Re: [jose] Feedback request on jose tracker issue #8: Should we add a "spi" header field?

Nat Sakimura <sakimura@gmail.com> Sat, 20 April 2013 15:03 UTC

References: <A3598C19-D882-46B3-92FB-A203BF1BE585@vigilsec.com> <4E1F6AAD24975D4BA5B1680429673943676776F8@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgSO4DQ9-zJspFMy2LcaFH8Y64kvJ5wc5vyfi7BrudvmEw@mail.gmail.com> <0072E7B1-1CD4-46DB-8954-52E795B5C861@vigilsec.com> <4E1F6AAD24975D4BA5B16804296739436767934E@TK5EX14MBXC284.redmond.corp.microsoft.com> <F0E0420E-6259-4446-A0EA-78A76FF743E5@ve7jtb.com>
From: Nat Sakimura <sakimura@gmail.com>
In-Reply-To: <F0E0420E-6259-4446-A0EA-78A76FF743E5@ve7jtb.com>
Date: Sat, 20 Apr 2013 22:54:12 +0900
Message-ID: <-5894109702243771834@unknownmsgid>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, Russ Housley <housley@vigilsec.com>, "jose@ietf.org" <jose@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>
Subject: Re: [jose] Feedback request on jose tracker issue #8: Should we add a "spi" header field?

+1

=nat via iPhone

On Apr 20, 2013, at 3:34, John Bradley <ve7jtb@ve7jtb.com> wrote:

Yes, using "alg":"spi" is cleaner and allowed by the current spec.  I am not
keen on omitting alg as a flag.

On 2013-04-19, at 3:10 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

BTW, in terms of a “dedicated flag”, I’d previously suggested to Richard in
private communication that one way for the SPI spec to do this cleanly would
be to use “alg”: “spi”, rather than omitting the “alg” field entirely.  The
“spi” value would then be registered by the SPI spec in the algorithms
registry - pointing back to the SPI spec.

I personally think that this is cleaner than just omitting “alg”, since it
maintains the invariant that all JWS and JWE representations have an “alg”
value that is used to determine the processing rules.

Cheers,
-- Mike

*From:* Russ Housley [mailto:housley@vigilsec.com]
*Sent:* Friday, April 19, 2013 10:51 AM
*To:* Richard Barnes; Mike Jones
*Cc:* Karen O'Donoghue; jose@ietf.org
*Subject:* Re: [jose] Feedback request on jose tracker issue #8: Should we
add a "spi" header field?

+1


On Apr 19, 2013, at 1:42 PM, Richard Barnes wrote:


In principle, you could use the omission of the "alg" field as a signal
that pre-negotiation is going on.  However, that seems like not the most
useful way to do it, and it conflicts with current practice -- namely the
examples currently in the JWE and JWS specs.  Those examples use
pre-negotiation, but they also have an "alg" field.  It's not very useful
because it doesn't provide the recipient any clue about how to populate the
missing fields.  There's a semantic mismatch here as well, since a JWE
with pre-negotiation is still a JWE, just an incomplete one.

A dedicated flag field like SPI provides a clearer indication, and it also
provides a hook that out-of-band protocols can use to connect in the
pre-negotiated parameters.

--Richard



On Fri, Apr 19, 2013 at 12:06 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:
Russ, I'm curious why you say that the "spi" field needs to be in the base
spec.  From a spec factoring point of view, even if SPI remains a
completely separate spec and nothing is said in the base spec, there would
be no confusion or conflicts, including for implementations.  Here's why:
  - A header without an "alg" field is not recognized as a JWS or JWE, so
there's no conflict there
  - A JWS or JWE can legally contain a "spi" header field and a registry is
already provided to define the meanings of additional header fields, so
there's no conflict there either

Therefore, it seems like the separate spec could use the registry to define
the meaning of "spi" in a JWS and JWE and could furthermore define the
semantics of objects using headers without an "alg" field but including a
"spi" field.  No conflicts.  And clear separation of concerns.

Those wanting the SPI functionality could use it.  Those not needing it
would need to do nothing - which I think is as it should be.

Best wishes,
-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
Russ Housley
Sent: Friday, April 19, 2013 8:37 AM
To: odonoghue@isoc.org; jose@ietf.org
Subject: Re: [jose] Feedback request on jose tracker issue #8: Should we
add a "spi" header field?

Combination of 1 and 2.  The field needs to be in the base specifications,
but the only rule that needs to be included in the base specification is an
exact match of the identifier.

Russ

= = = = = = = = = =

1.  Have draft-barnes-jose-spi remain a separate specification that could
optionally also be supported by JWS and JWE implementations.
2.  Incorporate draft-barnes-jose-spi into the JWS and JWE specifications
as a mandatory feature.
3.  Incorporate draft-barnes-jose-spi into the JWS and JWE specifications
as an optional feature.
4.  Another resolution (please specify in detail).

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose
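The following is an added illustration, not code from this thread, from the JOSE specs or from draft-barnes-jose-spi. It shows, as a small Python header resolver, the two positions argued above: a header with no "alg" is not treated as a JWS or JWE at all (Mike's invariant), and "alg":"spi" together with a "spi" field is the hook that lets a receiver pull pre-negotiated parameters from a table it obtained out of band (Richard's point), with Russ's rule that the identifier must match exactly. The table contents, the example SPI names, and the merge rule (negotiated values fill in missing fields; a field the sender did include must agree with the negotiated value) are assumptions made for the example.

```python
import base64
import json

# Constructed table of pre-negotiated parameter sets, keyed by SPI value.
# A deployment would populate this out of band; the entries are illustrative.
PRENEGOTIATED = {
    "example-spi-1": {"alg": "HS256", "kid": "shared-key-1"},
    "example-spi-2": {"alg": "A128KW", "enc": "A128CBC-HS256", "kid": "wrap-key-2"},
}


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as the JOSE compact serialization uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_header(encoded: str) -> dict:
    """Decode a compact-serialization protected header; it must be a JSON object."""
    header = json.loads(b64url_decode(encoded).decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("JOSE header must be a JSON object")
    return header


def resolve_header(header: dict, table: dict = PRENEGOTIATED) -> dict:
    """Apply the '"alg": "spi"' convention discussed in the thread.

    Rules (this example's reading, not normative text):
      * no "alg"        -> not a JWS/JWE, reject
      * "alg" != "spi"  -> ordinary object, returned unchanged
      * "alg" == "spi"  -> "spi" must exactly match a known entry; the entry's
                           parameters fill in missing fields, and any field the
                           sender did include must equal the negotiated value
    """
    if "alg" not in header:
        raise ValueError("not a JWS/JWE: no 'alg' field")
    if header["alg"] != "spi":
        return dict(header)
    spi = header.get("spi")
    if not isinstance(spi, str):
        raise ValueError("'alg':'spi' requires a string 'spi' field")
    params = table.get(spi)  # exact-match lookup, no normalization
    if params is None:
        raise ValueError(f"unknown spi {spi!r}")
    resolved = dict(header)
    for name, value in params.items():
        if name != "alg" and name in header and header[name] != value:
            raise ValueError(f"header field {name!r} conflicts with negotiated value")
        resolved[name] = value  # negotiated table, not the sender, decides
    return resolved


def classify(header: dict, table: dict = PRENEGOTIATED):
    """Return (status, resolved header or None); handy for logging and tests."""
    if "alg" not in header:
        return "not-jose", None
    try:
        resolved = resolve_header(header, table)
    except ValueError:
        return "rejected", None
    return ("pre-negotiated" if header["alg"] == "spi" else "normal"), resolved


# Constructed sample: the protected header of a compact JWS using the convention.
SAMPLE_HEADER = b64url_encode(
    json.dumps({"alg": "spi", "spi": "example-spi-1"}, separators=(",", ":")).encode()
)

if __name__ == "__main__":
    for h in (
        parse_header(SAMPLE_HEADER),
        {"spi": "example-spi-1"},
        {"alg": "HS256", "kid": "k1"},
        {"alg": "spi", "spi": "no-such-spi"},
        {"alg": "spi", "spi": "example-spi-2", "enc": "A256GCM"},
    ):
        print(h, "->", classify(h))
```

The point a receiver-side implementer should take from this is that the header only names the parameter set; the cryptographic parameters themselves come from the locally held table, so a sender cannot talk the receiver into a different algorithm by editing the header.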