IETF Logo Mail Archive

Re: [jose] Should we delete the "typ" header field

Nat Sakimura <sakimura@gmail.com> Thu, 06 June 2013 00:32 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F42021F86FB for <jose@ietfa.amsl.com>; Wed, 5 Jun 2013 17:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.296
X-Spam-Level: ***
X-Spam-Status: No, score=3.296 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, NO_RELAYS=-0.001, TRACKER_ID=2.696]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uuJPTVNFiXlK for <jose@ietfa.amsl.com>; Wed, 5 Jun 2013 17:32:21 -0700 (PDT)
Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 3E1BD21F86D3 for <jose@ietf.org>; Wed, 5 Jun 2013 17:32:01 -0700 (PDT)
Received: by mail-la0-f47.google.com with SMTP id fe20so2047095lab.34 for <jose@ietf.org>; Wed, 05 Jun 2013 17:31:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=kK0f2cf3z5D2/mAYxAQhkl6a9gR+HLaGKVDYP3xd2jA=; b=ThxeI6wqdz6YtaN6hGKR6Wk6uoE90SWKxnIyuGiINre69P+9o59TWVaYWIxGkvp0zU TUdD6p1jnMWQIMuTitwRF0K+rcIbGkRFHsZS0IdXyLmSYsGndPjpPBg5tRUuhvZ2VD1W LeeN3MgE3JyoL2pCW/qd3opRajBl5YoeV7B9Til6Qndnw7vGUtEqYuNUvXdgF1V+g/Ei RSPd9SPAvw3vV1xyZmF4JJFc0mK5rb+pC6nXdsnbQ6UyAYbizNF6p/fyyNbiQXmjbp5U d9XWPRtvjid0W1ognbjb3LtpK2DOujTUzHOR11n4vZ9iPElqvlpYGuP8amkbM7xPxhWb /q8g==
MIME-Version: 1.0
X-Received: by 10.152.170.194 with SMTP id ao2mr16332899lac.48.1370478716169; Wed, 05 Jun 2013 17:31:56 -0700 (PDT)
Received: by 10.112.4.99 with HTTP; Wed, 5 Jun 2013 17:31:55 -0700 (PDT)
In-Reply-To: <CAL02cgTLpoYuh3iMrYtOKrYR82GqWQyzCnEZh6d0Li8Wxgn8bA@mail.gmail.com>
References: <02b701ce5cb8$46ae77e0$d40b67a0$@augustcellars.com> <CAD9ie-vK3gY9b9GQrbUa=TACy5KVA1uPH_u_utucoKzVynjuiA@mail.gmail.com> <02f501ce5cc5$ec9a2200$c5ce6600$@augustcellars.com> <CAD9ie-uV-THE0+oL-dNUB0qXF7sx8jHMZDCz8vGESmUHWV=LMg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C58C4@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAD9ie-sm7q6gdzC-aTKt=+b=A8wB68ExTP1FwiT=zQTN7b69zA@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C5C0A@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR=Lh5_HogPtgoFM+qhwNkqOFaW0+TzOCAziUwK8ZqQaw@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C7399@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR6XfSwHxOLym_pkM+9EOE8yRUEncLToKbrLVJxoOgxDg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9B69@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgTrpkt0PyvLmnSKTchST5hgbzjkLQMq3hr6O2pij7LgjQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9E95@TK5EX14MBXC285.redmond.corp.microsoft.com> <CABzCy2Cd6LJB63b8REsyW0yjS=2DMBaSwsL-ZUnwG-aCXJ5P-Q@mail.gmail.com> <CA+k3eCT6Dq2jo6Lx6SEMkNDrLKREJTkzwNxT7ggJHDJtvQVG2A@mail.gmail.com> <CAL02cgSeurHAEsAtEaEDYAko2Or8dFAOx8QWe-G2e4nss_AX4g@mail.gmail.com> <CABzCy2DtkqzSSC9Xgy7Gkf0_cxuV7Zn5Jux+NRPiF1LO6PtObw@mail.gmail.com> <CAL02cgTLpoYuh3iMrYtOKrYR82GqWQyzCnEZh6d0Li8Wxgn8bA@mail.gmail.com>
Date: Thu, 06 Jun 2013 09:31:55 +0900
Message-ID: <CABzCy2DpkF=LD13jZb5B6-4fFxZO37Aj9vh8HRBupRxNd6Mpfg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="089e011615f20cb52a04de7171d6"
Cc: Mike Jones <Michael.Jones@microsoft.com>, Brian Campbell <bcampbell@pingidentity.com>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 00:32:23 -0000

What I was thinking as an example was to have 'datetime' as a public header
parameter to be used generally, and then differentiate between two cases of
'agreement' and 'timestamp'. It is the same signing operation over the
original (e.g., a MS word document), but from an application point of view,
it is a bit different. Former constitute an agreement while the later does
not. The type=timestamp just signifies that the original document existed
at the time indicated.


