IETF Logo Mail Archive

Re: [jose] Header criticality -- hidden consensus?

Richard Barnes <rlb@ipv.sx> Fri, 08 February 2013 23:46 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1875621F8BEF for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 15:46:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.39
X-Spam-Level:
X-Spam-Status: No, score=-2.39 tagged_above=-999 required=5 tests=[AWL=0.586, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C1Fafh6P-D1K for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 15:46:40 -0800 (PST)
Received: from mail-lb0-f178.google.com (mail-lb0-f178.google.com [209.85.217.178]) by ietfa.amsl.com (Postfix) with ESMTP id 954CA21F8B73 for <jose@ietf.org>; Fri, 8 Feb 2013 15:46:39 -0800 (PST)
Received: by mail-lb0-f178.google.com with SMTP id n1so3409214lba.9 for <jose@ietf.org>; Fri, 08 Feb 2013 15:46:38 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=03PtW+DRJyRrhWxbzZQT+NntRxTMpOPl9pxvndDVJ7U=; b=F7MhUojfpqwzNlMN/aZzlIrZgOg4/j+2sNNqjldo/Omm4it+CPl/tWO9rtUYRupYqX b9fHa7QZ9NWprcOxlKyXYuDLi3Tqo+KtgqZM6uZJo2r6jXgAwwnwlqVOgba4mNT/9McH 38f+ETK8La/mvwnn0pYJbhO1oy98WnlZrgr/pmuoS7itYepknJmiPLLj+9sNbuLu78Kl sFyKpxMkVixIV7676f5FDauYxomylWWe5W9udty/lsEbDoqYiqTHbuYdSVGeGrW39ODW hsFF8Lve4nwM6CH1Eo6Hky72IMdlRAT43J/3V2efK+0RVnJPi2AL+vC/skTcrgFkwOWL a8lw==
MIME-Version: 1.0
X-Received: by 10.112.47.168 with SMTP id e8mr2956955lbn.46.1360367198422; Fri, 08 Feb 2013 15:46:38 -0800 (PST)
Received: by 10.112.147.164 with HTTP; Fri, 8 Feb 2013 15:46:38 -0800 (PST)
X-Originating-IP: [192.1.51.63]
In-Reply-To: <CA+k3eCSbtSTT55J=jOhEQBTDeyu7TM35F_tswt-bKAdd4-VkJw@mail.gmail.com>
References: <CAL02cgRxeS-DomWzVBmoqzps57jgvrUSLn5nrFtqcrTD1wQa=g@mail.gmail.com> <CA+k3eCSbtSTT55J=jOhEQBTDeyu7TM35F_tswt-bKAdd4-VkJw@mail.gmail.com>
Date: Fri, 08 Feb 2013 18:46:38 -0500
Message-ID: <CAL02cgRcHcZBd6dt2vLFfByCRKxTMqhzf2FyMety0qcsg2c+Lw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="bcaec553fde0a0495504d53f2b06"
X-Gm-Message-State: ALoCoQkif3jysKwYp2K7A2ODaMsAcQapXVsalgVP4CRgbifcizFZ9OQ2H5FefwpNKasmyVyXJLx6
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Header criticality -- hidden consensus?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2013 23:46:41 -0000

Sorry about that!  But you're in the "No" camp anyway, so it doesn't really
change the outcome here.


On Fri, Feb 8, 2013 at 6:34 PM, Brian Campbell
<bcampbell@pingidentity.com>wrote:

> FWIW, I didn't see my name on the tabulation but I did 'vote'
> http://www.ietf.org/mail-archive/web/jose/current/msg01461.html
>
>
> On Fri, Feb 8, 2013 at 4:11 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
>> We're 24 votes into the header criticality poll, so I thought I would go
>> ahead and take a look at how the results are shaping up.  My initial
>> tabulation is below.  The result on the FIRST POLL (the main one) is as
>> follows:
>>
>> No: 10
>> Yes: 14
>>
>> What I find striking, however, is that every single person that voted
>> "Yes" on the FIRST POLL also voted "Yes" on the SECOND POLL.  So nobody who
>> thinks that all headers should be critical thinks that a JOSE library
>> should actually be required to enforce this constraint.  And that means
>> that enforcing that all headers are supported cannot be a MUST according to
>> RFC 2119.
>>
>> So I wonder if there's consensus to remove the following text from JWE
>> and JWS:
>> -----BEGIN-JWE-----
>>    4.   The resulting JWE Header MUST be validated to only include
>>         parameters and values whose syntax and semantics are both
>>         understood and supported.
>> -----END-JWE-----
>> -----BEGIN-JWS-----
>>    4.  The resulting JWS Header MUST be validated to only include
>>        parameters and values whose syntax and semantics are both
>>        understood and supported.
>> -----END-JWS-----
>>
>> Otherewise, a JOSE library conforming to these specifications would be
>> REQUIRED (a synonym to MUST in 2119) to reject a JWE/JWS that contains an
>> unknown header, contradicting all those "Yes" votes on the SECOND POLL.
>>
>> --Richard
>>
>>
>>
>> -----BEGIN-Tabulation-----
>> 1       2       3    Name:
>> N       -       -    Bradley
>> N       -       -    Ito
>> N       N       A    Yee
>> N       N       B    Barnes
>> N       N       B    Rescorla
>> N       N       C    Manger
>> N       N       C    Octman
>> N       Y       A    Fletcher
>> N       Y       A    Miller
>> N       Y       A    Sakimura
>> Y       Y       -    D'Agostino
>> Y       Y       A    Biering
>> Y       Y       A    Brault
>> Y       Y       A    Hedberg
>> Y       Y       A    Jay
>> Y       Y       A    Jones
>> Y       Y       A    Marais
>> Y       Y       A    Nadalin
>> Y       Y       A    Nara
>> Y       Y       A    Nennker
>> Y       Y       A    Solberg
>> Y       Y       B    Hardt
>> Y       Y       B    Medeiros
>> Y       Y       C    Matake
>> Y       Y       C    Mishra
>> -----END-Tabulation-----
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>>
>

v2.23.0 | Report a Bug | By Email