Re: [jose] Should we delete the "typ" header field
Richard Barnes <rlb@ipv.sx> Tue, 11 June 2013 18:58 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EFB121F995A for <jose@ietfa.amsl.com>; Tue, 11 Jun 2013 11:58:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.205
X-Spam-Level: *
X-Spam-Status: No, score=1.205 tagged_above=-999 required=5 tests=[AWL=-1.573, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, J_CHICKENPOX_43=0.6, RDNS_NONE=0.1, TRACKER_ID=2.003]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fo+BaXhAeXjN for <jose@ietfa.amsl.com>; Tue, 11 Jun 2013 11:58:22 -0700 (PDT)
Received: from mail-oa0-x231.google.com (mail-oa0-x231.google.com [IPv6:2607:f8b0:4003:c02::231]) by ietfa.amsl.com (Postfix) with ESMTP id EF11921F9956 for <jose@ietf.org>; Tue, 11 Jun 2013 11:58:21 -0700 (PDT)
Received: by mail-oa0-f49.google.com with SMTP id k14so7907115oag.8 for <jose@ietf.org>; Tue, 11 Jun 2013 11:58:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=ZBhHfcHaTmBG0uF4/DzO3IjBYlsXY7Y86IjzXonw7oE=; b=WdGanci2BcLms9GVi7KsE9Y3B7z/aMaU+IDobpauMLLpYV5BEnX07zawcHIwkuAdeC n3PZ40Nv1S2QOywMoWwxe6vNeMi9/VS67M2IcW6hzY6qQidPM4uvTCG8NpxgjkrG/p8Y tyQDAvl9SFh7SFftvuGWd7445VXX1UymFbnNaIpFE8gSJdO5Wxx81QLxUEvu2UjdjjCt v4LzHkeeTNxIItb+kN7xEghXCFN9gKNs8/MY4F8bVufTIxCuGguHXaCr0Bbm/OAJSA1L O8e4yLIRsDdxnfpO7h53iLXCKIwsrPAyblvj3ZpePZpSS3G8p7uEXGZ2O1lkdQ8avIJR Njsg==
MIME-Version: 1.0
X-Received: by 10.182.39.133 with SMTP id p5mr9444798obk.69.1370977101436; Tue, 11 Jun 2013 11:58:21 -0700 (PDT)
Received: by 10.60.84.8 with HTTP; Tue, 11 Jun 2013 11:58:21 -0700 (PDT)
X-Originating-IP: [192.1.51.101]
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943678214FF@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <02b701ce5cb8$46ae77e0$d40b67a0$@augustcellars.com> <CAD9ie-vK3gY9b9GQrbUa=TACy5KVA1uPH_u_utucoKzVynjuiA@mail.gmail.com> <02f501ce5cc5$ec9a2200$c5ce6600$@augustcellars.com> <CAD9ie-uV-THE0+oL-dNUB0qXF7sx8jHMZDCz8vGESmUHWV=LMg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C58C4@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAD9ie-sm7q6gdzC-aTKt=+b=A8wB68ExTP1FwiT=zQTN7b69zA@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C5C0A@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR=Lh5_HogPtgoFM+qhwNkqOFaW0+TzOCAziUwK8ZqQaw@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C7399@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR6XfSwHxOLym_pkM+9EOE8yRUEncLToKbrLVJxoOgxDg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9B69@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgTrpkt0PyvLmnSKTchST5hgbzjkLQMq3hr6O2pij7LgjQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9E95@TK5EX14MBXC285.redmond.corp.microsoft.com> <046301ce5d4d$15ecd2b0$41c67810$@augustcellars.com> <4E1F6AAD24975D4BA5B1680429673943678214FF@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Tue, 11 Jun 2013 14:58:21 -0400
Message-ID: <CAL02cgRDhf-2jjGM5Z1CPqf+AvA8a54nUQA6E0XOfmdXoA+V9A@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11c2e804206fba04dee57b07"
X-Gm-Message-State: ALoCoQksCToJOEe5M/Z+y1e482XRqKlNU/F58QSWRxRJdgFoQdp1io8sMNjBuClWA+SOFHFGHNNL
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2013 18:58:26 -0000
Let me try to patch Jim's example and illustrate why there's no need for "typ" here. Starting with a JWT in an OAuth header: Authorization: JWT { "typ": "JWT", "cty": "JWT", ... { "typ": "JWT", "cty": "JWT", ... { "typ": "JWT", ... [ claims ] }}} They "typ" does nothing here, because the type is always known from a level up. Worse, it introduces the possibility of conflict. What if "cty" is "JWT", but at the next level down, "typ" is not "JWT"? I notice you didn't answer Jim's question about this case, where the next level down has "typ":"JWS" and not "JWT". The following syntax, without "typ", gives you the same amount of information: Authorization: JWT { "cty": "JWT", ... { "cty": "JWT", ... { ... [ claims ] }}} --Richard On Mon, Jun 10, 2013 at 8:25 PM, Mike Jones <Michael.Jones@microsoft.com>wrote: > Answering Jim’s message that inadvertently went unanswered…**** > > ** ** > > Neither of these would be correct because of the last “cty”:”JWT” in both > examples. That’s because a JWT Claims Set is not a JWT. You would need to > omit the last “cty”:”JWT” in both examples for this to be correct.