2013/6/5 Richard Barnes <rlb@ipv.sx>

> I'm not sure I understand the use case here.  Let me look at a couple of
> options, and hopefully one of them will be what you meant :)
>
> If it's just a signed timestamp you're talking about, then that's
> adequately described by cty="timestamp", typ="JWS".
>
> If you want to sign something and add a timestamp in the header, then
> typ="timestamp" isn't accurate according to the current specification.  The
> type of the whole object would have to be something like
> "timestamped-content".  And in that case, an application can easily
> recognized that it's timestamped content by looking for the timestamp field
> in the header, so the "typ" isn't really helpful.
>
>
> Moving from the example to the general question:
>
> I think we finally have some common understanding on this list as to what
> Mike means by "typ" in the current document -- a label for the
> application-layer type of the overall object.  Thanks to Mike for
> clarifying that in this discussion.
>
> The question is whether this is a sufficiently useful thing to have in the
> core spec.  Obviously, applications have to know what type of object
> they're dealing with when they get a JOSE object.  That includes (1) what
> type of content is in the payload, and (2) what application-layer fields
> are required to be in the header.  (1) is covered by "cty".  So "typ" is
> only useful in the case where:
> A. The application is storing application-layer data in the JOSE header
> B. The required application-layer fields can be different for different
> objects
> C. The required application-layer fields can be different for different
> objects of the same content type
> D. The required application-layer fields are not indicated by other
> application-layer context
>
> Are there any known applications that meet these criteria?  JWT does not,
> for several reasons.
> 1. (!A) JWT does not store application-layer data in the JOSE header, only
> in the claims in the body
> 2. (!C) A JWT object can indicate with "cty" that it contains JWT claims
> or another JWT, either of which makes it obvious that this is a JWT
> 3. (!D) In the OAuth context, the Token Type value indicates what type of
> token is being presented, e.g., JWT
>
> So there's not really any known use case for "typ" as currently specified.
>  On the other hand, Dick and James have pointed out that it can be useful
> to have "typ" indicate whether the object at hand is a JWE or JWS.  Which
> brings us back to:
> -- Change the definition of "typ" so that it indicates the JOSE-layer type
> (JWE/JWS)
> -- Remove "typ" altogether
>
>
>
>
>
>
>
> On Wed, Jun 5, 2013 at 8:53 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>> What about such as this?
>>
>> cty: original
>> typ: timestamp
>>
>>
>> 2013/6/5 Richard Barnes <rlb@ipv.sx>
>>
>>> It would be a good point, if it were true :)  In particular, this part:
>>> "[dropping 'typ'] is going to cause each and every application that
>>> uses JOSE to define their own field"
>>>
>>> So far, I've heard of exactly one application of JOSE that requires
>>> "typ" in the way it is currently specified, namely JWT.
>>>
>>> On the other hand, Dick's applications are apparently using it
>>> differently (and, IMO, properly) to distinguish JWE/JWS.  Then there are
>>> all the applications out there that are OK using application context and
>>> "cty" to recognize what type of object they have.  Apps using CMS have been
>>> doing this for ages.
>>>
>>> So it's not at all clear to me that there's any other application that
>>> would use "typ" besides JWT.  And it's not clear to me that JWT needs it.
