JLGI/rl4CNf9XX4DRg4QyuFBcSKuF yO1gmpOyuXslujFOCGTuoIYKkvfh6PaKiEX5GG4vOveTMo/Hr6Pkbdh+ZD1R8VutJpxz /ZXI7Gg+ph4XOg8X26oW9E2tUMpQJIy4yBHBDbhQ0ce+Y+2OOD/og9qcosO2alCmumjL xfvjA/u/3DCJlUszbNqGNWOfknLh5hrSR6qWdsCF3k7ye9pIh2tRPjw060rB22Gm8QBO yHAUmZwDz5trlMbKWyf1NPgpygvqoh6xoLGDvBH2F526aGztl8OA8o2q3Aqgs2IqnB/m NdoQ==
MIME-Version: 1.0
X-Received: by 10.28.21.204 with SMTP id 195mr4567037wmv.17.1450366765273; Thu, 17 Dec 2015 07:39:25 -0800 (PST)
Received: by 10.28.52.130 with HTTP; Thu, 17 Dec 2015 07:39:25 -0800 (PST)
In-Reply-To: <B8649513-3B05-417F-B551-46FFDA5689C2@ve7jtb.com>
References: <20151217112025.22801.65457.idtracker@ietfa.amsl.com> <BY2PR03MB4429A8A55EB13BCF8227BEBF5E00@BY2PR03MB442.namprd03.prod.outlook.com> <5672B939.4020507@cs.tcd.ie> <BY2PR03MB442F5A1BDF03E7997843CF0F5E00@BY2PR03MB442.namprd03.prod.outlook.com> <5672BD41.3000804@cs.tcd.ie> <2A23B5AE-6E82-4A44-A0D8-3D7970C57438@ve7jtb.com> <B8649513-3B05-417F-B551-46FFDA5689C2@ve7jtb.com>
Date: Thu, 17 Dec 2015 10:39:25 -0500
Message-ID: <CAHbuEH4yrcqmJ0uWvv2iZXZjdKGSOzcAH34i6uU2QpSyuUq=ug@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/DVYXeCNV0Dp9y0XTVReGXoYH24M>
Cc: "jose-chairs@ietf.org" <jose-chairs@ietf.org>, "ietf@augustcellars.com" <ietf@augustcellars.com>, Michael Jones <Michael.Jones@microsoft.com>, "draft-ietf-jose-jws-signing-input-options@ietf.org" <draft-ietf-jose-jws-signing-input-options@ietf.org>, "jose@ietf.org" <jose@ietf.org>, The IESG <iesg@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-jws-signing-input-options-08: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 15:39:29 -0000

On Thu, Dec 17, 2015 at 9:32 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> Sorry I just recounted, it is a extra 20 bytes per message with the encoded header and not 6.
>
> That is a bit more but probably not worth dying over.   I still prefer the smaller option.

If we could get to a consensus on this and which text is preferred,
that would be helpful.