**** > > ** ** > > No, there is no overloading. JWT uses the absence of a “cty” value to say > that the payload is a JWT Claims Set – which is the default case.**** > > ** ** > > -- Mike*** > * > > ** ** > > *From:* Jim Schaad [mailto:ietf@augustcellars.com] > *Sent:* Thursday, May 30, 2013 8:48 AM > *To:* Mike Jones; 'Richard Barnes' > *Cc:* jose@ietf.org; 'Dick Hardt' > > *Subject:* RE: [jose] Should we delete the "typ" header field**** > > ** ** > > Ok – I am having some problems with this. Looking at some concrete > psudo-examples**** > > ** ** > > {typ:JWT, ctyp:JWT,…{type:JWT, ctyp:JWT,…{jwt claims object } } **** > > ** ** > > **1. **would be a legal or a non-legal description of a signed and > then encrypted set of JWT claims?**** > > **2. **Does it make a difference if there are or are not other > header fields?**** > > ** ** > > {typ:JWE, ctyp:JWT,…{type:JWS, ctyp:JWT,… {jwt claims object }}**** > > ** ** > > **1. ** Would be a legal or a non-legal description of a signed and > then encrypted set of JWT claims?**** > > ** ** > > If typ and ctyp are using the same space, does that mean that a JWT set of > claims and a JWT token are being overloaded on the what the string means? > In one case it means a token and in the other case it means a set of claims. > **** > > ** ** > > ** ** > > ** ** > > ** ** > > *From:* Mike Jones [mailto:Michael.Jones@microsoft.com<Michael.Jones@microsoft.com>] > > *Sent:* Thursday, May 30, 2013 8:06 AM > *To:* Richard Barnes > *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt > *Subject:* RE: [jose] Should we delete the "typ" header field**** > > ** ** > > No, “cty” is used by the derived class to determine the type of the > encapsulated field. But that’s not a complete description of the **entire > object** - especially not the additional meaning imbued by the additional > parameters the derived type may add to the JOSE header. “typ” is there to > provide the type of the entire object, including what you’re calling the > wrapper parts.**** > > ** ** > > -- Mike**** > > ** ** > > *From:* Richard Barnes [mailto:rlb@ipv.sx <rlb@ipv.sx>] > *Sent:* Thursday, May 30, 2013 7:58 AM > *To:* Mike Jones > *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt > *Subject:* Re: [jose] Should we delete the "typ" header field**** > > ** ** > > Isn't that requirement met by "cty"? The only thing JOSE adds is a crypto > wrapper around the real application content. If you're an application, you > know a JOSE object is the thing you want because it contains the content > you want -- it's a JWT because it contains JWT claims.**** > > ** ** > > Inheritance is the wrong metaphor. This is encapsulation of application > data:**** > > if (jws.valid && jws.cty == "application/jwt_claims") {**** > > jwtClaims = jws.content;**** > > }**** > > ** ** > > --Richard**** > > ** ** > > On Thu, May 30, 2013 at 10:43 AM, Mike Jones <Michael.Jones@microsoft.com> > wrote:**** > > Thanks for sharing the S/MIME details. Although I was actually making the > analogy to MIME – not S/MIME. Like many analogies, it’s imperfect, but I > believe still illustrative.**** > > **** > > The reason that the analogy isn’t perfect is that the JOSE data structures > are used to build application-specific data structures that are legal JOSE > data structures but also have additional properties – including additional > header fields with specific semantics. (When we agreed to ignore > not-understood header fields we let that horse out of the barn.) For > instance, Dick Hardt uses JWEs with issuer and audience fields in the > headers, so they can be used by routing software.**** > > **** > > Think of JOSE as the base class and the application types built using it > as derived classes. JWT is a derived class. Dick’s structures are a > derived class. These derived classes sometimes need names. That’s what > “typ” is for.