[jose] Question about "crit" header parameter

"Seraphin, Vinod" <Vinod.Seraphin@pega.com> Mon, 21 October 2019 17:31 UTC

From: "Seraphin, Vinod" <Vinod.Seraphin@pega.com>
To: "jose@ietf.org" <jose@ietf.org>
Date: Mon, 21 Oct 2019 17:31:16 +0000
Message-ID: <EF986837-2FE4-481A-8A33-870789171C55@pega.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/HCCuQw-ZdFyAL3WG-MP5jBJ1kBc>
Subject: [jose] Question about "crit" header parameter

Can this header be used to designate which claims within the payload are deemed mandatory? The desire is to have any token verification fail if such a specified list of mandatory claims is not found within the payload.

Our security team has currently implemented such a feature by utilizing the “crit” header to contain this list of mandatory claims. I’ve recently found that the jose library fails any validation attempt of our token as it doesn’t find matching parameters for each of the crit array elements within the header portion of the token (the parameters are only within the payload at present), and the author has informed me that his interpretation of RFC 7515 is that any values within the crit array MUST also be in the header. There is an example in section 4.1.11 that tries to make “exp” mandatory and shows “exp” alongside other header parameters. There is no mention of whether in such an example the “exp” would also be repeated within the payload or not. What would be the expectation?

If “crit” is not meant to convey mandatory parameters, are there any other standardization efforts for designating mandatory claims within a token?

Thanks
- Vinod


Vinod Seraphin | Senior Fellow Engineer, Emerging Technologies | Pegasystems Inc.
Office: (617) 528.5272 | E-Mail: vinod.seraphin@pega.com | LinkedIn: https://www.linkedin.com/in/vinodseraphin | www.pega.com
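Added example, not part of the original mail and not code from any jose library: a small Python verifier that applies the RFC 7515 section 4.1.11 rules for "crit" to the protected header (names must be present in the header and understood, must not be registered JWS/JWA names, no empty list or duplicates), and runs a separate mandatory-claims check on the payload as the verifier's own policy rather than through "crit". The function names, the registered-name set and the sample token are assumptions and constructed for illustration.

```python
import base64
import json

# Names registered for JWS by RFC 7515 and RFC 7518 (JWA); RFC 7515 s4.1.11
# says producers MUST NOT list these in "crit".
JWS_REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
                  "typ", "cty", "crit"}

class InvalidJWS(ValueError): pass

def b64url(obj) -> str:
    # Unpadded base64url of a JSON object (RFC 7515 s2), used to build samples.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_crit(protected: dict, understood: set) -> list:
    """RFC 7515 s4.1.11 rules on the decoded protected header; returns the
    critical names, or [] when "crit" is absent."""
    if "crit" not in protected:
        return []
    crit = protected["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        raise InvalidJWS('"crit" must be a non-empty array of strings')
    if len(set(crit)) != len(crit):
        raise InvalidJWS('"crit" must not contain duplicate names')
    for name in crit:
        if name in JWS_REGISTERED:
            raise InvalidJWS(f'"crit" must not list registered parameter {name!r}')
        if name not in protected:  # the failure from the question: payload-only names
            raise InvalidJWS(f'critical parameter {name!r} is not in the protected header')
        if name not in understood:
            raise InvalidJWS(f'critical parameter {name!r} is not understood')
    return crit

def verify_structure(compact_jws: str, understood=(), required_claims=()):
    """check_crit on the header plus a mandatory-claims policy on the payload;
    returns None when both pass, else the reason. Signature check is assumed elsewhere."""
    try:
        h, p, _sig = compact_jws.split(".")  # ValueError unless three segments
        protected, payload = b64url_decode(h), b64url_decode(p)
        check_crit(protected, set(understood))
    except ValueError as exc:  # InvalidJWS, bad segment count, malformed base64/JSON
        return str(exc)
    missing = sorted(set(required_claims) - set(payload))  # verifier's own policy
    return f"missing mandatory claims: {missing}" if missing else None

# Constructed sample in the question's shape: "exp" in "crit" but only in the payload; sig is a placeholder.
SAMPLE = b64url({"alg": "ES256", "crit": ["exp"]}) + "." + b64url({"exp": 1363284000}) + ".sig"
```

Running `verify_structure(SAMPLE, understood={"exp"})` reproduces the rejection described in the mail, while a header shaped like the RFC example (with "exp" in the protected header) passes the "crit" check and leaves required claims to the payload policy.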