IETF Logo Mail Archive

Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-jws-signing-input-options-08: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 17 December 2015 13:31 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A32CE1B2C9A; Thu, 17 Dec 2015 05:31:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SSxer4rDokIS; Thu, 17 Dec 2015 05:31:47 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 645FD1B2C91; Thu, 17 Dec 2015 05:31:47 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 5876EBE9C; Thu, 17 Dec 2015 13:31:45 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HSFwQD2Ms8eG; Thu, 17 Dec 2015 13:31:43 +0000 (GMT)
Received: from [10.87.48.95] (unknown [86.46.31.96]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id E3A77BE32; Thu, 17 Dec 2015 13:31:42 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1450359103; bh=LXyZTGpLRD6LFIdTugbatL4TY65goIEEv4yvz8dnQ8A=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=mpbbcmwmdAAys6bDfT3sVPqhEJCDwmz9Tk0dCkeE+d/vzZscB0dywgyeVfnEjiaHf H1KS3DeHjCwu/aGigF+D9DAbbqTE4xbvC4MRvalvZrmOEfMsSRRgqXHDupOlS55w6k 7b3aa3IAAHSwVwfoIzS9SyO+HhFoGKukXcRQmMmo=
To: Mike Jones <Michael.Jones@microsoft.com>, The IESG <iesg@ietf.org>
References: <20151217112025.22801.65457.idtracker@ietfa.amsl.com> <BY2PR03MB4429A8A55EB13BCF8227BEBF5E00@BY2PR03MB442.namprd03.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <5672B939.4020507@cs.tcd.ie>
Date: Thu, 17 Dec 2015 13:31:37 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <BY2PR03MB4429A8A55EB13BCF8227BEBF5E00@BY2PR03MB442.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/b4h1rl7DLJgda-ojAxigakAxPh8>
Cc: "ietf@augustcellars.com" <ietf@augustcellars.com>, "jose-chairs@ietf.org" <jose-chairs@ietf.org>, "draft-ietf-jose-jws-signing-input-options@ietf.org" <draft-ietf-jose-jws-signing-input-options@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-jws-signing-input-options-08: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 13:31:50 -0000

Hiya,

On 17/12/15 13:20, Mike Jones wrote:
> Thanks for your review, Stephen.  Replies inline below...
> 
>> -----Original Message----- From: Stephen Farrell
>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Thursday, December 17,
>> 2015 12:20 PM To: The IESG <iesg@ietf.org> Cc:
>> draft-ietf-jose-jws-signing-input-options@ietf.org; Mike Jones 
>> <Michael.Jones@microsoft.com>; Jim Schaad
>> <ietf@augustcellars.com>; jose-chairs@ietf.org;
>> ietf@augustcellars.com; jose@ietf.org Subject: Stephen Farrell's
>> Discuss on draft-ietf-jose-jws-signing-input- options-08: (with
>> DISCUSS and COMMENT)
>> 
>> Stephen Farrell has entered the following ballot position for 
>> draft-ietf-jose-jws-signing-input-options-08: Discuss
>> 
>> When responding, please keep the subject line intact and reply to
>> all email addresses included in the To and CC lines. (Feel free to
>> cut this introductory paragraph, however.)
>> 
>> 
>> Please refer to
>> https://www.ietf.org/iesg/statement/discuss-criteria.html for more
>> information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found
>> here: 
>> https://datatracker.ietf.org/doc/draft-ietf-jose-jws-signing-input-options/
>>
>>
>>
>>
>> 
----------------------------------------------------------------------
>> DISCUSS: 
>> ----------------------------------------------------------------------
>>
>>
>>
>> 
The "crit" point raised in the gen-art review and maybe elsewhere is I think
>> correct but I don't think section 6 of -08 is a good resolution of
>> this topic. However, I'll clear if this is the WG consensus but
>> it's hard to know that's the case for text just added yesterday. To
>> resolve this discuss we just need to see what the WG list says
>> about the new text.
> 
> Jim's shepherd write-up at
> https://datatracker.ietf.org/doc/draft-ietf-jose-jws-signing-input-options/shepherdwriteup/
> records the working group's desire to not require the use of "crit"
> when it isn't needed.  He wrote:
> 
> "(6)  The fact that there are two different versions of encoding that
> produce the same text string for signing is worrisome to me.  The WG
> had the ability to address this when producing the JWS specification
> and decided not to do so that time.  In this document, the desire to
> allow for things to be smaller has lead to the fact that the b64 and
> crit headers can be omitted as being implicit.  This was the desire
> of the WG, but I personally feel that it is the wrong decision."

Fair enough, so the chair/shepherd, gen-art reviewer and seems like
a few IESG members all find the current position unconvincing as
does the one implementer who posted to the WG list since the new
text was added. Wouldn't you agree there's enough there to justify
asking the WG once more what they think about that 13 byte overhead
to prevent interop and maybe even security problems?

> 
>> ----------------------------------------------------------------------
>>
>> 
COMMENT:
>> ----------------------------------------------------------------------
>>
>>
>>
>> 
- abstract: the description of the update to 7519 is odd. It seems to be
saying
>> "Here we define a thing. This specification updates 7519 to say you
>> must not use this thing." but prohibiting is an odd verb to use
>> there. (Since it wasn't previously there to be allowed or not.)
> 
> Would you like this text better?
> 
> "This specification updates RFC 7519 by stating that JSON Web Tokens
> (JWTs) MUST NOT use the unencoded payload option defined by this
> specification."

Better yep. Thanks.

> 
> Or do you think this spec doesn't need to have the "Updates 7519"
> clause at all?  People seemed split on whether this was needed or
> not.

Happens all the time. Personally I mostly don't care about updates
which is the case this time too:-)

> 
>> - section 6: "It is intended that application profiles specify up
>> front whether" "intended" is very wishy washy and "up front" makes
>> no sense at all.
> 
> How about this wording change? "It is intended that application
> profiles specify up front whether" -> "Application profiles should
> specify whether"

Also better,
Ta,
S.


> 
> Thanks again, -- Mike
>

v2.23.0 | Report a Bug | By Email