Re: [jose] JWS Unencoded Payload Option spec addressing WGLC comments

"Jim Schaad" <ietf@augustcellars.com> Sun, 18 October 2015 01:23 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: "'Manger, James'" <James.H.Manger@team.telstra.com>, 'Mike Jones' <Michael.Jones@microsoft.com>, jose@ietf.org
Date: Sat, 17 Oct 2015 18:20:51 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/Tfq7gRtAsOUt6pVHoCEARL0ECiQ>
Subject: Re: [jose] JWS Unencoded Payload Option spec addressing WGLC comments

James,
I have been thinking about what you are saying in your mail.
1. I agree with your question about doing an update to RFC 7515.  It
would be perfectly reasonable to mark this draft as doing an update because
it is defining a new header that can be placed in a JWS message.  It is
probably not required but needs to be considered.  It does not invalidate
the 7515 version of JWS as being URL-safe.  It would be recognized if you
are doing this document that the safety would be different.

2. I think that there should be a recommendation that a "crit"
parameter be stated as required (or at least strongly recommended) that lists
the "b64" header parameter in it.  At a minimum there should be a discussion
about the use of the "crit" parameter in this context.
Jim
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Manger, James
Sent: Tuesday, October 13, 2015 7:55 PM
To: Mike Jones <Michael.Jones@microsoft.com>; jose@ietf.org
Subject: Re: [jose] JWS Unencoded Payload Option spec addressing WGLC comments
Shouldn't draft-ietf-jose-jws-signing-input-options update RFC 7515 "JWS"?
That seems quite important as draft-ietf-jose-jws-signing-input-options
changes the meaning of valid JWS messages (new "b64" field that cannot be
ignored, but is not listed in "crit"), and allows a bunch of previously
invalid chars in JWS Compact Serializations (invalidating the JWS definition
of Compact Serialization as a "URL-safe string").

--
James Manger

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, 14 October 2015 10:49 AM
To: jose@ietf.org
Subject: [jose] JWS Unencoded Payload Option spec addressing WGLC comments
Draft -03 of the JWS Unencoded Payload Option specification addresses the
working group last call comments received.  Thanks to Jim Schaad, Vladimir
Dzhuvinov, John Bradley, and Nat Sakimura for the useful comments.  Changes
were:

* Allowed the ASCII space character and all printable ASCII
characters other than period ('.') in non-detached unencoded payloads using
the JWS Compact Serialization.

* Updated the abstract to say that the spec updates RFC 7519.

* Removed unused references.

* Changed the change controller to IESG.
The specification is available at:

* https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-03
An HTML formatted version is also available at:

* http://self-issued.info/docs/draft-ietf-jose-jws-signing-input-options-03.html
-- Mike
P.S.  This note was also published at http://self-issued.info/?p=1465 and as
@selfissued <https://twitter.com/selfissued>.
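As an added example (not code from the draft or from any poster in this thread), the following Python builds the JWS Signing Input both ways and enforces the two points raised above: Jim's suggestion that a "b64" header be listed in "crit", and the draft -03 rule that a non-detached unencoded payload in the Compact Serialization contain only printable ASCII and no '.'. The HS256 key is a constructed demo value and the policy helpers (check_header, rejects) are this example's own names, not the draft's.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding (RFC 7515 Appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def signing_input(protected: dict, payload: bytes) -> bytes:
    """b64 absent/true: BASE64URL(header).BASE64URL(payload) per RFC 7515;
    b64 false: BASE64URL(header) '.' followed by the raw payload bytes."""
    header = b64url(json.dumps(protected, separators=(",", ":")).encode())
    if protected.get("b64", True):
        return (header + "." + b64url(payload)).encode("ascii")
    return header.encode("ascii") + b"." + payload

def check_header(protected: dict, detached: bool, payload: bytes) -> None:
    """Policy checks applied before signing or verifying (assumed policy)."""
    if "b64" in protected:
        if not isinstance(protected["b64"], bool):
            raise ValueError('"b64" must be a JSON boolean')
        # A recipient that ignores "b64" verifies the wrong input, so insist
        # it is listed in "crit" so that unaware implementations reject it.
        if "b64" not in protected.get("crit", []):
            raise ValueError('"b64" present but not listed in "crit"')
    if protected.get("b64", True) is False and not detached:
        # Non-detached unencoded payload in Compact Serialization: printable
        # ASCII only (space through '~') and never '.', the component separator.
        for byte in payload:
            if byte == 0x2E or not 0x20 <= byte <= 0x7E:
                raise ValueError("disallowed byte %#x in unencoded payload" % byte)

def rejects(protected: dict, payload: bytes, detached: bool = False) -> bool:
    try:
        check_header(protected, detached, payload)
    except ValueError:
        return True
    return False

def compact_hs256(protected: dict, payload: bytes, key: bytes, detached: bool = False) -> str:
    """Compact Serialization signed with HS256; key is a constructed demo value."""
    check_header(protected, detached, payload)
    inp = signing_input(protected, payload)
    tag = hmac.new(key, inp, hashlib.sha256).digest()
    head, _, body = inp.partition(b".")
    middle = "" if detached else body.decode("ascii")
    return head.decode("ascii") + "." + middle + "." + b64url(tag)
```

With b64=false and a detached payload the "$.02" payload from the draft's example is accepted, while the same payload non-detached is refused because of the '.'.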