Re: [jose] Should we delete the "typ" header field
"Jim Schaad" <ietf@augustcellars.com> Mon, 10 June 2013 05:40 UTC
From: Jim Schaad <ietf@augustcellars.com>
To: jose@ietf.org
Date: Sun, 09 Jun 2013 22:39:59 -0700

<no hat>

I kept trying to send this message out during the last week, but I have been doing too much physical activity to be awake at night and produce a coherent message. The opinions here are my personal opinions, some of them might be things that I would also advocate as a chair, but don't assume just because it is here I would.

I have been looking at the conversation on this topic with slight surprise, I did not really expect this type of firestorm to occur on a part of the spec that had been in for quite a while.

Givens:

1. My general inclination is that things in the document generally stay in the document, however they do need to be shown to be clearly described and useful.

2. My general inclination is that things which can be shown to be useful for multiple applications can be done in the base document. That said, there is nothing that says such a thing could not be defined in one of the application specs which uses it rather than the base document.

My understanding:

My understanding of what Mike has said is that this field is meant to clearly present that this is a JSON thing for a specific application. This is contrary to the expectation that Richard, Dick and myself had where it was a description of the "security service" rather than the application.

My problem with this understanding is I am not sure when it is a useful concept to have. In order for it to be needed you would need to have two statements being true:

1. There is no way to know the application from the current protocol being exercised and

2. There is no way to correctly infer the application from the value of the ctyp field (if present).

Under the current circumstances as I understand the JWT specification, neither of these criteria would be met.

Nat gave an interesting example of a case where it might be useful, that of a Time Stamp Provider. My problem with this is that I don't think of this as being an application protocol, but as being a different security service. Thus a timestamp JWS is a specialized version of a normal JWS. As such, yes it would make sense to me that the type field could be used to differentiate between a normal JWS and a timestamp-JWS. But a timestamp would be, by definition, completely agnostic about the inner content provided. The same could not be said of a JWT application. It needs to understand the specific inner content that was provided.

SideBar: It is not immediately clear to me that a classic timestamp provider could be done using the JOSE data structures as it normally requires that one can produce a timestamp without sharing the content with the timestamp producer. There are also interesting discussions on if the fact that it is a timestamp or other special signature should be signaled in the signature object or as a key parameter. However none of this paragraph is relevant to the current discussion.

I think that I would like to see the following things:

1. Two clear use cases provided, one for JWT and one for something else where the typ field as an application indicator would be useful/required. I think that such a thing needs to address the two points that I presented previously.

2. I don't believe that anyone has addressed the question I raised about the fact that both the ctyp and typ fields are using the same registry, thus JWT would mean different things depending on which field it is in.

3. I had a message dated 5/30/13 where I asked a couple of questions. This message was not responded to.

Jim