Re: [jose] Proposed resolution of header criticality issue

Dick Hardt <dick.hardt@gmail.com> Tue, 12 March 2013 05:26 UTC

On Mar 11, 2013, at 5:31 PM, Karen O'Donoghue <odonoghue@isoc.org> wrote:

> 
> Folks,
> 
> A side meeting was held Sunday with a number of jose working group participants to try to resolve the open issue related to header criticality. The following are the proposed resolutions from the meeting. Point 5 of the proposed resolution below is actually independent of the other 4 points, and could be considered separately. This will all be discussed in Wednesday's meeting. 
> 
> In addition to the text below, there was some agreement to replace the "understand" text with something a bit more explicit like "must process". However, that text has not been rolled into the summary text below yet. 
> 
> Thank you to Jim Schaad, Mike Jones, John Bradley, Nat Sakimura, Martin Thomas, Eric Rescorla, Matt Miller, and Richard Barnes for your efforts (and my apologies if I missed someone). 
> 
> Regards, 
> Karen
> 
> 1:  Change the language “Additional members MAY be present in the JWK.  If present, they MUST be understood by implementations using them.” to “Additional members MAY be present in the JWK.  If not understood by implementations encountering them, they MUST be ignored.”  (And make the same change for JWK Set as well.)

Yeah!  Implementing MUST understand was going to be non-trivial.

> 
> 2:  Characterize all existing JWS and JWE header fields as either must be understood or may be ignored.  “alg”, “enc”, and “zip” must be understood.  “kid”, “x5u”, “x5c”, “x5t”, “jwk”, “jku”, “typ”, and “cty” can be ignored because while not using them may result in the inability to process some signatures or encrypted content, this will not result in a security violation – just degraded functionality.  Other fields such as “epk”, “apu”, “apv”, “epu”, and “epv” must be understood and used when “alg” or “enc” values requiring them are used, and otherwise they may be ignored.

Why must "zip" be understood? Is there a security issue here or just degraded performance? In my current implementations, "zip" does not help me enough to bother with the added complexity and I have not implemented support.

-- Dick
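
The classification in point 2, written as a receiver-side header check. This is an added example, not code from either message or from any JOSE draft. The names `check_header`, `supported` and `needs` are hypothetical, the mapping from "alg"/"enc" values to the conditional fields they require is an assumption (the quoted text does not list it), and rejecting fields outside point 2's lists is this example's own choice.

```python
import base64
import json

# Classification taken from point 2 of the proposed resolution quoted above.
MUST_UNDERSTAND = ("alg", "enc", "zip")
MAY_IGNORE = {"kid", "x5u", "x5c", "x5t", "jwk", "jku", "typ", "cty"}
CONDITIONAL = {"epk", "apu", "apv", "epu", "epv"}


def decode_header(compact):
    """Decode the first (header) segment of a compact JWS/JWE string."""
    seg = compact.split(".", 1)[0]
    raw = base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    header = json.loads(raw)
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    return header


def check_header(header, supported, needs):
    """Return (accept, reasons, ignored) for one decoded header.

    supported: field -> set of values this receiver implements (assumed shape).
    needs: alg/enc value -> conditional fields that value requires (assumed).
    """
    reasons, ignored = [], []
    for field in MUST_UNDERSTAND:
        value = header.get(field)
        if field in header and not (
            isinstance(value, str) and value in supported.get(field, ())
        ):
            reasons.append(f"{field}={value!r} not supported")
    required = set()
    for field in ("alg", "enc"):
        value = header.get(field)
        if isinstance(value, str):
            required |= needs.get(value, set())
    for field in sorted(required - set(header)):
        reasons.append(f"{field} required but missing")
    for field in sorted(header):
        if field in MUST_UNDERSTAND or field in required:
            continue
        if field in MAY_IGNORE or field in CONDITIONAL:
            ignored.append(field)  # skipping it only degrades functionality
        else:
            # Outside point 2's lists; failing closed is this example's choice.
            reasons.append(f"{field} is not a classified field")
    return (not reasons, reasons, ignored)
```

A receiver with no "zip" entry in `supported` rejects any header that carries "zip", which is the behaviour point 2 asks for, while "kid" or an unneeded "epk" is reported as ignored and does not block processing.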