>>>
>>> --Richard
>>>
>>>
>>>
>>>
>>>
>>> On Fri, May 31, 2013 at 5:45 PM, Brian Campbell <
>>> bcampbell@pingidentity.com> wrote:
>>>
>>>> Nat makes a good point here, I think.
>>>>
>>>>
>>>> On Thu, May 30, 2013 at 9:31 AM, Nat Sakimura <sakimura@gmail.com>wrote:
>>>>
>>>>> From what I understand, both typ and cty are something to be consumed
>>>>> by the application and not JOSE processor. From the point of view of the
>>>>> JOSE processor, they should be ignored.
>>>>>
>>>>> We could drop both fields from JOSE specs, but that is going to cause
>>>>> each and every application that uses JOSE to define their own field, which
>>>>> is a waste. That is why we are defining them here.
>>>>>
>>>>> I would rather drop them than define JOSE processing semantics to
>>>>> these fields.
>>>>>
>>>>>
>>>>> 2013/5/31 Mike Jones <Michael.Jones@microsoft.com>
>>>>>
>>>>>>  No, “cty” is used by the derived class to determine the type of the
>>>>>> encapsulated field.  But that’s not a complete description of the **entire
>>>>>> object** - especially not the additional meaning imbued by the
>>>>>> additional parameters the derived type may add to the JOSE header.  “typ”
>>>>>> is there to provide the type of the entire object, including what you’re
>>>>>> calling the wrapper parts.****
>>>>>>
>>>>>> ** **
>>>>>>
>>>>>>                                                             -- Mike**
>>>>>> **
>>>>>>
>>>>>> ** **
>>>>>>
>>>>>> *From:* Richard Barnes [mailto:rlb@ipv.sx]
>>>>>> *Sent:* Thursday, May 30, 2013 7:58 AM
>>>>>>
>>>>>> *To:* Mike Jones
>>>>>> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt
>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>
>>>>>> ** **
>>>>>>
>>>>>> Isn't that requirement met by "cty"?  The only thing JOSE adds is a
>>>>>> crypto wrapper around the real application content.  If you're an
>>>>>> application, you know a JOSE object is the thing you want because it
>>>>>> contains the content you want -- it's a JWT because it contains JWT claims.
>>>>>> ****
>>>>>>
>>>>>> ** **
>>>>>>
>>>>>> Inheritance is the wrong metaphor.  This is encapsulation of
>>>>>> application data:****
>>>>>>
>>>>>> if (jws.valid && jws.cty == "application/jwt_claims") {****
>>>>>>
>>>>>>     jwtClaims = jws.content;****
>>>>>>
>>>>>> }****
>>>>>>
>>>>>> ** **
>>>>>>
>>>>>> --Richard****
>>>>>>
>>>>>> ** **
>>>>>>
>>>>>> On Thu, May 30, 2013 at 10:43 AM, Mike Jones <
>>>>>> Michael.Jones@microsoft.com> wrote:****
>>>>>>
>>>>>> Thanks for sharing the S/MIME details.  Although I was actually
>>>>>> making the analogy to MIME – not S/MIME.  Like many analogies, it’s
>>>>>> imperfect, but I believe still illustrative.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> The reason that the analogy isn’t perfect is that the JOSE data
>>>>>> structures are used to build application-specific data structures that are
>>>>>> legal JOSE data structures but also have additional properties – including
>>>>>> additional header fields with specific semantics.  (When we agreed to
>>>>>> ignore not-understood header fields we let that horse out of the barn.)
