Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 25 September 2014 14:18 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11C761A6FF7; Thu, 25 Sep 2014 07:18:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oLj-E4uC6tq0; Thu, 25 Sep 2014 07:18:15 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB3611A6FF1; Thu, 25 Sep 2014 07:18:14 -0700 (PDT)
Received: by mail-la0-f49.google.com with SMTP id pn19so12737425lab.36 for <multiple recipients>; Thu, 25 Sep 2014 07:18:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pnK6RJ/KYO9xaOwinad4VCY2USnXap3OxS4v8AtjZc0=; b=zbADclvdoQhI1dyE+wEfwHGslR0+neyzbd8bpyU5l7iRhfa2ARgmlgg7h27pjkfppP ERJkdSyDEehHtg3qZtKun0TyipEGTk6163Wo5Z0Yfst0XHlPzSmDUcDmxyNhs5yuN813 ef91+bux8FAjm8gRkRieN0OVn8i3RcSPBqTy+JyRunAxqi5vyl1ShLN8N5ESvT26sGzH w73D9vTyRU4C6Ou4cdvH1uKmTqluFIShhfE4pgB2/UtnQ86/mNkNX0QkzUnj+60nWJHX 4bJeNYlwjvAmob0QYB5Zl8FOcnT1p6tkWIrFIMhItd/8wKXOrUH3RahypPcDa1NFECc2 wXIg==
MIME-Version: 1.0
X-Received: by 10.112.55.102 with SMTP id r6mr12853408lbp.23.1411654692963; Thu, 25 Sep 2014 07:18:12 -0700 (PDT)
Received: by 10.112.41.233 with HTTP; Thu, 25 Sep 2014 07:18:12 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BA6F3CF@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAHbuEH4Ccn2Z=8kEECzvgjmtshwsFoa-EH_NpkJPos7zirGeaQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AEC00DB@TK5EX14MBXC292.redmond.corp.microsoft.com> <5416FE10.3060608@bbn.com> <CAHBU6iu3GfsLCAint3z7risZUnVW4EK0WrGVW6Dv=gvppiHSxQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECCCDD@TK5EX14MBXC292.redmond.corp.microsoft.com> <54173546.5000400@bbn.com> <CAHBU6ivb3BeEufcnJB+eSk8wgETMx+qzH3miE6Z1jtrQkXNR3w@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECE40B@TK5EX14MBXC292.redmond.corp.microsoft.com> <54184EBA.3010109@bbn.com> <4E1F6AAD24975D4BA5B16804296739439AED1727@TK5EX14MBXC292.redmond.corp.microsoft.com> <5418987E.1060307@bbn.com> <CFD36394-E707-4D51-9689-DD8B1FD320D5@ve7jtb.com> <54199E11.1000809@bbn.com> <CAHBU6ivJ+mQZetWDDkRjP1nB+XOCLyXatq4k9bv4y7onAgu=ug@mail.gmail.com> <5419CBA9.8020807@bbn.com> <4E1F6AAD24975D4BA5B16804296739439BA6F3CF@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Thu, 25 Sep 2014 10:18:12 -0400
Message-ID: <CAHbuEH7Y1qW0yF6j+Xa_gHnXA-NWoU5f50HfyH_1TNmwn9Sx0A@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a1133d0b28509880503e47866"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/VzzW-vNgGDiDvbJI2l9RLv4KW6o
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, Stephen Kent <kent@bbn.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Tim Bray <tbray@textuality.com>, "jose@ietf.org" <jose@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>
Subject: Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Sep 2014 14:18:18 -0000

I think it is fine to leave this issue as open through the IESG review.
The discussion and further explanation in this thread has been helpful,
thank you.  This could get handled in a number of ways, leave it as-is,
address it with the I-JSON reference in this draft, or in an update to the
published RFC.  We'll see if there are strong opinions in the IESG.  I tend
to go for stricter options to prevent issues, but do recognize that there
are some challenges with that option and would like to see the IESG
opinions.

Thank you.

On Tue, Sep 23, 2014 at 7:40 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

>  FYI, I did not change the language about duplicate member names in the
> JOSE -32 and JWT -26 drafts at this time because it seems that there
> remains substantial working group support for the current semantics,
> including by Tim Bray (the JSON spec editor) and Richard Barnes.  I did not
> yet add an I-JSON reference to impose a requirement on producers because it
> seemed imprudent to take a normative dependency on an unfinished
> specification.  However, if I-JSON does finish before these specs are RFCs,
> we could easily do that when it finishes, if the working group, etc.
> concurs with that action.
>
>
>
> My focus for this round of edits was to resolve all the review comments
> for which the proposed resolutions appeared to be uncontroversial.  I
> understand that the working group and others may continue discussing this
> issue.
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* Stephen Kent [mailto:kent@bbn.com]
> *Sent:* Wednesday, September 17, 2014 10:58 AM
> *To:* Tim Bray
> *Cc:* John Bradley; Mike Jones;
> draft-ietf-jose-json-web-key.all@tools.ietf.org; Kathleen Moriarty;
> jose-chairs@tools.ietf.org; jose@ietf.org; secdir@ietf.org
> *Subject:* Re: [jose] JWK member names, was: SECDIR review of
> draft-ietf-jose-json-web-key-31
>
>
>
> Tim,
>
>   The chance  of the JOSE working group moving the vast world of deployed
> JSON infrastructure round to 0.00.   Thus putting a MUST reject in here
> would essentially say you can’t use well-debugged production software, and
> would be a really bad idea.
>
> So, JSON is not easily changed, but adopting I-JSON will easier. OK, I'll
> take your word on that.
>
>   On the other hand, if JOSE specified that producers’ messages MUST
> conform to I-JSON, and a couple other WGs climbed on that bandwagon, and
> the word started to get around, I wouldn’t be surprised if a few of the
> popular JSON implementations added an I-JSON mode.  That would be a good
> thing and lessen the attack surface of all JSON-based protocols (which
> these days, is a whole lot of them).
>
>
> I am comfortable with mandating I-JSON if you believe that will be a more
> effective way to
> encourage change.
>
> Steve
>



-- 

Best regards,
Kathleen