Re: [jose] Proposed Text - MUST understand
Richard Barnes <rlb@ipv.sx> Mon, 25 February 2013 22:32 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3470D21F9347 for <jose@ietfa.amsl.com>; Mon, 25 Feb 2013 14:32:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.325
X-Spam-Level:
X-Spam-Status: No, score=-1.325 tagged_above=-999 required=5 tests=[AWL=-0.900, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ljpc2jLfQWqH for <jose@ietfa.amsl.com>; Mon, 25 Feb 2013 14:32:17 -0800 (PST)
Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com [IPv6:2607:f8b0:4003:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id CFAC621F934C for <jose@ietf.org>; Mon, 25 Feb 2013 14:32:02 -0800 (PST)
Received: by mail-ob0-f172.google.com with SMTP id tb18so2140obb.3 for <jose@ietf.org>; Mon, 25 Feb 2013 14:32:00 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=q9xsGEkXwWT1yynWFNeYo0hxzIovOyh4PslnrG5+MKE=; b=mfvJ4mFhTDqgmyI1ThU6S0Wwmcw+yvNgdd/lQZkn4ozBoaiyvX1lKdQXdgpfheKBIH KZGGqsjdmjZpJw935zgaMLNQq2x5K6NX0s0Rn5XRVr6H/HaQcG/lIBBSGwQLBGrS7jHl SUhwl99wxyuiQovNUex0kb+Gs/d6wUGP4WM2exSa7URvZNS0kMkTBiuWGn2xilXeg1hJ T9mNXKVXBFv9MPfiu2/TvvO9f+GdPr8dgvfxIaQz5l9Cx2GG9ao8bRxZIza/4nyppYr6 YnAriRGUGY/yRyNQSy4pTNHf5B31D2LIry6cWkO/H9c+kEAFkO6H7fmx2VttnBNRGs1N C3yg==
MIME-Version: 1.0
X-Received: by 10.60.3.233 with SMTP id f9mr9515409oef.32.1361831520687; Mon, 25 Feb 2013 14:32:00 -0800 (PST)
Received: by 10.60.60.98 with HTTP; Mon, 25 Feb 2013 14:32:00 -0800 (PST)
X-Originating-IP: [128.89.253.236]
In-Reply-To: <004d01ce1301$a0a78030$e1f68090$@augustcellars.com>
References: <003901ce12ce$23306460$69912d20$@augustcellars.com> <ED49B299-B099-4A13-9D4A-2A703A3A54EB@vigilsec.com> <004d01ce1301$a0a78030$e1f68090$@augustcellars.com>
Date: Mon, 25 Feb 2013 17:32:00 -0500
Message-ID: <CAL02cgS4SuWDTbxixnP+33iht4_XWw70H--x_jPRaYcHiKEtyg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="e89a8ff242ab08f0ad04d6941ccc"
X-Gm-Message-State: ALoCoQkKW43pcYcYMVfu2FqlbtrUrZR5dXXWU68XMEUi+T0ogRdoQC2iqW0jFPWBxfkINrKqtl+l
Cc: Russ Housley <housley@vigilsec.com>, jose@ietf.org
Subject: Re: [jose] Proposed Text - MUST understand
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2013 22:32:26 -0000
Hi Jim, Thanks for taking a cut at this. I agree that the "IETF applications" distinction is not helpful. Also, I don't think RFC 2119 language is helpful here. The security risk here is that an application will make a security decision based on a field it doesn't understand. We should focus on that. (Like you, I have trouble coming up with an example, but I guess I'm willing to admit the possibility. Revised text proposal: ************************************************************* The JOSE header is extensible to include new header fields that a recipient may or may not support. Applications making use of JOSE need to ensure that security decisions ignore any header fields that are not understood by an implementation. An application specification might do this by requiring that a specific set of header fields be present in every JOSE object (and no others), or it might specify a decision process in terms of specific fields, and explicitly require implementations to ignore other fields. The reason why the default position is that applications need to understand and process all of the headers can be seen in the following example. <Jones et al provide a non-trivial example that demonstrates the security problem associated with ignoring header fields.> ****************************************************************** On Sun, Feb 24, 2013 at 9:41 PM, Jim Schaad <ietf@augustcellars.com> wrote: > Sorry, I was missing a clause in the text > > IETF applications that use the JOSE work MUST > > I was trying to say that IETF documents using JOSE must do this, however we > cannot really impose it on non IETF documents. > > Jim > > > > -----Original Message----- > > From: Russ Housley [mailto:housley@vigilsec.com] > > Sent: Sunday, February 24, 2013 2:18 PM > > To: Jim Schaad > > Cc: jose@ietf.org > > Subject: Re: [jose] Proposed Text - MUST understand > > > > How is an IETF application different than any other application? > > > > The Datatracker, rfcdiff, and xml2rfc will probably never need to use > jose, so > > I know that is not the intended meaning. ;-) > > > > Russ > > > > > > On Feb 24, 2013, at 3:32 PM, Jim Schaad wrote: > > > > > I am going to venture some proposed text to try and advance the > > > discussion about the MUST understand all fields in the current > > > document. I acknowledge that the text is written from the point of > > > view that I espouse, however I think that perhaps it does give a > > > sufficient amount of credence to the point of view of other that it > > > might provide a good starting point for discussions. > > > > > > This text is written standalone and as such I have not yet tried to > > > incorporate it into the different documents and in the different > locations. > > > It is possible that the text will need to be somewhat repurposed when > > > it appears in each of the different documents. > > > > > > > > ********************************************************** > > *** > > > > > > Applications which use this specification SHOULD ensure that all of > > > the fields in the header are used in either in making the trust > > > decision or determining how to use the content. IETF applications > > > MUST have default position of requiring that all fields in the header > > > are known to and used by the application. IETF applications which > > > allow for fields in the header to be ignored MUST include a > > > justification of why this decision was made and looking at the security > > trade-offs of the decision. > > > > > > The reason why the default position is that applications need to > > > understand and process all of the headers can be seen in the following > > > example. <Jones et al provide a non-trivial example that demonstrates > > > the security problem associated with ignoring header fields.> > > > > > > > > ********************************************************** > > ******** > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- [jose] Proposed Text - MUST understand Jim Schaad
- Re: [jose] Proposed Text - MUST understand Russ Housley
- Re: [jose] Proposed Text - MUST understand Jim Schaad
- Re: [jose] Proposed Text - MUST understand Richard Barnes