**** > > **** > > -- Mike**** > > **** > > *From:* Richard Barnes [mailto:rlb@ipv.sx] > *Sent:* Thursday, May 30, 2013 7:34 AM**** > > > *To:* Mike Jones > *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt > *Subject:* Re: [jose] Should we delete the "typ" header field**** > > **** > > You're mixing up "typ" and "cty". If you want to make the analogy to > S/MIME, "cty" is the equivalent to Content-Type inside the protected MIME > body; "typ" is the content-type on the outer MIME header. Pasting in an > example:**** > > **** > > -----BEGIN-----**** > > Content-Type: application/pkcs7-mime; smime-type=signed-data;**** > > name=smime.p7m**** > > Content-Transfer-Encoding: base64**** > > Content-Disposition: attachment; filename=smime.p7m**** > > **** > > 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7**** > > 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH**** > > HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh**** > > 6YT64V0GhIGfHfQbnj75**** > > -----END-----**** > > <http://tools.ietf.org/html/rfc3851#section-3.4.2>**** > > **** > > The outer Content-Type, which is analogous to "typ", MUST be > application/pkcs7-mime, with a parameter indicating the type of CMS object. > This is the same as requiring "typ" to be JWE or JWS. The inner > Content-Type (ASN.1/base64 encoded in the example) can be anything, just > like "cty".**** > > **** > > --Richard**** > > **** > > **** > > **** > > **** > > On Thu, May 30, 2013 at 12:53 AM, Mike Jones <Michael.Jones@microsoft.com> > wrote:**** > > Requiring that the “typ” value be only “JWS” or “JWE” would be analogous > to the MIME spec requiring that the Content-Type: field be only > “text/plain” or “message/external-body”. It would render it useless.**** > > **** > > -- Mike**** > > **** > > *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf > Of *Richard Barnes > *Sent:* Wednesday, May 29, 2013 8:03 PM > *To:* Mike Jones > *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt**** > > > *Subject:* Re: [jose] Should we delete the "typ" header field**** > > **** > > If this is the level of "type" you're referring to, I think we should drop > it from the spec. It's an application-layer thing that the app can add or > not according to its wishes.**** > > **** > > I'm with Dick on this. I think we should either have a mandatory > indicator of what type of JOSE object this, or nothing at all. If the > former, the allowable values are "JWE" and "JWS". The "+JSON" options are > non-sensical -- the app needs to know what it's parsing before it gets this > header. While I have a preference for the former (for clarity), the latter > approach is also OK with me, since the MIME types are specific to JWE/JWS. > **** > > **** > > Another approach here would be to address the JSON and compact forms > separately. The JSON form has no need of "typ" at all, since the type of > the object is completely clear from what fields are there, e.g., > "recipients" vs. "signatures". For the compact form, we could do something > like James's "E."/"S." prefix idea, which you need because the > dot-separated components have different meanings and no field names to > indicate this.**** > > **** > > --Richard**** > > **** > > On Wed, May 29, 2013 at 8:30 PM, Mike Jones <Michael.Jones@microsoft.com> > wrote:**** > > A standard library is unlikely to know the meanings of all possible “typ” > values – and more to the point, *it doesn’t have to*. It’s the > application’s job to determine that “this blob is a JOSE object” and then > pass it to a standard library, which will then ignore the “typ” value.**** > > **** > > A standard JOSE library won’t know what “typ”: “JWT” means. It won’t know > what “typ”: “BCGovToken” is, should the BC Government want to declare that > it’s using a token with particular characteristics. It won’t know what > “typ”: “XMPP” is, should XMPP want to declare that it’s using a JOSE data > structure with particular characteristics. Etc.**** > > **** > > All these values can be registered in the registry and used by > applications that understand them. That’s the application’s job – not the > library’s job. The “typ” field is just there so that applications have a > standard place to make any such declarations that they may need.