>>>>>> For instance, Dick Hardt uses JWEs with issuer and audience fields in the
>>>>>> headers, so they can be used by routing software.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> Think of JOSE as the base class and the application types built using
>>>>>> it as derived classes.  JWT is a derived class.  Dick’s structures are a
>>>>>> derived class.  These derived classes sometimes need names.  That’s what
>>>>>> “typ” is for.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>                                                             -- Mike**
>>>>>> **
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> *From:* Richard Barnes [mailto:rlb@ipv.sx]
>>>>>> *Sent:* Thursday, May 30, 2013 7:34 AM****
>>>>>>
>>>>>>
>>>>>> *To:* Mike Jones
>>>>>> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt
>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> You're mixing up "typ" and "cty".  If you want to make the analogy to
>>>>>> S/MIME, "cty" is the equivalent to Content-Type inside the protected MIME
>>>>>> body; "typ" is the content-type on the outer MIME header.  Pasting in an
>>>>>> example:****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> -----BEGIN-----****
>>>>>>
>>>>>> Content-Type: application/pkcs7-mime; smime-type=signed-data;****
>>>>>>
>>>>>>      name=smime.p7m****
>>>>>>
>>>>>> Content-Transfer-Encoding: base64****
>>>>>>
>>>>>> Content-Disposition: attachment; filename=smime.p7m****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7****
>>>>>>
>>>>>> 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH****
>>>>>>
>>>>>> HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh****
>>>>>>
>>>>>> 6YT64V0GhIGfHfQbnj75****
>>>>>>
>>>>>> -----END-----****
>>>>>>
>>>>>> <http://tools.ietf.org/html/rfc3851#section-3.4.2>****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> The outer Content-Type, which is analogous to "typ", MUST be
>>>>>> application/pkcs7-mime, with a parameter indicating the type of CMS object.
>>>>>>  This is the same as requiring "typ" to be JWE or JWS.  The inner
>>>>>> Content-Type (ASN.1/base64 encoded in the example) can be anything, just
>>>>>> like "cty".****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> --Richard****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> On Thu, May 30, 2013 at 12:53 AM, Mike Jones <
>>>>>> Michael.Jones@microsoft.com> wrote:****
>>>>>>
>>>>>> Requiring that the “typ” value be only “JWS” or “JWE” would be
>>>>>> analogous to the MIME spec requiring that the Content-Type: field be only
>>>>>> “text/plain” or “message/external-body”.  It would render it useless.
>>>>>> ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>                                                             -- Mike**
>>>>>> **
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On
>>>>>> Behalf Of *Richard Barnes
>>>>>> *Sent:* Wednesday, May 29, 2013 8:03 PM
>>>>>> *To:* Mike Jones
>>>>>> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt****
>>>>>>
>>>>>>
>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> If this is the level of "type" you're referring to, I think we should
>>>>>> drop it from the spec.  It's an application-layer thing that the app can
>>>>>> add or not according to its wishes.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> I'm with Dick on this.  I think we should either have a mandatory
>>>>>> indicator of what type of JOSE object this, or nothing at all.   If the
>>>>>> former, the allowable values are "JWE" and "JWS".  The "+JSON" options are
>>>>>> non-sensical -- the app needs to know what it's parsing before it gets this
>>>>>> header.  While I have a preference for the former (for clarity), the latter
>>>>>> approach is also OK with me, since the MIME types are specific to JWE/JWS.
>>>>>> ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> Another approach here would be to address the JSON and compact forms
>>>>>> separately.  The JSON form has no need of "typ" at all, since the type of
>>>>>> the object is completely clear from what fields are there, e.g.,
>>>>>> "recipients" vs. "signatures".  For the compact form, we could do something
>>>>>> like James's "E."/"S." prefix idea, which you need because the
>>>>>> dot-separated components have different meanings and no field names to
>>>>>> indicate this.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> --Richard****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> On Wed, May 29, 2013 at 8:30 PM, Mike Jones <
>>>>>> Michael.Jones@microsoft.com> wrote:****
>>>>>>
>>>>>> A standard library is unlikely to know the meanings of all possible
>>>>>> “typ” values – and more to the point, *it doesn’t have to*.  It’s
>>>>>> the application’s job to determine that “this blob is a JOSE object” and
>>>>>> then pass it to a standard library, which will then ignore the “typ” value.
>>>>>> ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> A standard JOSE library won’t know what “typ”: “JWT” means.  It won’t
>>>>>> know what “typ”: “BCGovToken” is, should the BC Government want to declare
>>>>>> that it’s using a token with particular characteristics.  It won’t know
>>>>>> what “typ”: “XMPP” is, should XMPP want to declare that it’s using a JOSE
>>>>>> data structure with particular characteristics.  Etc.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> All these values can be registered in the registry and used by
>>>>>> applications that understand them.  That’s the application’s job – not the
>>>>>> library’s job.  The “typ” field is just there so that applications have a
>>>>>> standard place to make any such declarations that they may need.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>                                                                 --
>>>>>> Mike****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> *From:* Dick Hardt [mailto:dick.hardt@gmail.com]
>>>>>> *Sent:* Wednesday, May 29, 2013 5:18 PM
>>>>>> *To:* Mike Jones
>>>>>> *Cc:* Jim Schaad; jose@ietf.org****
>>>>>>
>>>>>>
>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> I'd prefer to be able to use standard libraries for creating and
>>>>>> parsing tokens, and not specialized libraries dependent on the use case.
