Re: [jose] #36 (json-web-signature): Algorithm "none" should be removed

"jose issue tracker" <trac+jose@zinfandel.tools.ietf.org> Thu, 14 August 2014 08:13 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/jose/JGLhiW5SQvGtpXsivB7kAL2i7bk

#36: Algorithm "none" should be removed

Description changed by odonoghue@isoc.org:

Old description:

> Rather than having an algorithm none, this should be a degenerate case of
> JWS that is defined by and detected in the JWS specification.  I would
> suggest that we define it as being - if the "alg" and "enc" items are
> absent, then there is no signature on the message.  This would still
> allow the "zip" item to be present on the message to give you both a data
> carrying JOSE object and allow for compression.  Additionally one could
> define a new typ value of "DATA" to indicate that we are just carrying a
> payload and it is not actually a JWS object.

New description:

 Rather than having an algorithm none, this should be a degenerate case of
 JWS that is defined by and detected in the JWS specification.  I would
 suggest that we define it as being - if the "alg" and "enc" items are
 absent, then there is no signature on the message.  This would still allow
 the "zip" item to be present on the message to give you both a data
 carrying JOSE object and allow for compression.  Additionally one could
 define a new typ value of "DATA" to indicate that we are just carrying a
 payload and it is not actually a JWS object.

 Note: There was extensive discussion on the mailing list, and the rough
 consensus of the working group was to leave "none" in the document.

-- 
---------------------------------------------------------------------------
  Reporter:  ietf@augustcellars.com
     Owner:  draft-ietf-jose-json-web-signature@tools.ietf.org
      Type:  defect
    Status:  closed
  Priority:  major
 Milestone:
 Component:  json-web-signature
   Version:
Resolution:  fixed
  Severity:  -
  Keywords:
---------------------------------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/36#comment:6>
jose <http://tools.ietf.org/jose/>
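
Added example, not part of the ticket or of the JWS draft: a small Python verifier for the JWS compact serialization that accepts an "alg":"none" object only when the caller explicitly opts in, and never treats a missing "alg" (the degenerate form proposed in the ticket) as valid. The function names, the HS256-only support, the key and the payload are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64u_enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, payload: bytes, key: bytes = b"") -> str:
    """Build a constructed sample token; signs only when alg is HS256."""
    signing_input = b64u_enc(json.dumps(header).encode()) + "." + b64u_enc(payload)
    sig = b""
    if header.get("alg") == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u_enc(sig)

def verify(token: str, key: bytes, allow_unsecured: bool = False) -> bytes:
    """Return the payload, or raise ValueError. Unsecured input needs explicit opt-in."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h64, p64, s64 = parts
    header = json.loads(b64u_dec(h64))
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg == "HS256":
        expected = hmac.new(key, (h64 + "." + p64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_dec(s64)):
            raise ValueError("signature mismatch")
        return b64u_dec(p64)
    # Exact match only: "None", "NONE" or a missing "alg" never count as "none",
    # and an unsecured object must carry an empty signature part.
    if alg == "none" and allow_unsecured and s64 == "":
        return b64u_dec(p64)
    raise ValueError("rejected alg: %r" % (alg,))

def accepted(token: str, key: bytes, **kw) -> bool:
    try:
        verify(token, key, **kw)
        return True
    except ValueError:
        return False

KEY = b"constructed-demo-key"                 # constructed sample key
BODY = b'{"sub":"alice"}'                     # constructed sample payload
SIGNED = make_token({"alg": "HS256"}, BODY, KEY)
UNSECURED = make_token({"alg": "none"}, BODY)
NO_ALG = make_token({"typ": "DATA"}, BODY)    # the ticket's proposed degenerate form
```

The opt-in is per call, so a code path that expects signed objects cannot be handed an unsecured one by changing only the header.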