Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41F391A8905; Wed, 19 Nov 2014 13:50:25 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mlHDWkwopSa4; Wed, 19 Nov 2014 13:50:16 -0800 (PST) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0712.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:712]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 877A51A88E5; Wed, 19 Nov 2014 13:50:03 -0800 (PST) Received: from BN3PR0301CA0009.namprd03.prod.outlook.com (25.160.180.147) by CY1PR0301MB1211.namprd03.prod.outlook.com (25.161.212.145) with Microsoft SMTP Server (TLS) id 15.1.16.15; Wed, 19 Nov 2014 21:49:40 +0000 Received: from BY2FFO11FD017.protection.gbl (2a01:111:f400:7c0c::117) by BN3PR0301CA0009.outlook.office365.com (2a01:111:e400:4000::19) with Microsoft SMTP Server (TLS) id 15.1.16.15 via Frontend Transport; Wed, 19 Nov 2014 21:49:40 +0000 Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD017.mail.protection.outlook.com (10.1.14.105) with Microsoft SMTP Server (TLS) id 15.1.6.13 via Frontend Transport; Wed, 19 Nov 2014 21:49:39 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.229]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0210.003; Wed, 19 Nov 2014 21:49:06 +0000 From: Mike Jones To: Pete Resnick Thread-Topic: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT) Thread-Index: AQHP3fdK8YG+SRr1nECfcW20xykmgJwgtxPQgAJQ0QCAARwqgIArdnkAgARaq4CAFM/YYA== Date: Wed, 19 Nov 2014 21:49:04 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB8CF5A@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <20141002041344.8073.81288.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAEBD05@TK5EX14MBXC286.redmond.corp.microsoft.com> <008a01cfe161$f0ec5090$d2c4f1b0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739439BAF370A@TK5EX14MBXC286.redmond.corp.microsoft.com> <545B9763.9050004@qti.qualcomm.com> In-Reply-To: <545B9763.9050004@qti.qualcomm.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.76] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com; Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com; X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(199003)(51874003)(51704005)(189002)(43784003)(86362001)(2656002)(46406003)(84676001)(19580395003)(104016003)(92566001)(85806002)(87936001)(86612001)(110136001)(230783001)(93886004)(26826002)(21056001)(33656002)(15202345003)(68736004)(69596002)(95666004)(6806004)(20776003)(15975445006)(47776003)(92726001)(44976005)(120916001)(64706001)(4396001)(106116001)(99396003)(77096003)(62966003)(54356999)(31966008)(46102003)(76176999)(50986999)(66066001)(97756001)(55846006)(97736003)(50466002)(77156002)(81156004)(23726002)(107046002)(106466001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB1211; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-Microsoft-Antispam: UriScan:; X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB1211; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB1211; X-Forefront-PRVS: 04004D94E2 X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB1211; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/jose/NdJf54a5zEZGsyT4yr0NoidR7mM Cc: "jose-chairs@tools.ietf.org" , Jim Schaad , Kathleen Moriarty , The IESG , "jose@ietf.org" , "draft-ietf-jose-json-web-signature@tools.ietf.org" Subject: Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2014 21:50:26 -0000 Below I'm responding only to the remaining issue about "rejecting JWSs". = Pete, please let me know if the proposed language works for you. > >>>>> 5.2: > >>>>> > >>>>> Strike the last sentence of the second paragraph. There's no > >>>>> requirement here. If none of them validate, I can do what I want > >>>>> with the JWS. I needn't "reject" it. I might just mark it as "inval= id". > >>>>> > >>>>> [Get rid of all talk of "rejecting" throughout this document. > >>>>> Again, I will note that the signatures are not valid, but > >>>>> rejecting is a local implementation detail.] > >>>>> > >>>> As discussed during the telechat and on subsequent threads, the > >>>> terms "accept" and "reject" are commonly used in this way, for > >>>> instance, in RFC 5820. As Kathleen wrote after the call, "For the > "reject" > >>>> language, Pete said on the call that he would go through each one > >>>> to see where it might be application specific and will suggest chang= es. > >>>> Thanks in advance, Pete.". > >>>> >=20 > So I've gone through all of the "reject"s in the document, and I think I = see a > way to allay my concern without significantly changing the > language: Instead of saying "reject the JWS" as it does in most places, I > believe it would be much clearer if it simply said "reject the signature"= as it > does in 4.1.6. Then you're clearly not saying "rejecting the data", as I'= m afraid > certain sorts of applications developers will interpret it. In some insta= nces, > you'll need to say something like "reject the signature of a JWS with foo= bar", > but I don't think that significantly changes the intended meaning. It turns out that way back in draft -15, in response to issue #35 (http://t= rac.tools.ietf.org/wg/jose/trac/ticket/35), we'd already changed statements= about "rejecting the JWS" in contexts of signature failures to statements = about the JWS Signature being invalid. So those uses of "reject the JWS" = that remained were actually about rejecting the whole thing - not about rej= ecting the signature. I'm revisiting that history because your suggested l= anguage about "reject the signature" doesn't actually convey the correct me= aning in the remaining contexts. But I understand and agree with your intent - which is to say that implemen= tations will determine that some JWSs are invalid, rather than the "rejecti= on" being some kind of cataclysmic failure. To achieve this intent, I've i= nstead changed the language "reject the JWS" to "consider the JWS to be inv= alid" in my current editor's draft. Let me know if that works for you. I've made the parallel changes in the JWE draft as well. Thanks again, -- Mike