IETF Logo Mail Archive

Re: [jose] Should we delete the "typ" header field

"Jim Schaad" <ietf@augustcellars.com> Thu, 30 May 2013 15:49 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D923021F9679 for <jose@ietfa.amsl.com>; Thu, 30 May 2013 08:49:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.778
X-Spam-Level:
X-Spam-Status: No, score=-1.778 tagged_above=-999 required=5 tests=[AWL=-1.383, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_LOW=-1, TRACKER_ID=2.003]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m0ASuSFVtFDN for <jose@ietfa.amsl.com>; Thu, 30 May 2013 08:49:01 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id AA72321F9355 for <jose@ietf.org>; Thu, 30 May 2013 08:48:59 -0700 (PDT)
Received: from Philemon (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id 9DED738F08; Thu, 30 May 2013 08:48:58 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, 'Richard Barnes' <rlb@ipv.sx>
References: <02b701ce5cb8$46ae77e0$d40b67a0$@augustcellars.com> <CAD9ie-vK3gY9b9GQrbUa=TACy5KVA1uPH_u_utucoKzVynjuiA@mail.gmail.com> <02f501ce5cc5$ec9a2200$c5ce6600$@augustcellars.com> <CAD9ie-uV-THE0+oL-dNUB0qXF7sx8jHMZDCz8vGESmUHWV=LMg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C58C4@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAD9ie-sm7q6gdzC-aTKt=+b=A8wB68ExTP1FwiT=zQTN7b69zA@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C5C0A@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR=Lh5_HogPtgoFM+qhwNkqOFaW0+TzOCAziUwK8ZqQaw@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C7399@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR6XfSwHxOLym_pkM+9EOE8yRUEncLToKbrLVJxoOgxDg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9B69@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgTrpkt0PyvLmnSKTchST5hgbzjkLQMq3hr6O2pij7LgjQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9E95@TK5EX14MBXC285.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943677C9E95@TK5EX14MBXC285.redmond.corp.microsoft.com>
Date: Thu, 30 May 2013 08:48:09 -0700
Message-ID: <046301ce5d4d$15ecd2b0$41c67810$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0464_01CE5D12.69954DB0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQL+gOaQctokYsIF5NqCLBrsp9OxugIREdBOAZxwGYYA+xTLLwL/DSbtAkjfeb0CNOnLqQJml3CFAT+uwjIC8i/K0QKfBA3BAgAu76wCGMPjBZXx6FMQ
Content-Language: en-us
Cc: jose@ietf.org, 'Dick Hardt' <dick.hardt@gmail.com>
Subject: Re: [jose] Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 15:49:08 -0000

Ok - I am having some problems with this.  Looking at some concrete
psudo-examples

 

{typ:JWT, ctyp:JWT,.{type:JWT, ctyp:JWT,.{jwt claims object } }  

 

1.       would be a legal or a non-legal description of a signed and then
encrypted set of JWT claims?

2.       Does it make a difference if there are or are not other header
fields?

 

{typ:JWE, ctyp:JWT,.{type:JWS, ctyp:JWT,. {jwt claims object }}

 

1.        Would be a legal or a non-legal description of a signed and then
encrypted set of JWT claims?

 

If typ and ctyp are using the same space, does that mean that a JWT set of
claims and a JWT token are being overloaded on the what the string means?
In one case it means a token and in the other case it means a set of claims.

 

 

 

 

From: Mike Jones [mailto:Michael.Jones@microsoft.com] 
Sent: Thursday, May 30, 2013 8:06 AM
To: Richard Barnes
Cc: Jim Schaad; jose@ietf.org; Dick Hardt
Subject: RE: [jose] Should we delete the "typ" header field

 

No, "cty" is used by the derived class to determine the type of the
encapsulated field.  But that's not a complete description of the *entire
object* - especially not the additional meaning imbued by the additional
parameters the derived type may add to the JOSE header.  "typ" is there to
provide the type of the entire object, including what you're calling the
wrapper parts.

 

                                                            -- Mike

 

From: Richard Barnes [mailto:rlb@ipv.sx] 
Sent: Thursday, May 30, 2013 7:58 AM
To: Mike Jones
Cc: Jim Schaad; jose@ietf.org; Dick Hardt
Subject: Re: [jose] Should we delete the "typ" header field

 

Isn't that requirement met by "cty"?  The only thing JOSE adds is a crypto
wrapper around the real application content.  If you're an application, you
know a JOSE object is the thing you want because it contains the content you
want -- it's a JWT because it contains JWT claims.

 

Inheritance is the wrong metaphor.  This is encapsulation of application
data:

if (jws.valid && jws.cty == "application/jwt_claims") {

    jwtClaims = jws.content;

}

 

--Richard

 

On Thu, May 30, 2013 at 10:43 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

Thanks for sharing the S/MIME details.  Although I was actually making the
analogy to MIME - not S/MIME.  Like many analogies, it's imperfect, but I
believe still illustrative.

 

The reason that the analogy isn't perfect is that the JOSE data structures
are used to build application-specific data structures that are legal JOSE
data structures but also have additional properties - including additional
header fields with specific semantics.  (When we agreed to ignore
not-understood header fields we let that horse out of the barn.)  For
instance, Dick Hardt uses JWEs with issuer and audience fields in the
headers, so they can be used by routing software.

 

Think of JOSE as the base class and the application types built using it as
derived classes.  JWT is a derived class.  Dick's structures are a derived
class.  These derived classes sometimes need names.  That's what "typ" is
for.

