Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?

Richard Barnes <rlb@ipv.sx> Thu, 20 June 2013 16:49 UTC

In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943678794EF@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B1680429673943678735D4@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgQUpbYLatgiaXa8T9oMMi+sA5KxEiocETLTEDXskTtqDQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943678794EF@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Thu, 20 Jun 2013 12:49:05 -0400
Message-ID: <CAL02cgSui3q4co4sCRBZCsA_wEgSNUFx8v0jsx+H_2z761VN=Q@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?

That algorithm is part of the story, but it's incomplete.  What we need is
an algorithm that starts with an arbitrary octet string and sorts by
JWS/JWE and serialization.  An outline of the flow chart:

1. If content parses as valid JSON
1.*. Parse JSON
1.1. Contains a "ciphertext" field -> JWE + JSON
1.2. Contains a "payload" field -> JWS + JSON
1.3. Else fail
2. Else if content matches the regex "^[a-zA-Z0-9_.-]*$"
2.*. Split on "."
2.1. If 5 components -> JWE + compact
2.2. If 3 components -> JWS + compact
2.3. Else fail
3. Else fail

There's also the question of which document this goes in.  It would be a
natural thing for a combined JWS+JWE document, but we don't have one of
those :(

On Thu, Jun 20, 2013 at 11:19 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> There is a defined algorithm to distinguish between the JWS and JWE
> objects in the third paragraph of
> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-11#section-4.
>
>                                                             -- Mike
>
> From: Richard Barnes [mailto:rlb@ipv.sx]
> Sent: Thursday, June 20, 2013 8:15 AM
> To: Mike Jones
> Cc: jose@ietf.org
> Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME
> types?
>
> Multiplexing JWE and JWS under a single JOSE media type only makes sense
> if there's a defined algorithm to demux them.  So if you want to do this,
> you would need to write down the algorithm.
>
> Personally, it seems simpler and clearer to me to just have the four
> current types, so that you know which type of object you're dealing with,
> and in what serialization, without having to do content sniffing.
>
> On Tue, Jun 18, 2013 at 9:26 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> The JWS and JWE documents currently define these MIME types for the
> convenience of applications that may want to use them:
>
>                 application/jws
>                 application/jws+json
>                 application/jwe
>                 application/jwe+json
>
> That being said, I'm not aware of any uses of these by applications at
> present.  Thus, I think that makes it fair game to ask whether we want to
> keep them or remove them -- in which case, if applications ever needed them,
> they could define them later.
>
> Another dimension of this question for JWS and JWE is that it's not clear
> that the four types application/jws, application/jws+json, application/jwe,
> and application/jwe+json are even the right ones.  It might be more useful
> to have generic application/jose and application/jose+json types, which
> could hold either JWS or JWE objects respectively using the compact or JSON
> serializations (although I'm not advocating adding them at this time).
>
> Having different JWS versus JWE MIME types apparently did contribute to at
> least Dick's confusion about the purpose of the "typ" field, so deleting
> them could help eliminate this possibility of confusion in the future.
> Thus, I'm increasingly convinced we should get rid of the JWS and JWE types
> and leave it up to applications to define the types they need, when they
> need them.
>
> Do people have use cases for these four MIME types now or should we leave
> them to future specs to define, if needed?
>
>                                                                 -- Mike
>
> P.S.  For completeness, I'll add that the JWK document also defines these
> MIME types:
>
>                 application/jwk+json
>                 application/jwk-set+json
>
> There are already clear use cases for these types, so I'm not advocating
> deleting them, but wanted to call that out explicitly.  For instance, when
> retrieving a JWK Set document referenced by a "jku" header parameter, I
> believe that the result should use the application/jwk-set+json type.  (In
> fact, I'll add this to the specs, unless there are any objections.)
> Likewise, draft-miller-jose-jwe-protected-jwk-02 already uses
> application/jwk+json.  Both could also be used as "cty" values when encrypting
> JWKs and JWK Sets, in contexts where that would be useful.
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
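The flow chart in Richard's message, turned into a runnable demultiplexer. This is an added example written for this page, not code from the thread or from any JOSE implementation. The function name classify, the helper b64url and the constructed SAMPLES (with placeholder signature, IV, ciphertext and tag bytes) are this example's own; the classifier follows the chart's order, trying JSON first and the compact form second, and maps every "fail" leaf to a ValueError.

```python
"""Content-sniffing demultiplexer for JOSE objects.

Added example for the flow chart in Richard Barnes's message; not code
from the mailing-list thread or from any JOSE library.  Step numbers in
the comments refer to that chart.
"""
import base64
import json
import re

# Step 2: the base64url alphabet plus the "." separator, as in the chart.
COMPACT_RE = re.compile(r"^[a-zA-Z0-9_.-]*$")


def classify(octets: bytes) -> tuple:
    """Sort an arbitrary octet string into (object type, serialization).

    Returns ("JWS" | "JWE", "json" | "compact"); raises ValueError for
    every "fail" leaf of the flow chart.
    """
    # Step 1: if the content parses as JSON, decide on member names alone.
    try:
        doc = json.loads(octets.decode("utf-8"))
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both derive from it
        doc = None
    else:
        # Both JSON serializations are objects; a bare JSON number or
        # literal that also happens to parse is step 1.3, "else fail".
        if isinstance(doc, dict):
            if "ciphertext" in doc:
                return ("JWE", "json")   # step 1.1
            if "payload" in doc:
                return ("JWS", "json")   # step 1.2
        raise ValueError("valid JSON, but neither a JWS nor a JWE JSON serialization")

    # Step 2: a compact serialization is base64url segments joined by ".".
    try:
        text = octets.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("not JSON and not ASCII")              # step 3
    if not COMPACT_RE.fullmatch(text):
        raise ValueError("not JSON and not base64url-with-dots")  # step 3
    parts = text.split(".")
    if len(parts) == 5:
        return ("JWE", "compact")  # step 2.1
    if len(parts) == 3:
        return ("JWS", "compact")  # step 2.2
    raise ValueError(f"{len(parts)} dot-separated components")  # step 2.3


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding JOSE uses for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed samples (this example's own).  Signature, IV, ciphertext and
# tag bytes are placeholders: only the *shape* matters to the classifier.
_jws_header = b64url(b'{"alg":"HS256"}')
_jwe_header = b64url(b'{"alg":"dir","enc":"A128GCM"}')
SAMPLES = {
    "jws_compact": ".".join([_jws_header, b64url(b"hello"), b64url(b"sig")]).encode(),
    # "dir" key management leaves the encrypted-key segment empty: still five parts.
    "jwe_compact": ".".join([_jwe_header, "", b64url(b"iv"), b64url(b"ct"), b64url(b"tag")]).encode(),
    "jws_json": json.dumps({"payload": b64url(b"hello"),
                            "signatures": [{"protected": _jws_header,
                                            "signature": b64url(b"sig")}]}).encode(),
    "jwe_json": json.dumps({"protected": _jwe_header, "iv": b64url(b"iv"),
                            "ciphertext": b64url(b"ct"), "tag": b64url(b"tag")}).encode(),
    # Detached payload (empty middle segment) still counts as three components.
    "jws_detached": f"{_jws_header}..{b64url(b'sig')}".encode(),
    # Inputs that must land on a "fail" leaf.
    "json_number": b"1.5",                                   # valid JSON, not an object
    "padded": b"eyJhbGciOiJIUzI1NiJ9.aGVsbG8=.c2ln",         # "=" is outside base64url
    "four_parts": b"a.b.c.d",                                # neither 3 nor 5 components
    "jwk": b'{"kty":"oct","k":"AAAA"}',                      # JSON object, wrong members
}


def demo() -> dict:
    """Run every sample through classify(); failures map to the string "fail"."""
    out = {}
    for name, octets in SAMPLES.items():
        try:
            kind, serialization = classify(octets)
            out[name] = f"{kind}/{serialization}"
        except ValueError:
            out[name] = "fail"
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

Two things worth noticing when running it. First, the order of steps 1 and 2 does not actually matter: an input that is both valid JSON and matches the regex can only be a bare number or one of the literals true/false/null, and a JSON number contains at most one dot, so no such input ever has the three or five components a compact serialization needs. Second, sniffing tells you only the shape of the object, not whether to trust it: the classifier does not decode the base64url segments or parse the header, the detached-payload sample shows it is counting separators and nothing more, and which "alg"/"enc" values and keys are acceptable still has to be fixed by the receiving application's policy before anything in the header is acted on.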