Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
Richard Barnes <rlb@ipv.sx> Thu, 20 June 2013 20:44 UTC
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>, "Matt Miller (mamille2)" <mamille2@cisco.com>
Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?

Also: http://tools.ietf.org/html/rfc6839

On Thu, Jun 20, 2013 at 2:56 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Because the syntax is completely different. One is period-separated
> base64url encoded fields. The other is JSON.
>
> -- Mike
>
> From: Jim Schaad [mailto:ietf@augustcellars.com]
> Sent: Thursday, June 20, 2013 11:49 AM
> To: Mike Jones; 'Matt Miller (mamille2)'; 'Richard Barnes'
> Cc: jose@ietf.org
> Subject: RE: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
>
> I have a question, why is there both an application/jose and
> application/jose+json. Why not have just one of them?
>
> Jim
>
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Thursday, June 20, 2013 10:47 AM
> To: Matt Miller (mamille2); Richard Barnes
> Cc: jose@ietf.org
> Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
>
> Editorially, if we do decide to add application/jose and
> application/jose+json MIME types, I would register them in
> draft-ietf-jose-json-web-signature, just like other registry content shared
> between JWS and JWE, such as the JSON Web Signature and Encryption Header
> Parameters Registry
> <http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11#page-18>.
>
> -- Mike
>
> -----Original Message-----
> From: Matt Miller (mamille2) [mailto:mamille2@cisco.com]
> Sent: Thursday, June 20, 2013 10:33 AM
> To: Richard Barnes
> Cc: Mike Jones; jose@ietf.org
> Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
>
> I just want to say that I think having a media type is important and
> useful. It might not be important and useful for JWT or OAuth or
> OpenID-Connect, but I can think of many applications that would make use of
> them if at all possible.
>
> I personally don't care if it's a generic media type or individual
> application/jwe and application/jws. However, I think a generic media type
> would require a separate document; trying to fit this into the one shared
> document (JWA) seems wrong.
>
> - m&m
>
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
>
> PS: I've found +json useful for other things, because I do have
> applications that present in different formats (right now that's usually
> +xml). While there's not a simple corollary with XML-based concepts, I
> think there will be corollaries in the future (e.g., CBOR). Having them
> now means we're not painted into a corner if (when) we look at JOSE2 and
> support for binary representations.
>
> On Jun 20, 2013, at 10:49 AM, Richard Barnes <rlb@ipv.sx> wrote:
>
> > That algorithm is part of the story, but it's incomplete. What we need is
> > an algorithm that starts with an arbitrary octet string and sorts by
> > JWS/JWE and serialization. An outline of the flow chart:
> >
> > 1. If content parses as valid JSON
> >    1.*. Parse JSON
> >    1.1. Contains a "ciphertext" field -> JWE + JSON
> >    1.2. Contains a "payload" field -> JWS + JSON
> >    1.3. Else fail
> > 2. Else if content matches the regex "^[a-zA-Z0-9_.-]*$"
> >    2.*. Split on "."
> >    2.1. If 5 components -> JWE + compact
> >    2.2. If 3 components -> JWS + compact
> >    2.3. Else fail
> > 3. Else fail
> >
> > There's also the question of which document this goes in. It would be a
> > natural thing for a combined JWS+JWE document, but we don't have one of
> > those :(
> >
> > On Thu, Jun 20, 2013 at 11:19 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> >
> >> There is a defined algorithm to distinguish between the JWS and JWE
> >> objects in the third paragraph of
> >> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-11#section-4 .
> >>
> >> -- Mike
> >>
> >> From: Richard Barnes [mailto:rlb@ipv.sx]
> >> Sent: Thursday, June 20, 2013 8:15 AM
> >> To: Mike Jones
> >> Cc: jose@ietf.org
> >> Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
> >>
> >> Multiplexing JWE and JWS under a single JOSE media type only makes sense
> >> if there's a defined algorithm to demux them. So if you want to do this,
> >> you would need to write down the algorithm.
> >>
> >> Personally, it seems simpler and clearer to me to just have the four
> >> current types, so that you know which type of object you're dealing with,
> >> and in what serialization, without having to do content sniffing.
> >>
> >> On Tue, Jun 18, 2013 at 9:26 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> >>
> >> The JWS and JWE documents currently define these MIME types for the
> >> convenience of applications that may want to use them:
> >>
> >> application/jws
> >> application/jws+json
> >> application/jwe
> >> application/jwe+json
> >>
> >> That being said, I’m not aware of any uses of these by applications at
> >> present. Thus, I think that makes it fair game to ask whether we want to
> >> keep them or remove them – in which case, if applications ever needed them,
> >> they could define them later.
> >>
> >> Another dimension of this question for JWS and JWE is that it’s not clear
> >> that the four types application/jws, application/jws+json, application/jwe,
> >> and application/jwe+json are even the right ones. It might be more useful
> >> to have generic application/jose and application/jose+json types, which
> >> could hold either JWS or JWE objects respectively using the compact or JSON
> >> serializations (although I’m not advocating adding them at this time).
> >>
> >> Having different JWS versus JWE MIME types apparently did contribute to at
> >> least Dick’s confusion about the purpose of the “typ” field, so deleting
> >> them could help eliminate this possibility of confusion in the future.
> >> Thus, I’m increasingly convinced we should get rid of the JWS and JWE types
> >> and leave it up to applications to define the types they need, when they
> >> need them.
> >>
> >> Do people have use cases for these four MIME types now or should we leave
> >> them to future specs to define, if needed?
> >>
> >> -- Mike
> >>
> >> P.S. For completeness, I’ll add that the JWK document also defines these
> >> MIME types:
> >>
> >> application/jwk+json
> >> application/jwk-set+json
> >>
> >> There are already clear use cases for these types, so I’m not advocating
> >> deleting them, but wanted to call that out explicitly. For instance, when
> >> retrieving a JWK Set document referenced by a “jku” header parameter, I
> >> believe that the result should use the application/jwk-set+json type. (In
> >> fact, I’ll add this to the specs, unless there are any objections.)
> >> Likewise, draft-miller-jose-jwe-protected-jwk-02 already uses
> >> application/jwk+json. Both could also be used as “cty” values when encrypting
> >> JWKs and JWK Sets, in contexts where that would be useful.
> >>
> >> _______________________________________________
> >> jose mailing list
> >> jose@ietf.org
> >> https://www.ietf.org/mailman/listinfo/jose
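
The demultiplexing outline quoted in the message above (sort an arbitrary octet string by JWS/JWE and by serialization), written out as an added Python example that is not part of the original thread or of any JOSE draft. The names `demux`, `matches_declared` and `DemuxError` are chosen here, "contains a field" is assumed to mean a top-level JSON object member, and the sample token is constructed.

```python
import json
import re

# Character class from the outline; fullmatch() because "$" also matches before a trailing "\n".
COMPACT_RE = re.compile(r"[a-zA-Z0-9_.-]*")
# The four media types named in the thread.
MEDIA_TYPES = {
    ("JWS", "compact"): "application/jws",
    ("JWS", "json"): "application/jws+json",
    ("JWE", "compact"): "application/jwe",
    ("JWE", "json"): "application/jwe+json",
}
# Constructed sample: three base64url fields, not a real signed object.
SAMPLE = b"aGVhZGVy.cGF5bG9hZA.c2ln"

class DemuxError(ValueError):
    """Input reached one of the outline's "fail" exits."""

def demux(octets: bytes) -> tuple:
    """Classify an arbitrary octet string as (kind, serialization)."""
    try:
        text = octets.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise DemuxError("step 3: neither JSON nor compact") from exc
    try:
        doc = json.loads(text)                            # step 1
    except (ValueError, RecursionError):
        if not COMPACT_RE.fullmatch(text):                # step 2
            raise DemuxError("step 3: neither JSON nor compact") from None
        kind = {5: "JWE", 3: "JWS"}.get(len(text.split(".")))  # steps 2.1 / 2.2
        if kind is None:
            raise DemuxError("step 2.3: not 3 or 5 components") from None
        return (kind, "compact")
    # Assumption: a "field" is a member of a top-level JSON object; order follows the outline.
    if isinstance(doc, dict) and "ciphertext" in doc:     # step 1.1
        return ("JWE", "json")
    if isinstance(doc, dict) and "payload" in doc:        # step 1.2
        return ("JWS", "json")
    raise DemuxError("step 1.3: JSON without ciphertext or payload")

def matches_declared(content_type: str, octets: bytes) -> bool:
    """True when the declared media type agrees with what demux() finds."""
    declared = content_type.split(";")[0].strip().lower()
    try:
        return MEDIA_TYPES[demux(octets)] == declared
    except DemuxError:
        return False
```

With the four explicit types, `matches_declared` is a consistency check on the label; with a single generic type, `demux` would be the only source of the classification.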