 

                                                            -- Mike

 

From: Richard Barnes [mailto:rlb@ipv.sx] 
Sent: Thursday, May 30, 2013 7:34 AM


To: Mike Jones
Cc: Jim Schaad; jose@ietf.org; Dick Hardt
Subject: Re: [jose] Should we delete the "typ" header field

 

You're mixing up "typ" and "cty".  If you want to make the analogy to
S/MIME, "cty" is the equivalent to Content-Type inside the protected MIME
body; "typ" is the content-type on the outer MIME header.  Pasting in an
example:

 

-----BEGIN-----

Content-Type: application/pkcs7-mime; smime-type=signed-data;

     name=smime.p7m

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename=smime.p7m

 

567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7

77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH

HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh

6YT64V0GhIGfHfQbnj75

-----END-----

<http://tools.ietf.org/html/rfc3851#section-3.4.2>

 

The outer Content-Type, which is analogous to "typ", MUST be
application/pkcs7-mime, with a parameter indicating the type of CMS object.
This is the same as requiring "typ" to be JWE or JWS.  The inner
Content-Type (ASN.1/base64 encoded in the example) can be anything, just
like "cty".

 

--Richard

 

 

 

 

On Thu, May 30, 2013 at 12:53 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

Requiring that the "typ" value be only "JWS" or "JWE" would be analogous to
the MIME spec requiring that the Content-Type: field be only "text/plain" or
"message/external-body".  It would render it useless.

 

                                                            -- Mike

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
Richard Barnes
Sent: Wednesday, May 29, 2013 8:03 PM
To: Mike Jones
Cc: Jim Schaad; jose@ietf.org; Dick Hardt


Subject: Re: [jose] Should we delete the "typ" header field

 

If this is the level of "type" you're referring to, I think we should drop
it from the spec.  It's an application-layer thing that the app can add or
not according to its wishes.

 

I'm with Dick on this.  I think we should either have a mandatory indicator
of what type of JOSE object this, or nothing at all.   If the former, the
allowable values are "JWE" and "JWS".  The "+JSON" options are non-sensical
-- the app needs to know what it's parsing before it gets this header.
While I have a preference for the former (for clarity), the latter approach
is also OK with me, since the MIME types are specific to JWE/JWS.

 

Another approach here would be to address the JSON and compact forms
separately.  The JSON form has no need of "typ" at all, since the type of
the object is completely clear from what fields are there, e.g.,
"recipients" vs. "signatures".  For the compact form, we could do something
like James's "E."/"S." prefix idea, which you need because the dot-separated
components have different meanings and no field names to indicate this.

 

--Richard

 

On Wed, May 29, 2013 at 8:30 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

A standard library is unlikely to know the meanings of all possible "typ"
values - and more to the point, it doesn't have to.  It's the application's
job to determine that "this blob is a JOSE object" and then pass it to a
standard library, which will then ignore the "typ" value.

 

A standard JOSE library won't know what "typ": "JWT" means.  It won't know
what "typ": "BCGovToken" is, should the BC Government want to declare that
it's using a token with particular characteristics.  It won't know what
"typ": "XMPP" is, should XMPP want to declare that it's using a JOSE data
structure with particular characteristics.  Etc.

 

All these values can be registered in the registry and used by applications
that understand them.  That's the application's job - not the library's job.
The "typ" field is just there so that applications have a standard place to
make any such declarations that they may need.

 

                                                                -- Mike

 

From: Dick Hardt [mailto:dick.hardt@gmail.com] 
Sent: Wednesday, May 29, 2013 5:18 PM
To: Mike Jones
Cc: Jim Schaad; jose@ietf.org


Subject: Re: [jose] Should we delete the "typ" header field

 

I'd prefer to be able to use standard libraries for creating and parsing
tokens, and not specialized libraries dependent on the use case.

 

I strongly think we either drop "typ" or make it required.

 

On Wed, May 29, 2013 at 5:03 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

It's fine for your application to specify that it's required for your use
case.  Not applications need it, so they shouldn't be forced to pay the
space penalty of an unnecessary field.

 

                                                                -- Mike

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Dick
Hardt
Sent: Wednesday, May 29, 2013 4:56 PM


To: Jim Schaad
Cc: jose@ietf.org
Subject: Re: [jose] Should we delete the "typ" header field

 

I use it all the time and my code would barf if it was not there.

 

I think it should be required rather than be a hint if it is going ot be
there.

 

On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <ietf@augustcellars.com> wrote:

I think the values just changed

 

However the way you are using it would be an argument to say that it should
be a required field.  Are you just using it as a hint if it exists and then
looking at the rest of the fields if it is not present?

 

Jim

 

 

From: Dick Hardt [mailto:dick.hardt@gmail.com] 
Sent: Wednesday, May 29, 2013 3:49 PM
To: Jim Schaad
Cc: jose@ietf.org
Subject: Re: [jose] Should we delete the "typ" header field

 

Well, I have been using, but now realize the spec changed or I was confused.

 

I had been setting "typ" to be either "JWE" or "JWS" depending on the type
of token I was creating or parsing as it was easier than looking at "alg"

 

As currently defined, I don't see value in "typ".

 

-- Dick

 

 

On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <ietf@augustcellars.com> wrote:

In reading the documents, I am trying to understand the justification for
having the "typ" header parameter in the JOSE documents.

 

The purpose of the field is to hold the type of the object.  In the past, I
believe that values which should now be placed in the cty field (such as
"JWT") were placed in this field as well.  However the parameter is optional
and an implementation cannot rely on its being present.  This means that for
all practical purposes all of the code to determine the value of the type
field from the values of the alg and enc fields.  If the field was mandatory
then this code would disappear at a fairly small space cost and I can
understand why the parameter would be present.

 

Can anybody justify why this field should be present in the document - or
should it just disappear?

 

Jim

 


_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose





 

-- 
-- Dick 





 

-- 
-- Dick 


_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose





 

-- 
-- Dick 


_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email