Re: [jose] #27: member names MUST be unique needs additional text

"Jim Schaad" <ietf@augustcellars.com> Wed, 26 June 2013 18:30 UTC

<no hat>

I consider myself to be reasonably competent in both English and Technical English.  I have no idea what I am supposed to be doing to deal with the text below.  Does this mean that I need to write an independent parser?  What about cases where it is coming in on a stream and I don't get to see the data before the parse occurs?  How are they interpreted differently?  What exactly is this supposed to be addressing?  Much of this could be skipped when we said don't do it.  Since this is no longer a viable statement due to the state of parsers, we need to be more explicit and say what is going on.

No, I don't consider the suggested text to be adequate.

> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> jose issue tracker
> Sent: Tuesday, June 25, 2013 5:41 PM
> To: draft-ietf-jose-json-web-signature@tools.ietf.org;
> michael.jones@microsoft.com
> Cc: jose@ietf.org
> Subject: Re: [jose] #27: member names MUST be unique needs additional text
> 
> #27: member names MUST be unique needs additional text
> 
> 
> Comment (by michael.jones@microsoft.com):
> 
>  The JWS draft currently says:
> 
>          The Header Parameter Names within the JWS Header MUST be unique;
>          JWSs with duplicate Header Parameter Names MUST be rejected.
> 
>  How about changing this to:
> 
>          The Header Parameter Names within the JWS Header MUST be unique;
>          JWSs with duplicate Header Parameter Names MUST be rejected.
>          This is necessary to prevent attacks in which the same JWS might be
>          interpreted in different ways by different implementations and to
>          prevent attackers from hiding extra content in duplicate member values.
>          If the platform's JSON parser does not reject input with duplicate
>          member names, the input will first need to be separately parsed to
>          reject these invalid inputs before using the platform's parser.
> 
> --
> -----------------------------------+-----------------------------------------------------------------
>  Reporter:  ietf@augustcellars.com |       Owner:  draft-ietf-jose-json-web-signature@tools.ietf.org
>      Type:  defect                 |      Status:  new
>  Priority:  major                  |   Milestone:
> Component:  json-web-signature     |     Version:
>  Severity:  -                      |  Resolution:
>  Keywords:                         |
> -----------------------------------+-----------------------------------------------------------------
> 
> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/27#comment:1>
> jose <http://tools.ietf.org/jose/>
> 
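
The duplicate-name check discussed in this message, as an added example that is not part of the original e-mail or of the JWS draft: Python's `json` module keeps the last value of a repeated name by default, while its `object_pairs_hook` sees every pair and can reject the header during the same parse. The function names and sample tokens are constructed for illustration.

```python
import base64
import json


class DuplicateHeaderName(ValueError):
    """A JSON object in the JWS Header repeated a member name."""


def _reject_duplicates(pairs):
    # The json module passes every (name, value) pair of each object here,
    # in document order, before any duplicate has been dropped.
    members = {}
    for name, value in pairs:
        if name in members:
            raise DuplicateHeaderName(f"duplicate member name: {name!r}")
        members[name] = value
    return members


def _b64url_decode(segment):
    # Compact JWS segments are base64url without padding; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def lenient_header(compact_jws):
    """Stock json.loads: a repeated name silently keeps its last value."""
    return json.loads(_b64url_decode(compact_jws.split(".", 1)[0]))


def strict_header(compact_jws):
    """Same decode, but any duplicate name (at any depth) is an error."""
    raw = _b64url_decode(compact_jws.split(".", 1)[0])
    header = json.loads(raw, object_pairs_hook=_reject_duplicates)
    if not isinstance(header, dict):
        raise ValueError("JWS Header must be a JSON object")
    return header


# Constructed samples; the payload and signature segments are dummies.
GOOD = _b64url_encode(b'{"alg":"HS256","kid":"key-1"}') + ".e30.c2ln"
DUPLICATE = _b64url_encode(b'{"alg":"HS256","kid":"key-1","kid":"key-2"}') + ".e30.c2ln"
NESTED = _b64url_encode(b'{"alg":"HS256","jwk":{"kty":"oct","kty":"RSA"}}') + ".e30.c2ln"
```

`lenient_header(DUPLICATE)` returns `kid` as `key-2` with no error, which is the divergence between implementations that the proposed text refers to; `strict_header` raises `DuplicateHeaderName` for both `DUPLICATE` and `NESTED`.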