Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
Justin Richer <jricher@mitre.org> Thu, 20 June 2013 17:34 UTC
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
It seems like JWA is quickly becoming the document with all the actual concrete content in it.

 -- Justin

On 06/20/2013 01:32 PM, Matt Miller (mamille2) wrote:
> I just want to say that I think having a media type is important and useful. It might not be important and useful for JWT or OAuth or OpenID-Connect, but I can think of many applications that would make use of them if at all possible.
>
> I personally don't care if it's a generic media type or individual application/jwe and application/jws. However, I think a generic media type would require a separate document; trying to fit this into the one shared document (JWA) seems wrong.
>
>
> - m&m
>
> Matt Miller <mamille2@cisco.com>
> Cisco Systems, Inc.
>
> PS: I've found +json useful for other things, because I do have applications that present in different formats (right now that's usually +xml). While there's not a simple corollary with XML-based concepts, I think there will be corollaries in the future (e.g., CBOR). Having them now means we're not painted into a corner if (when) we look at JOSE2 and support for binary representations.
>
> On Jun 20, 2013, at 10:49 AM, Richard Barnes <rlb@ipv.sx> wrote:
>
>> That algorithm is part of the story, but it's incomplete. What we need is
>> an algorithm that starts with an arbitrary octet string and sorts by
>> JWS/JWE and serialization. An outline of the flow chart:
>>
>> 1. If content parses as valid JSON
>> 1.*. Parse JSON
>> 1.1. Contains a "ciphertext" field -> JWE + JSON
>> 1.2. Contains a "payload" field -> JWS + JSON
>> 1.3. Else fail
>> 2. Else if content matches the regex "^[a-zA-Z0-9_.-]*$"
>> 2.*. Split on "."
>> 2.1. If 5 components -> JWE + compact
>> 2.2. If 3 components -> JWS + compact
>> 2.3. Else fail
>> 3. Else fail
>>
>> There's also the question of which document this goes in. It would be a
>> natural thing for a combined JWS+JWE document, but we don't have one of
>> those :(
>>
>>
>> On Thu, Jun 20, 2013 at 11:19 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>
>>> There is a defined algorithm to distinguish between the JWS and JWE
>>> objects in the third paragraph of
>>> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-11#section-4 .
>>>
>>> -- Mike
>>>
>>> From: Richard Barnes [mailto:rlb@ipv.sx]
>>> Sent: Thursday, June 20, 2013 8:15 AM
>>> To: Mike Jones
>>> Cc: jose@ietf.org
>>> Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME
>>> types?
>>>
>>> Multiplexing JWE and JWS under a single JOSE media type only makes sense
>>> if there's a defined algorithm to demux them. So if you want to do this,
>>> you would need to write down the algorithm.
>>>
>>> Personally, it seems simpler and clearer to me to just have the four
>>> current types, so that you know which type of object you're dealing with,
>>> and in what serialization, without having to do content sniffing.
>>>
>>> On Tue, Jun 18, 2013 at 9:26 PM, Mike Jones <Michael.Jones@microsoft.com>
>>> wrote:
>>>
>>> The JWS and JWE documents currently define these MIME types for the
>>> convenience of applications that may want to use them:
>>>
>>> application/jws
>>> application/jws+json
>>> application/jwe
>>> application/jwe+json
>>>
>>> That being said, I'm not aware of any uses of these by applications at
>>> present. Thus, I think that makes it fair game to ask whether we want to
>>> keep them or remove them -- in which case, if applications ever needed them,
>>> they could define them later.
>>>
>>> Another dimension of this question for JWS and JWE is that it's not clear
>>> that the four types application/jws, application/jws+json, application/jwe,
>>> and application/jwe+json are even the right ones. It might be more useful
>>> to have generic application/jose and application/jose+json types, which
>>> could hold either JWS or JWE objects respectively using the compact or JSON
>>> serializations (although I'm not advocating adding them at this time).
>>>
>>> Having different JWS versus JWE MIME types apparently did contribute to at
>>> least Dick's confusion about the purpose of the "typ" field, so deleting
>>> them could help eliminate this possibility of confusion in the future.
>>> Thus, I'm increasingly convinced we should get rid of the JWS and JWE types
>>> and leave it up to applications to define the types they need, when they
>>> need them.
>>>
>>> Do people have use cases for these four MIME types now or should we leave
>>> them to future specs to define, if needed?
>>>
>>> -- Mike
>>>
>>> P.S. For completeness, I'll add that the JWK document also defines these
>>> MIME types:
>>>
>>> application/jwk+json
>>> application/jwk-set+json
>>>
>>> There are already clear use cases for these types, so I'm not advocating
>>> deleting them, but wanted to call that out explicitly. For instance, when
>>> retrieving a JWK Set document referenced by a "jku" header parameter, I
>>> believe that the result should use the application/jwk-set+json type. (In
>>> fact, I'll add this to the specs, unless there are any objections.)
>>> Likewise, draft-miller-jose-jwe-protected-jwk-02 already uses
>>> application/jwk+json. Both could also be used as "cty" values when encrypting
>>> JWKs and JWK Sets, in contexts where that would be useful.
>>>
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
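
The flow chart outlined in Richard Barnes's quoted message, written out as a Python classifier. This is an added example, not code from the thread or from the JOSE drafts; the names `classify_jose` and `NotJose` are hypothetical, and accepting only a top-level JSON object in step 1 is an assumption the outline does not state.

```python
import json
import re

# Step 2's character set from the outline, applied with fullmatch() so a
# trailing newline cannot slip past "$".
COMPACT_RE = re.compile(r"[a-zA-Z0-9_.-]*")


class NotJose(ValueError):
    """Input is not a JWS or JWE in either serialization (hypothetical name)."""


def classify_jose(octets: bytes) -> tuple:
    """Sort an arbitrary octet string into (object type, serialization)."""
    try:
        text = octets.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise NotJose("not UTF-8 text") from exc

    # Step 1: does the content parse as JSON? Deeply nested input can raise
    # RecursionError instead of a decode error; both mean "not usable JSON".
    try:
        doc = json.loads(text)
        is_json = True
    except (ValueError, RecursionError):
        doc, is_json = None, False

    if is_json:
        # Assumption: only a top-level object qualifies. Without this check
        # the JSON string "ciphertext" would pass a bare `in` test.
        if isinstance(doc, dict):
            if "ciphertext" in doc:        # 1.1, tested first as in the outline
                return ("JWE", "json")
            if "payload" in doc:           # 1.2
                return ("JWS", "json")
        raise NotJose("valid JSON without 'ciphertext' or 'payload'")  # 1.3

    # Step 2: compact serialization, told apart by the number of segments.
    if COMPACT_RE.fullmatch(text):
        parts = text.split(".")
        if len(parts) == 5:                # 2.1
            return ("JWE", "compact")
        if len(parts) == 3:                # 2.2
            return ("JWS", "compact")
        raise NotJose(f"{len(parts)} segments, expected 3 or 5")  # 2.3
    raise NotJose("neither JSON nor compact-serialization characters")  # 3


# Constructed sample inputs, not real tokens.
SAMPLES = [b"aGVhZGVy.cGF5bG9hZA.c2ln", b'{"ciphertext": "Y3Q", "iv": "aXY"}']
RESULTS = [classify_jose(s) for s in SAMPLES]
```

The result only says which parser to hand the input to; it does not validate the object or verify a signature.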