>>>>>> ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> I strongly think we either drop "typ" or make it required.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> On Wed, May 29, 2013 at 5:03 PM, Mike Jones <
>>>>>> Michael.Jones@microsoft.com> wrote:****
>>>>>>
>>>>>> It’s fine for your application to specify that it’s required for your
>>>>>> use case.  Not applications need it, so they shouldn’t be forced to pay the
>>>>>> space penalty of an unnecessary field.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>                                                                 --
>>>>>> Mike****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On
>>>>>> Behalf Of *Dick Hardt
>>>>>> *Sent:* Wednesday, May 29, 2013 4:56 PM****
>>>>>>
>>>>>>
>>>>>> *To:* Jim Schaad
>>>>>> *Cc:* jose@ietf.org
>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> I use it all the time and my code would barf if it was not there.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> I think it should be required rather than be a hint if it is going ot
>>>>>> be there.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <ietf@augustcellars.com>
>>>>>> wrote:****
>>>>>>
>>>>>> I think the values just changed****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> However the way you are using it would be an argument to say that it
>>>>>> should be a required field.  Are you just using it as a hint if it exists
>>>>>> and then looking at the rest of the fields if it is not present?****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> Jim****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> *From:* Dick Hardt [mailto:dick.hardt@gmail.com]
>>>>>> *Sent:* Wednesday, May 29, 2013 3:49 PM
>>>>>> *To:* Jim Schaad
>>>>>> *Cc:* jose@ietf.org
>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> Well, I have been using, but now realize the spec changed or I was
>>>>>> confused.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> I had been setting "typ" to be either "JWE" or "JWS" depending on the
>>>>>> type of token I was creating or parsing as it was easier than looking at
>>>>>> "alg"****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> As currently defined, I don't see value in "typ".****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> -- Dick****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <ietf@augustcellars.com>
>>>>>> wrote:****
>>>>>>
>>>>>> In reading the documents, I am trying to understand the justification
>>>>>> for having the “typ” header parameter in the JOSE documents.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> The purpose of the field is to hold the type of the object.  In the
>>>>>> past, I believe that values which should now be placed in the cty field
>>>>>> (such as “JWT”) were placed in this field as well.  However the parameter
>>>>>> is optional and an implementation cannot rely on its being present.  This
>>>>>> means that for all practical purposes all of the code to determine the
>>>>>> value of the type field from the values of the alg and enc fields.  If the
>>>>>> field was mandatory then this code would disappear at a fairly small space
>>>>>> cost and I can understand why the parameter would be present.****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> Can anybody justify why this field should be present in the document
>>>>>> – or should it just disappear?****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> Jim****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> jose mailing list
>>>>>> jose@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/jose****
>>>>>>
>>>>>>
>>>>>>
>>>>>> ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> --
>>>>>> -- Dick ****
>>>>>>
>>>>>>
>>>>>>
>>>>>> ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> --
>>>>>> -- Dick ****
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> jose mailing list
>>>>>> jose@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/jose****
>>>>>>
>>>>>>
>>>>>>
>>>>>> ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> --
>>>>>> -- Dick ****
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> jose mailing list
>>>>>> jose@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/jose****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>>  ****
>>>>>>
>>>>>> ** **
>>>>>>
>>>>>> _______________________________________________
>>>>>> jose mailing list
>>>>>> jose@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/jose
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nat Sakimura (=nat)
>>>>> Chairman, OpenID Foundation
>>>>> http://nat.sakimura.org/
>>>>> @_nat_en
>>>>>
>>>>> _______________________________________________
>>>>> jose mailing list
>>>>> jose@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/jose
>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email