Thanks!
Kathleen


>
> John B.
>
>> On Dec 17, 2015, at 3:04 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>> I prefer making crit only required if the producer is not certain that all potential recipients understand/the extension.
>>
>> However it would not be the end of the world for me from a size perspective if crit was always required.  Trading 6 octets for saving 1/4 of the body size is not a bad trade off.
>>
>> The issue for me is more always requiring something to be sent that is known to not be used.
>>
>> So I am on the not forcing crit side but could live with the consensus if it goes the other way.
>>
>> John B.
>>
>>> On Dec 17, 2015, at 2:48 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>>
>>>
>>> Great. For completeness, the alternative proposed by James Manger
>>> (which I'd also prefer) was:
>>>
>>>  The "crit" Header Parameter MUST be included with "b64" in its set
>>>  of values to ensure the JWS is rejected (instead of being
>>>  misinterpreted) by implementations that do not understand this
>>>  specification.
>>>
>>> My discuss then is asking if, after all this discussion, the WG
>>> prefer the above or that below. I'll take the WG chairs word on what
>>> they conclude as the outcome.
>>>
>>> S.
>>>
>>> On 17/12/15 13:44, Mike Jones wrote:
>>>> Sure, I'm obviously fine asking the working group what they think of the new text.  Working group - this new text at https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-08#section-6 is:
>>>>
>>>>  6.  Using "crit" with "b64"
>>>>
>>>>  If a JWS using "b64" with a value of "false" might be processed by
>>>>  implementations not implementing this extension, then the "crit"
>>>>  Header Parameter MUST be included with "b64" in its set of values to
>>>>  cause such implementations to reject the JWS.  Conversely, if used in
>>>>  environments in which all participants implement this extension, then
>>>>  "crit" need not be included, since its inclusion would have no
>>>>  effect, other than increasing the JWS size and processing costs.
>>>>
>>>>                             Thanks all,
>>>>                             -- Mike
>>>>
>>>>> -----Original Message-----
>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>> Sent: Thursday, December 17, 2015 2:32 PM
>>>>> To: Mike Jones <Michael.Jones@microsoft.com>; The IESG <iesg@ietf.org>
>>>>> Cc: ietf@augustcellars.com; jose-chairs@ietf.org; draft-ietf-jose-jws-signing-
>>>>> input-options@ietf.org; jose@ietf.org
>>>>> Subject: Re: Stephen Farrell's Discuss on draft-ietf-jose-jws-signing-input-
>>>>> options-08: (with DISCUSS and COMMENT)
>>>>>
>>>>>
>>>>> Hiya,
>>>>>
>>>>> On 17/12/15 13:20, Mike Jones wrote:
>>>>>> Thanks for your review, Stephen.  Replies inline below...
>>>>>>
>>>>>>> -----Original Message----- From: Stephen Farrell
>>>>>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Thursday, December 17,
>>>>>>> 2015 12:20 PM To: The IESG <iesg@ietf.org> Cc:
>>>>>>> draft-ietf-jose-jws-signing-input-options@ietf.org; Mike Jones
>>>>>>> <Michael.Jones@microsoft.com>; Jim Schaad <ietf@augustcellars.com>;
>>>>>>> jose-chairs@ietf.org; ietf@augustcellars.com; jose@ietf.org Subject:
>>>>>>> Stephen Farrell's Discuss on draft-ietf-jose-jws-signing-input-
>>>>>>> options-08: (with DISCUSS and COMMENT)
>>>>>>>
>>>>>>> Stephen Farrell has entered the following ballot position for
>>>>>>> draft-ietf-jose-jws-signing-input-options-08: Discuss
>>>>>>>
>>>>>>> When responding, please keep the subject line intact and reply to all
>>>>>>> email addresses included in the To and CC lines. (Feel free to cut
>>>>>>> this introductory paragraph, however.)
>>>>>>>
>>>>>>>
>>>>>>> Please refer to
>>>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for more
>>>>>>> information about IESG DISCUSS and COMMENT positions.
>>>>>>>
>>>>>>>
>>>>>>> The document, along with other ballot positions, can be found
>>>>>>> here:
>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-jose-jws-signing-input-op
>>>>>>> tions/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> ----------------------------------------------------------------------
>>>>>>> DISCUSS:
>>>>>>> ---------------------------------------------------------------------
>>>>>>> -
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> The "crit" point raised in the gen-art review and maybe elsewhere is I think
>>>>>>> correct but I don't think section 6 of -08 is a good resolution of
>>>>>>> this topic. However, I'll clear if this is the WG consensus but it's
>>>>>>> hard to know that's the case for text just added yesterday. To
>>>>>>> resolve this discuss we just need to see what the WG list says about
>>>>>>> the new text.
>>>>>>
>>>>>> Jim's shepherd write-up at
>>>>>> https://datatracker.ietf.org/doc/draft-ietf-jose-jws-signing-input-opt
>>>>>> ions/shepherdwriteup/ records the working group's desire to not
>>>>>> require the use of "crit"
>>>>>> when it isn't needed.  He wrote:
>>>>>>
>>>>>> "(6)  The fact that there are two different versions of encoding that
>>>>>> produce the same text string for signing is worrisome to me.  The WG
>>>>>> had the ability to address this when producing the JWS specification
>>>>>> and decided not to do so that time.  In this document, the desire to
>>>>>> allow for things to be smaller has lead to the fact that the b64 and
>>>>>> crit headers can be omitted as being implicit.  This was the desire of
>>>>>> the WG, but I personally feel that it is the wrong decision."
>>>>>
>>>>> Fair enough, so the chair/shepherd, gen-art reviewer and seems like a few
>>>>> IESG members all find the current position unconvincing as does the one
>>>>> implementer who posted to the WG list since the new text was added.
>>>>> Wouldn't you agree there's enough there to justify asking the WG once more
>>>>> what they think about that 13 byte overhead to prevent interop and maybe
>>>>> even security problems?
>>>>>
>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> -
>>>>>>>
>>>>>>>
>>>>> COMMENT:
>>>>>>> ---------------------------------------------------------------------
>>>>>>> -
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> - abstract: the description of the update to 7519 is odd. It seems to be saying
>>>>>>> "Here we define a thing. This specification updates 7519 to say you
>>>>>>> must not use this thing." but prohibiting is an odd verb to use
>>>>>>> there. (Since it wasn't previously there to be allowed or not.)
>>>>>>
>>>>>> Would you like this text better?
>>>>>>
>>>>>> "This specification updates RFC 7519 by stating that JSON Web Tokens
>>>>>> (JWTs) MUST NOT use the unencoded payload option defined by this
>>>>>> specification."
>>>>>
>>>>> Better yep. Thanks.
>>>>>
>>>>>>
>>>>>> Or do you think this spec doesn't need to have the "Updates 7519"
>>>>>> clause at all?  People seemed split on whether this was needed or not.
>>>>>
>>>>> Happens all the time. Personally I mostly don't care about updates which is
>>>>> the case this time too:-)
>>>>>
>>>>>>
>>>>>>> - section 6: "It is intended that application profiles specify up
>>>>>>> front whether" "intended" is very wishy washy and "up front" makes no
>>>>>>> sense at all.
>>>>>>
>>>>>> How about this wording change? "It is intended that application
>>>>>> profiles specify up front whether" -> "Application profiles should
>>>>>> specify whether"
>>>>>
>>>>> Also better,
>>>>> Ta,
>>>>> S.
>>>>>
>>>>>
>>>>>>
>>>>>> Thanks again, -- Mike
>>>>>>
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/jose
>>>>
>>>
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>>
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email