**** > > **** > > -- Mike*** > * > > **** > > *From:* Dick Hardt [mailto:dick.hardt@gmail.com] > *Sent:* Wednesday, May 29, 2013 5:18 PM > *To:* Mike Jones > *Cc:* Jim Schaad; jose@ietf.org**** > > > *Subject:* Re: [jose] Should we delete the "typ" header field**** > > **** > > I'd prefer to be able to use standard libraries for creating and parsing > tokens, and not specialized libraries dependent on the use case.**** > > **** > > I strongly think we either drop "typ" or make it required.**** > > **** > > On Wed, May 29, 2013 at 5:03 PM, Mike Jones <Michael.Jones@microsoft.com> > wrote:**** > > It’s fine for your application to specify that it’s required for your use > case. Not applications need it, so they shouldn’t be forced to pay the > space penalty of an unnecessary field.**** > > **** > > -- Mike*** > * > > **** > > *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf > Of *Dick Hardt > *Sent:* Wednesday, May 29, 2013 4:56 PM**** > > > *To:* Jim Schaad > *Cc:* jose@ietf.org > *Subject:* Re: [jose] Should we delete the "typ" header field**** > > **** > > I use it all the time and my code would barf if it was not there.**** > > **** > > I think it should be required rather than be a hint if it is going ot be > there.**** > > **** > > On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <ietf@augustcellars.com> > wrote:**** > > I think the values just changed**** > > **** > > However the way you are using it would be an argument to say that it > should be a required field. Are you just using it as a hint if it exists > and then looking at the rest of the fields if it is not present?**** > > **** > > Jim**** > > **** > > **** > > *From:* Dick Hardt [mailto:dick.hardt@gmail.com] > *Sent:* Wednesday, May 29, 2013 3:49 PM > *To:* Jim Schaad > *Cc:* jose@ietf.org > *Subject:* Re: [jose] Should we delete the "typ" header field**** > > **** > > Well, I have been using, but now realize the spec changed or I was > confused.**** > > **** > > I had been setting "typ" to be either "JWE" or "JWS" depending on the type > of token I was creating or parsing as it was easier than looking at "alg"* > *** > > **** > > As currently defined, I don't see value in "typ".**** > > **** > > -- Dick**** > > **** > > **** > > On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <ietf@augustcellars.com> > wrote:**** > > In reading the documents, I am trying to understand the justification for > having the “typ” header parameter in the JOSE documents.**** > > **** > > The purpose of the field is to hold the type of the object. In the past, > I believe that values which should now be placed in the cty field (such as > “JWT”) were placed in this field as well. However the parameter is > optional and an implementation cannot rely on its being present. This > means that for all practical purposes all of the code to determine the > value of the type field from the values of the alg and enc fields. If the > field was mandatory then this code would disappear at a fairly small space > cost and I can understand why the parameter would be present.**** > > **** > > Can anybody justify why this field should be present in the document – or > should it just disappear?**** > > **** > > Jim**** > > **** > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose**** > > > > **** > > **** > > -- > -- Dick **** > > > > **** > > **** > > -- > -- Dick **** > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose**** > > > > **** > > **** > > -- > -- Dick **** > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose**** > > **** > > **** > > ** ** >
- [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] FW: Should we delete the "typ" header … Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Manger, James H
- Re: [jose] Should we delete the "typ" header field Mike Jones
- [jose] FW: Should we delete the "typ" header field Manger, James H
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Richer, Justin P.
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Anthony Nadalin
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Brian Campbell
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Manger, James H
- Re: [jose] Should we delete the "typ" header field Axel.Nennker
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Richard Barnes
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Jim Schaad
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H