Re: [jose] Whether implementations must understand all JOSE header fields

"Jim Schaad" <ietf@augustcellars.com> Wed, 26 December 2012 22:03 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B86721F8D0B for <jose@ietfa.amsl.com>; Wed, 26 Dec 2012 14:03:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.595
X-Spam-Level:
X-Spam-Status: No, score=-1.595 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, TRACKER_ID=2.003]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZZxzaf1TLn3 for <jose@ietfa.amsl.com>; Wed, 26 Dec 2012 14:03:02 -0800 (PST)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id 9A40D21F8CE0 for <jose@ietf.org>; Wed, 26 Dec 2012 14:03:02 -0800 (PST)
Received: from Philemon (unknown [64.122.12.77]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id C0DB638EFD; Wed, 26 Dec 2012 14:03:01 -0800 (PST)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Mike Jones'" <Michael.Jones@microsoft.com>, <jose@ietf.org>
References: <4E1F6AAD24975D4BA5B168042967394366929F63@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394366929F63@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Wed, 26 Dec 2012 14:02:46 -0800
Message-ID: <002d01cde3b4$bd464590$37d2d0b0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_002E_01CDE371.AF2639E0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIu1NOwxvsFfhrE3kb42icQdthreZdpv7Gw
Content-Language: en-us
Subject: Re: [jose] Whether implementations must understand all JOSE header fields
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Dec 2012 22:03:05 -0000

This does not include my recommended approach which is to punt the issue of
required headers to the application rather than JOSE.

 

Jim

 

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike
Jones
Sent: Friday, December 14, 2012 10:17 AM
To: jose@ietf.org
Subject: [jose] Whether implementations must understand all JOSE header
fields

 

Currently the JOSE specs contain the following language declaring that all
header (and some other) fields must be understood:  "Implementations MUST
understand the entire contents of the header; otherwise, the . MUST be
rejected."  There's currently an open issue about whether all header fields
should be required to be understood by implementations using them or whether
to relax this requirement in some circumstances.  We would like the working
group to consider the following potential resolutions to the issue.

 

1.  Maintain the current requirement that all header fields must be
understood by implementations using them.

 

PRO:  This is a simple rule designed to result in secure implementations.
Representations of existing JWS & JWE objects are unchanged.

CON:  Extensibility is limited to cases where all participating parties
understand new fields that are introduced.

 

2A.  Take an alternative approach where, by default, all fields must be
understood, but where an explicit list of fields can be designated as "may
be ignored if not understood".  For instance, an "ign" (may be ignored)
member could be defined whose value is an array listing the member names
that may be safely ignored if not understood.  An example using this field
in a JWS header is:

 

    {"alg":"ES256",

     "ign":["notes"],

     "notes":"This signature need not be checked when the moon is full"

    }

 

(Obviously, the "ign" field MUST NOT contain the value "ign".)

 

PRO:  This would enable adding non-critical header fields without breaking
implementations.  It would maintain the current semantics, while allowing
explicit exceptions to be made in cases where the fields are not
security-critical and the structure has a meaningful interpretation without
them.  Representations of existing JWS & JWE objects are unchanged.

CON:  Requires coordination of field names and may-be-ignored list, adding
some implementation complexity.

 

2B.  Take an alternative approach where instead of one header object, there
would be two header objects.  Implementations would be required to
understand all fields in the first header object.  Implementations would be
allowed to ignore fields in the second header object if not understood.  An
example of this approach, adding the second header object after the first in
a JWS, would be:

 

    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9

    .

 
eyJub3RlcyI6IlRoaXMgc2lnbmF0dXJlIG5lZWQgbm90IGJlIGNoZWNrZWQgd2hlbiB0aGUgbW9v
biBpcyBmdWxsIn0

    .

 
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9p
c19yb290Ijp0cnVlfQ

    .

    dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

 

The first, third, and fourth fields are from the example JWS in the current
spec. The new second field is the base64url encoded representation of the
string '{"notes":"This signature need not be checked when the moon is
full"}'.

 

PRO:  May-be-ignored fields are easily distinguishable from
must-be-understood fields.

CON:  Implementations must consult/merge two sets of headers to understand
the meaning/structure of the object, adding some implementation complexity.
Existing JWS & JWE object representations would become invalid.

 

After a discussion period, we believe that it would be useful for the chairs
to make two formal consensus calls of the following kind:

 

FIRST POLL:  Should all header fields be critical for implementations to
understand?

YES - All header fields must continue to be understood by implementations or
the input must be rejected.

NO - A means of listing that specific header fields may be safely ignored
should be defined.

 

SECOND POLL:  Should the result of the first poll be "NO", which syntax
would you prefer for designating the header fields that may be ignored if
not understood?

A - Define a header field that explicitly lists the fields that may be
safely ignored if not understood.

B - Introduce a second header, where implementations must understand all
fields in the first but they may ignore not-understood fields in the second.

 

                                                Thanks for considering these
questions,

                                                Richard Barnes, John
Bradley, Mike Jones