Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)

Mike Jones <> Wed, 19 November 2014 21:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 41F391A8905; Wed, 19 Nov 2014 13:50:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mlHDWkwopSa4; Wed, 19 Nov 2014 13:50:16 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fc10::1:712]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 877A51A88E5; Wed, 19 Nov 2014 13:50:03 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 19 Nov 2014 21:49:40 +0000
Received: from (2a01:111:f400:7c0c::117) by (2a01:111:e400:4000::19) with Microsoft SMTP Server (TLS) id via Frontend Transport; Wed, 19 Nov 2014 21:49:40 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id via Frontend Transport; Wed, 19 Nov 2014 21:49:39 +0000
Received: from ([]) by ([]) with mapi id 14.03.0210.003; Wed, 19 Nov 2014 21:49:06 +0000
From: Mike Jones <>
To: Pete Resnick <>
Thread-Topic: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)
Thread-Index: AQHP3fdK8YG+SRr1nECfcW20xykmgJwgtxPQgAJQ0QCAARwqgIArdnkAgARaq4CAFM/YYA==
Date: Wed, 19 Nov 2014 21:49:04 +0000
Message-ID: <>
References: <> <> <008a01cfe161$f0ec5090$d2c4f1b0$> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
Received-SPF: Pass ( domain of designates as permitted sender); client-ip=;;
Authentication-Results: spf=pass (sender IP is;
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(199003)(51874003)(51704005)(189002)(43784003)(86362001)(2656002)(46406003)(84676001)(19580395003)(104016003)(92566001)(85806002)(87936001)(86612001)(110136001)(230783001)(93886004)(26826002)(21056001)(33656002)(15202345003)(68736004)(69596002)(95666004)(6806004)(20776003)(15975445006)(47776003)(92726001)(44976005)(120916001)(64706001)(4396001)(106116001)(99396003)(77096003)(62966003)(54356999)(31966008)(46102003)(76176999)(50986999)(66066001)(97756001)(55846006)(97736003)(50466002)(77156002)(81156004)(23726002)(107046002)(106466001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB1211;; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB1211;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB1211;
X-Forefront-PRVS: 04004D94E2
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB1211;
Cc: "" <>, Jim Schaad <>, Kathleen Moriarty <>, The IESG <>, "" <>, "" <>
Subject: Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Nov 2014 21:50:26 -0000

Below I'm responding only to the remaining issue about "rejecting JWSs".   Pete, please let me know if the proposed language works for you.

> >>>>> 5.2:
> >>>>>
> >>>>> Strike the last sentence of the second paragraph. There's no
> >>>>> requirement here. If none of them validate, I can do what I want
> >>>>> with the JWS. I needn't "reject" it. I might just mark it as "invalid".
> >>>>>
> >>>>> [Get rid of all talk of "rejecting" throughout this document.
> >>>>> Again, I will note that the signatures are not valid, but
> >>>>> rejecting is a local implementation detail.]
> >>>>>
> >>>> As discussed during the telechat and on subsequent threads, the
> >>>> terms "accept" and "reject" are commonly used in this way, for
> >>>> instance, in RFC 5820.  As Kathleen wrote after the call, "For the
> "reject"
> >>>> language, Pete said on the call that he would go through each one
> >>>> to see where it might be application specific and will suggest changes.
> >>>> Thanks in advance, Pete.".
> >>>>
> So I've gone through all of the "reject"s in the document, and I think I see a
> way to allay my concern without significantly changing the
> language: Instead of saying "reject the JWS" as it does in most places, I
> believe it would be much clearer if it simply said "reject the signature" as it
> does in 4.1.6. Then you're clearly not saying "rejecting the data", as I'm afraid
> certain sorts of applications developers will interpret it. In some instances,
> you'll need to say something like "reject the signature of a JWS with foobar",
> but I don't think that significantly changes the intended meaning.

It turns out that way back in draft -15, in response to issue #35 (, we'd already changed statements about "rejecting the JWS" in contexts of signature failures to statements about  the JWS Signature being invalid.  So those uses of "reject the JWS" that remained were actually about rejecting the whole thing - not about rejecting the signature.  I'm revisiting that history because your suggested language about "reject the signature" doesn't actually convey the correct meaning in the remaining contexts.

But I understand and agree with your intent - which is to say that implementations will determine that some JWSs are invalid, rather than the "rejection" being some kind of cataclysmic failure.  To achieve this intent, I've instead changed the language "reject the JWS" to "consider the JWS to be invalid" in my current editor's draft.  Let me know if that works for you.

I've made the parallel changes in the JWE draft as well.

				Thanks again,
				-- Mike