IETF Logo Mail Archive

[jose] Header criticality -- hidden consensus?

Richard Barnes <rlb@ipv.sx> Fri, 08 February 2013 23:12 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A591321F8C12 for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 15:12:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.588
X-Spam-Level:
X-Spam-Status: No, score=-2.588 tagged_above=-999 required=5 tests=[AWL=0.388, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CG-PFG2Y-F-A for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 15:12:01 -0800 (PST)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id 8BEC021F8BAB for <jose@ietf.org>; Fri, 8 Feb 2013 15:12:00 -0800 (PST)
Received: by mail-lb0-f172.google.com with SMTP id n8so3398225lbj.17 for <jose@ietf.org>; Fri, 08 Feb 2013 15:11:59 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:date:message-id:subject :from:to:content-type:x-gm-message-state; bh=cXwUcd6TEMcieTNNGczOArrZhSLWWsqGQSL7HXU14IQ=; b=fs5juOZMIuTSSEDIVzp19W7BneXkyndiwl/+/um+qEFV4JfjRlgt5kMG9WHU7phIeq Qrx9wDy7GyVVRu9lWC6ofp0Ik1Afj2b0L1aTrZ09HabQazSwRRnWhmGVLoPQKO56cJxG qwbYg9nl2ZXOmo9HP92TMyraQz0FISOApC1WaeSeDcTqBvrVevbokZjtCt9UMiCSOcAR dSqKTalGf1Mn4PfG6/LeJd6H7dE51gZDtUmc154IvUyY6xpw1kMyeIyTr6BzPux1oKX0 jsk0y2c230AR7ciL0/4PM1DQh3kcYWxNKy80LI1gQJPfhAzTlYLDKtZnOhKByUEGList 0rwg==
MIME-Version: 1.0
X-Received: by 10.152.113.6 with SMTP id iu6mr6375418lab.43.1360365119390; Fri, 08 Feb 2013 15:11:59 -0800 (PST)
Received: by 10.112.147.164 with HTTP; Fri, 8 Feb 2013 15:11:59 -0800 (PST)
X-Originating-IP: [192.1.51.63]
Date: Fri, 08 Feb 2013 18:11:59 -0500
Message-ID: <CAL02cgRxeS-DomWzVBmoqzps57jgvrUSLn5nrFtqcrTD1wQa=g@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "jose@ietf.org" <jose@ietf.org>
Content-Type: multipart/alternative; boundary="f46d04089151b4c59d04d53eaf1e"
X-Gm-Message-State: ALoCoQmf+YO+uDEQkUkeI8mZK2ySp4bigL6cDL/nG4zDOv1JDAGPB76vnwBKaDCN+saz0ysWYsHM
Subject: [jose] Header criticality -- hidden consensus?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2013 23:12:01 -0000

We're 24 votes into the header criticality poll, so I thought I would go
ahead and take a look at how the results are shaping up.  My initial
tabulation is below.  The result on the FIRST POLL (the main one) is as
follows:

No: 10
Yes: 14

What I find striking, however, is that every single person that voted "Yes"
on the FIRST POLL also voted "Yes" on the SECOND POLL.  So nobody who
thinks that all headers should be critical thinks that a JOSE library
should actually be required to enforce this constraint.  And that means
that enforcing that all headers are supported cannot be a MUST according to
RFC 2119.

So I wonder if there's consensus to remove the following text from JWE and
JWS:
-----BEGIN-JWE-----
   4.   The resulting JWE Header MUST be validated to only include
        parameters and values whose syntax and semantics are both
        understood and supported.
-----END-JWE-----
-----BEGIN-JWS-----
   4.  The resulting JWS Header MUST be validated to only include
       parameters and values whose syntax and semantics are both
       understood and supported.
-----END-JWS-----

Otherewise, a JOSE library conforming to these specifications would be
REQUIRED (a synonym to MUST in 2119) to reject a JWE/JWS that contains an
unknown header, contradicting all those "Yes" votes on the SECOND POLL.

--Richard



-----BEGIN-Tabulation-----
1       2       3    Name:
N       -       -    Bradley
N       -       -    Ito
N       N       A    Yee
N       N       B    Barnes
N       N       B    Rescorla
N       N       C    Manger
N       N       C    Octman
N       Y       A    Fletcher
N       Y       A    Miller
N       Y       A    Sakimura
Y       Y       -    D'Agostino
Y       Y       A    Biering
Y       Y       A    Brault
Y       Y       A    Hedberg
Y       Y       A    Jay
Y       Y       A    Jones
Y       Y       A    Marais
Y       Y       A    Nadalin
Y       Y       A    Nara
Y       Y       A    Nennker
Y       Y       A    Solberg
Y       Y       B    Hardt
Y       Y       B    Medeiros
Y       Y       C    Matake
Y       Y       C    Mishra
-----END-Tabulation-----

v2.23.0 | Report a Bug | By Email