Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-jws-signing-input-options-08: (with DISCUSS and COMMENT)

John Bradley <ve7jtb@ve7jtb.com> Thu, 17 December 2015 14:05 UTC


I prefer making crit only required if the producer is not certain that all potential recipients understand the extension.

However it would not be the end of the world for me from a size perspective if crit was always required.  Trading 6 octets for saving 1/4 of the body size is not a bad trade off.

The issue for me is more always requiring something to be sent that is known to not be used.

So I am on the not forcing crit side but could live with the consensus if it goes the other way.

John B.

> On Dec 17, 2015, at 2:48 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Great. For completeness, the alternative proposed by James Manger
> (which I'd also prefer) was:
> 
>   The "crit" Header Parameter MUST be included with "b64" in its set
>   of values to ensure the JWS is rejected (instead of being
>   misinterpreted) by implementations that do not understand this
>   specification.
> 
> My discuss then is asking if, after all this discussion, the WG
> prefer the above or that below. I'll take the WG chairs' word on what
> they conclude as the outcome.
> 
> S.
> 
> On 17/12/15 13:44, Mike Jones wrote:
>> Sure, I'm obviously fine asking the working group what they think of the new text.  Working group - this new text at https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-08#section-6 is:
>> 
>>   6.  Using "crit" with "b64"
>> 
>>   If a JWS using "b64" with a value of "false" might be processed by
>>   implementations not implementing this extension, then the "crit"
>>   Header Parameter MUST be included with "b64" in its set of values to
>>   cause such implementations to reject the JWS.  Conversely, if used in
>>   environments in which all participants implement this extension, then
>>   "crit" need not be included, since its inclusion would have no
>>   effect, other than increasing the JWS size and processing costs.
>> 
>> 				Thanks all,
>> 				-- Mike
>> 
>>> -----Original Message-----
>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>> Sent: Thursday, December 17, 2015 2:32 PM
>>> To: Mike Jones <Michael.Jones@microsoft.com>; The IESG <iesg@ietf.org>
>>> Cc: ietf@augustcellars.com; jose-chairs@ietf.org; draft-ietf-jose-jws-signing-
>>> input-options@ietf.org; jose@ietf.org
>>> Subject: Re: Stephen Farrell's Discuss on draft-ietf-jose-jws-signing-input-
>>> options-08: (with DISCUSS and COMMENT)
>>> 
>>> 
>>> Hiya,
>>> 
>>> On 17/12/15 13:20, Mike Jones wrote:
>>>> Thanks for your review, Stephen.  Replies inline below...
>>>> 
>>>>> -----Original Message-----
>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>> Sent: Thursday, December 17, 2015 12:20 PM
>>>>> To: The IESG <iesg@ietf.org>
>>>>> Cc: draft-ietf-jose-jws-signing-input-options@ietf.org; Mike Jones
>>>>> <Michael.Jones@microsoft.com>; Jim Schaad <ietf@augustcellars.com>;
>>>>> jose-chairs@ietf.org; ietf@augustcellars.com; jose@ietf.org
>>>>> Subject: Stephen Farrell's Discuss on
>>>>> draft-ietf-jose-jws-signing-input-options-08: (with DISCUSS and COMMENT)
>>>>> 
>>>>> Stephen Farrell has entered the following ballot position for
>>>>> draft-ietf-jose-jws-signing-input-options-08: Discuss
>>>>> 
>>>>> When responding, please keep the subject line intact and reply to all
>>>>> email addresses included in the To and CC lines. (Feel free to cut
>>>>> this introductory paragraph, however.)
>>>>> 
>>>>> 
>>>>> Please refer to
>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for more
>>>>> information about IESG DISCUSS and COMMENT positions.
>>>>> 
>>>>> 
>>>>> The document, along with other ballot positions, can be found
>>>>> here:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-jose-jws-signing-input-options/
>>>>> 
>>>>> ----------------------------------------------------------------------
>>>>> DISCUSS:
>>>>> ----------------------------------------------------------------------
>>>>> 
>>>>> The "crit" point raised in the gen-art review and maybe elsewhere is I think
>>>>> correct but I don't think section 6 of -08 is a good resolution of
>>>>> this topic. However, I'll clear if this is the WG consensus but it's
>>>>> hard to know that's the case for text just added yesterday. To
>>>>> resolve this discuss we just need to see what the WG list says about
>>>>> the new text.
>>>> 
>>>> Jim's shepherd write-up at
>>>> https://datatracker.ietf.org/doc/draft-ietf-jose-jws-signing-input-options/shepherdwriteup/
>>>> records the working group's desire to not require the use of "crit"
>>>> when it isn't needed.  He wrote:
>>>> 
>>>> "(6)  The fact that there are two different versions of encoding that
>>>> produce the same text string for signing is worrisome to me.  The WG
>>>> had the ability to address this when producing the JWS specification
>>>> and decided not to do so that time.  In this document, the desire to
>>>> allow for things to be smaller has led to the fact that the b64 and
>>>> crit headers can be omitted as being implicit.  This was the desire of
>>>> the WG, but I personally feel that it is the wrong decision."
>>> 
>>> Fair enough, so the chair/shepherd, gen-art reviewer and seems like a few
>>> IESG members all find the current position unconvincing as does the one
>>> implementer who posted to the WG list since the new text was added.
>>> Wouldn't you agree there's enough there to justify asking the WG once more
>>> what they think about that 13 byte overhead to prevent interop and maybe
>>> even security problems?
>>> 
>>>> 
>>>>> ----------------------------------------------------------------------
>>>>> COMMENT:
>>>>> ----------------------------------------------------------------------
>>>>> 
>>>>> - abstract: the description of the update to 7519 is odd. It seems to be saying
>>>>> "Here we define a thing. This specification updates 7519 to say you
>>>>> must not use this thing." but prohibiting is an odd verb to use
>>>>> there. (Since it wasn't previously there to be allowed or not.)
>>>> 
>>>> Would you like this text better?
>>>> 
>>>> "This specification updates RFC 7519 by stating that JSON Web Tokens
>>>> (JWTs) MUST NOT use the unencoded payload option defined by this
>>>> specification."
>>> 
>>> Better yep. Thanks.
>>> 
>>>> 
>>>> Or do you think this spec doesn't need to have the "Updates 7519"
>>>> clause at all?  People seemed split on whether this was needed or not.
>>> 
>>> Happens all the time. Personally I mostly don't care about updates which is
>>> the case this time too:-)
>>> 
>>>> 
>>>>> - section 6: "It is intended that application profiles specify up
>>>>> front whether" "intended" is very wishy washy and "up front" makes no
>>>>> sense at all.
>>>> 
>>>> How about this wording change? "It is intended that application
>>>> profiles specify up front whether" -> "Application profiles should
>>>> specify whether"
>>> 
>>> Also better,
>>> Ta,
>>> S.
>>> 
>>> 
>>>> 
>>>> Thanks again, -- Mike
>>>> 
>> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
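
The "crit" with "b64" question debated in this thread, as an added example that is not part of the original messages or of the draft: a consumer that does not implement the extension accepts a "b64":false JWS and decodes the wrong payload unless "crit" lists "b64". The key, payload and function names are constructed for illustration, only HS256 compact serialization is handled, and the remaining "crit" validity rules are left out.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: dict, payload: bytes, key: bytes) -> str:
    """Producer: compact JWS; the payload stays unencoded when b64 is false."""
    h = b64u(json.dumps(header, separators=(",", ":")).encode())
    p = payload.decode() if header.get("b64") is False else b64u(payload)
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64u(mac)}"

def verify(jws: str, key: bytes, understood: frozenset) -> bytes:
    """Consumer: `understood` names the extension header parameters it implements."""
    h, rest = jws.split(".", 1)
    p, s = rest.rsplit(".", 1)  # an unencoded payload may itself contain "."
    header = json.loads(b64u_dec(h))
    # "crit" processing: reject when a listed parameter is not implemented.
    unknown = set(header.get("crit", [])) - understood
    if unknown:
        raise ValueError(f"unsupported critical header(s): {sorted(unknown)}")
    # The signing input is the same string with or without the extension.
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64u_dec(s)):
        raise ValueError("bad signature")
    raw = "b64" in understood and header.get("b64") is False
    return p.encode() if raw else b64u_dec(p)

KEY = b"constructed-demo-key"      # constructed sample key
PAYLOAD = b"dGVzdA"                # constructed payload that is also valid base64url
AWARE, LEGACY = frozenset({"b64"}), frozenset()

def demo() -> dict:
    no_crit = sign({"alg": "HS256", "b64": False}, PAYLOAD, KEY)
    with_crit = sign({"alg": "HS256", "b64": False, "crit": ["b64"]}, PAYLOAD, KEY)
    try:
        legacy_with_crit = verify(with_crit, KEY, LEGACY)
    except ValueError as exc:
        legacy_with_crit = f"rejected: {exc}"
    return {
        "aware_no_crit": verify(no_crit, KEY, AWARE),    # payload as signed
        "legacy_no_crit": verify(no_crit, KEY, LEGACY),  # signature OK, wrong bytes
        "aware_with_crit": verify(with_crit, KEY, AWARE),
        "legacy_with_crit": legacy_with_crit,
    }
```
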