[jose] Header criticality -- hidden consensus?
Richard Barnes <rlb@ipv.sx> Fri, 08 February 2013 23:12 UTC
We're 24 votes into the header criticality poll, so I thought I would go ahead and take a look at how the results are shaping up. My initial tabulation is below.

The result on the FIRST POLL (the main one) is as follows:

No: 10
Yes: 14

What I find striking, however, is that every single person that voted "Yes" on the FIRST POLL also voted "Yes" on the SECOND POLL. So nobody who thinks that all headers should be critical thinks that a JOSE library should actually be required to enforce this constraint. And that means that enforcing that all headers are supported cannot be a MUST according to RFC 2119.

So I wonder if there's consensus to remove the following text from JWE and JWS:

-----BEGIN-JWE-----
4. The resulting JWE Header MUST be validated to only include parameters and values whose syntax and semantics are both understood and supported.
-----END-JWE-----

-----BEGIN-JWS-----
4. The resulting JWS Header MUST be validated to only include parameters and values whose syntax and semantics are both understood and supported.
-----END-JWS-----

Otherwise, a JOSE library conforming to these specifications would be REQUIRED (a synonym to MUST in 2119) to reject a JWE/JWS that contains an unknown header, contradicting all those "Yes" votes on the SECOND POLL.

--Richard

-----BEGIN-Tabulation-----
1 2 3 Name:
N - - Bradley
N - - Ito
N N A Yee
N N B Barnes
N N B Rescorla
N N C Manger
N N C Octman
N Y A Fletcher
N Y A Miller
N Y A Sakimura
Y Y - D'Agostino
Y Y A Biering
Y Y A Brault
Y Y A Hedberg
Y Y A Jay
Y Y A Jones
Y Y A Marais
Y Y A Nadalin
Y Y A Nara
Y Y A Nennker
Y Y A Solberg
Y Y B Hardt
Y Y B Medeiros
Y Y C Matake
Y Y C Mishra
-----END-Tabulation-----
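The difference between enforcing the quoted step 4 and ignoring unknown header parameters, as an added example that is not part of the original message or of any JOSE library. The supported-parameter set, the `strict` flag and the sample header values are assumptions constructed for illustration.

```python
import base64
import json

# Assumed capabilities of a hypothetical verifier (not from any real library).
SUPPORTED_PARAMS = {"alg", "typ", "kid"}
SUPPORTED_ALGS = {"HS256", "RS256"}


class HeaderRejected(ValueError):
    """The header fails validation and the object must not be processed."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sample_compact(header: dict) -> str:
    """Constructed sample: compact form with placeholder payload/signature."""
    return b64url_encode(json.dumps(header).encode()) + ".e30.c2ln"


def parse_header(compact: str) -> dict:
    """Decode the first segment of a compact JWS into a header dict."""
    segment = compact.split(".", 1)[0]
    try:
        padded = segment + "=" * (-len(segment) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64url, bad UTF-8 or bad JSON
        raise HeaderRejected("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise HeaderRejected("header is not a JSON object")
    return header


def validate_header(header: dict, strict: bool = True) -> list:
    """Return the unknown parameter names that were ignored, or raise."""
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in SUPPORTED_ALGS:
        raise HeaderRejected("missing or unsupported alg value")
    unknown = sorted(set(header) - SUPPORTED_PARAMS)
    if unknown and strict:
        # The quoted step 4: every parameter must be understood and supported.
        raise HeaderRejected("unknown parameters: " + ", ".join(unknown))
    # Lenient mode: unknown parameters are reported to the caller and ignored.
    return unknown
```

With `strict=True` a header carrying a parameter such as the constructed `x-policy` is rejected outright; with `strict=False` the same header is accepted and the unknown name is returned so the caller can log it.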