From: "Jim Schaad" <ietf@augustcellars.com>
To: "'jose issue tracker'" <trac+jose@trac.tools.ietf.org>,
 <draft-ietf-jose-json-web-signature@tools.ietf.org>,
 <michael.jones@microsoft.com>
References: <061.bb7bbe0b618ec6b74904f48bdb9bb312@trac.tools.ietf.org>
 <076.a597050ecb4fb25084cec65f7174dc7e@trac.tools.ietf.org>
In-Reply-To: <076.a597050ecb4fb25084cec65f7174dc7e@trac.tools.ietf.org>
Date: Wed, 26 Jun 2013 11:29:52 -0700
Message-ID: <033b01ce729b$26ff5c90$74fe15b0$@augustcellars.com>
Cc: jose@ietf.org
Subject: Re: [jose] #27: member names MUST be unique needs additional text
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

<no hat>

I consider myself to be reasonably competent in both English and Technical English. I have no idea what I am supposed to be doing to deal with the text below. Does this mean that I need to write an independent parser? What about cases where it is coming in on a stream and I don't get to see the data before the parse occurs? How are they interpreted differently? What exactly is this supposed to be addressing? Much of this could be skipped when we said don't do it. Since this is no longer a viable statement due to the state of parsers, we need to be more explicit and say what is going on.

No I don't consider the suggested text to be adequate.

> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> jose issue tracker
> Sent: Tuesday, June 25, 2013 5:41 PM
> To: draft-ietf-jose-json-web-signature@tools.ietf.org;
> michael.jones@microsoft.com
> Cc: jose@ietf.org
> Subject: Re: [jose] #27: member names MUST be unique needs additional text
> 
> #27: member names MUST be unique needs additional text
> 
> Comment (by michael.jones@microsoft.com):
> 
>  The JWS draft currently says:
> 
>          The Header Parameter Names within the JWS Header MUST be unique;
>          JWSs with duplicate Header Parameter Names MUST be rejected.
> 
>  How about changing this to:
> 
>          The Header Parameter Names within the JWS Header MUST be unique;
>          JWSs with duplicate Header Parameter Names MUST be rejected.
>          This is necessary to prevent attacks in which the same JWS might be
>          interpreted in different ways by different implementations and to
>          prevent attackers from hiding extra content in duplicate member values.
>          If the platform's JSON parser does not reject input with duplicate
>          member names, the input will first need to be separately parsed to
>          reject these invalid inputs before using the platform's parser.
> 
> --
> -------------------------+---------------------------------------------------
>  Reporter:               |       Owner:  draft-ietf-jose-json-web-
>   ietf@augustcellars.com |  signature@tools.ietf.org
>      Type:  defect       |      Status:  new
>  Priority:  major        |   Milestone:
> Component:  json-web-    |     Version:
>   signature              |  Resolution:
>  Severity:  -            |
>  Keywords:               |
> -------------------------+---------------------------------------------------
> 
> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/27#comment:1>
> jose <http://tools.ietf.org/jose/>
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
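A check of the kind the ticket's proposed text describes, as an added example that is not part of this thread or of any JOSE draft: it parses the protected header of a JWS compact serialization with Python's json module and rejects any repeated Header Parameter Name (nested objects included) through object_pairs_hook, beside the default parse that silently keeps the last value. The sample JWS strings are constructed for the example.

```python
import base64
import json

class DuplicateMemberName(ValueError):
    """Raised when a JSON object in the header repeats a member name."""

def _b64url_decode(segment: str) -> bytes:
    # JWS compact serialization uses base64url without '=' padding; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _reject_duplicates(pairs):
    # object_pairs_hook receives every object's (name, value) pairs in order,
    # so nested objects are checked too; plain json.loads would keep the last.
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateMemberName(f"duplicate member name: {name!r}")
        obj[name] = value
    return obj

def parse_jws_header(compact: str) -> dict:
    """Parse the protected header of a compact JWS, rejecting duplicate names."""
    raw = _b64url_decode(compact.split(".", 1)[0]).decode("utf-8")
    return json.loads(raw, object_pairs_hook=_reject_duplicates)

def parse_jws_header_unchecked(compact: str) -> dict:
    """The same header through the platform parser with no duplicate check."""
    raw = _b64url_decode(compact.split(".", 1)[0]).decode("utf-8")
    return json.loads(raw)

def header_has_duplicates(compact: str) -> bool:
    try:
        parse_jws_header(compact)
    except DuplicateMemberName:
        return True
    return False

# Constructed sample inputs; only the header segment matters for this check.
GOOD_JWS = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}') + ".payload.signature"
DUP_JWS = _b64url_encode(b'{"alg":"HS256","typ":"JWT","alg":"RS256"}') + ".payload.signature"

if __name__ == "__main__":
    print(parse_jws_header_unchecked(DUP_JWS))  # {'alg': 'RS256', 'typ': 'JWT'}: last value wins
    print(header_has_duplicates(DUP_JWS))       # True
```

The unchecked parse shows why two implementations can disagree on the same JWS: a parser that keeps the first value would see HS256 where this one sees RS256.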

