Re: [jose] [secdir] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
Tero Kivinen <kivinen@iki.fi> Thu, 18 September 2014 08:06 UTC
Message-ID: <21530.37486.670938.432565@fireball.kivinen.iki.fi>
Date: Thu, 18 Sep 2014 11:06:06 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Tim Bray <tbray@textuality.com>
In-Reply-To: <CAHBU6ivJ+mQZetWDDkRjP1nB+XOCLyXatq4k9bv4y7onAgu=ug@mail.gmail.com>
References: <CAHbuEH4Ccn2Z=8kEECzvgjmtshwsFoa-EH_NpkJPos7zirGeaQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AEC00DB@TK5EX14MBXC292.redmond.corp.microsoft.com> <5416FE10.3060608@bbn.com> <CAHBU6iu3GfsLCAint3z7risZUnVW4EK0WrGVW6Dv=gvppiHSxQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECCCDD@TK5EX14MBXC292.redmond.corp.microsoft.com> <54173546.5000400@bbn.com> <CAHBU6ivb3BeEufcnJB+eSk8wgETMx+qzH3miE6Z1jtrQkXNR3w@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECE40B@TK5EX14MBXC292.redmond.corp.microsoft.com> <54184EBA.3010109@bbn.com> <4E1F6AAD24975D4BA5B16804296739439AED1727@TK5EX14MBXC292.redmond.corp.microsoft.com> <5418987E.1060307@bbn.com> <CFD36394-E707-4D51-9689-DD8B1FD320D5@ve7jtb.com> <54199E11.1000809@bbn.com> <CAHBU6ivJ+mQZetWDDkRjP1nB+XOCLyXatq4k9bv4y7onAgu=ug@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/S4viuMWipxRoihNonpIQItBs6FE
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, Stephen Kent <kent@bbn.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Michael Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>
Tim Bray writes:
> The chance of the JOSE working group moving the vast world of
> deployed JSON infrastructure rounds to 0.00. Thus putting a MUST
> reject in here would essentially say you can’t use well-debugged
> production software, and would be a really bad idea.

And are none of those jose parsers open source? If any of them is open source, then someone who wants to use jose could take one, fix it to reject duplicates, and use that still well-debugged production software with a small patch; he just needs to add a regression test case for the new patch and rerun the normal regression tests to know everything else still works.

If all of them are closed source software which you cannot patch, then it might be better that people write a proper open source parser which actually tries to be secure.

> On the other hand, if JOSE specified that producers’ messages MUST
> conform to I-JSON, and a couple other WGs climbed on that bandwagon,
> and the word started to get around, I wouldn’t be surprised if a few
> of the popular JSON implementations added an I-JSON mode. That
> would be a good thing and lessen the attack surface of all
> JSON-based protocols (which these days, is a whole lot of them).

And if we say MUST reject structures with duplicate keys, that would perhaps force them even more, especially as those vendors really wanting to be conformant would start asking for that.

On the other hand, I think most of the vendors would just issue a request for the fix, but still continue using the relaxed parser, regardless of what we write in the specification here. At least if we say MUST then they hopefully will put the feature request in. If we say SHOULD, they will not...

--
kivinen@iki.fi
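The "fix it to reject duplicates" patch discussed in this message, as an added illustration that is not part of the thread: a strict JWK parser built on Python's standard `json` module, which by default keeps the last of two duplicate member names, next to a constructed JWK that repeats its `k` member (the sample key values and names are made up for the example).

```python
import json
from typing import Any


class DuplicateMemberError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    # json.loads calls this hook once per object with members in document
    # order, so a repeated name is visible here even though building a
    # plain dict would silently keep only the last value.
    obj: dict[str, Any] = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateMemberError(f"duplicate member name: {name!r}")
        obj[name] = value
    return obj


def parse_jwk_strict(text: str) -> dict[str, Any]:
    """Parse a JWK, refusing any object (top-level or nested) that repeats a name."""
    jwk = json.loads(text, object_pairs_hook=_reject_duplicates)
    if not isinstance(jwk, dict):
        raise ValueError("JWK must be a JSON object")
    return jwk


def parse_jwk_lenient(text: str) -> dict[str, Any]:
    """What most JSON libraries do by default: the last duplicate silently wins."""
    return json.loads(text)


def strict_rejects(text: str) -> bool:
    """True if the strict parser refuses the input, False if it accepts it."""
    try:
        parse_jwk_strict(text)
    except DuplicateMemberError:
        return True
    return False


# Constructed sample: a symmetric JWK whose "k" member appears twice. Two
# lenient parsers may disagree on which value is the key; the strict parser
# turns that ambiguity into an error instead.
SAMPLE_DUPLICATE_JWK = ('{"kty":"oct","kid":"example-1",'
                        '"k":"AAAAAAAAAAAAAAAAAAAAAA","k":"BBBBBBBBBBBBBBBBBBBBBB"}')
SAMPLE_CLEAN_JWK = '{"kty":"oct","kid":"example-1","k":"AAAAAAAAAAAAAAAAAAAAAA"}'
```

Running `parse_jwk_lenient` on the duplicate sample returns the second `k` without complaint, while `parse_jwk_strict` raises on it and accepts the clean key unchanged.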