Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
Tony Hansen <tony@att.com> Tue, 25 June 2013 03:14 UTC
Return-Path: <tony@att.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9906B21F9CEC for <jose@ietfa.amsl.com>; Mon, 24 Jun 2013 20:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.698
X-Spam-Level:
X-Spam-Status: No, score=-105.698 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XkUXlIq1QD8L for <jose@ietfa.amsl.com>; Mon, 24 Jun 2013 20:14:32 -0700 (PDT)
Received: from nbfkord-smmo06.seg.att.com (nbfkord-smmo06.seg.att.com [209.65.160.94]) by ietfa.amsl.com (Postfix) with ESMTP id 164CB21F9CF1 for <jose@ietf.org>; Mon, 24 Jun 2013 20:14:32 -0700 (PDT)
Received: from unknown [144.160.20.145] (EHLO mlpd192.enaf.sfdc.sbc.com) by nbfkord-smmo06.seg.att.com(mxl_mta-6.15.0-1) over TLS secured channel with ESMTP id 71b09c15.0.3778248.00-272.10484624.nbfkord-smmo06.seg.att.com (envelope-from <tony@att.com>); Tue, 25 Jun 2013 03:14:32 +0000 (UTC)
X-MXL-Hash: 51c90b181f32a38a-3c8e392f72758a1ac6e2de7d3b7b9ce7b46b7afe
Received: from enaf.sfdc.sbc.com (localhost.localdomain [127.0.0.1]) by mlpd192.enaf.sfdc.sbc.com (8.14.5/8.14.5) with ESMTP id r5P3EVHU020456 for <jose@ietf.org>; Mon, 24 Jun 2013 23:14:31 -0400
Received: from alpi132.aldc.att.com (alpi132.aldc.att.com [130.8.217.2]) by mlpd192.enaf.sfdc.sbc.com (8.14.5/8.14.5) with ESMTP id r5P3EOVW020387 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <jose@ietf.org>; Mon, 24 Jun 2013 23:14:29 -0400
Received: from alpi153.aldc.att.com (alpi153.aldc.att.com [130.8.42.31]) by alpi132.aldc.att.com (RSA Interceptor) for <jose@ietf.org>; Tue, 25 Jun 2013 03:14:16 GMT
Received: from aldc.att.com (localhost [127.0.0.1]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id r5P3EGfw018400 for <jose@ietf.org>; Mon, 24 Jun 2013 23:14:16 -0400
Received: from mailgw1.maillennium.att.com (maillennium.att.com [135.25.114.99]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id r5P3EDGG018384 for <jose@ietf.org>; Mon, 24 Jun 2013 23:14:13 -0400
Received: from [135.70.3.126] (vpn-135-70-3-126.vpn.west.att.com[135.70.3.126]) by maillennium.att.com (mailgw1) with ESMTP id <20130625031410gw100bhhbge> (Authid: tony); Tue, 25 Jun 2013 03:14:11 +0000
X-Originating-IP: [135.70.3.126]
Message-ID: <51C90B09.9050305@att.com>
Date: Mon, 24 Jun 2013 23:14:17 -0400
From: Tony Hansen <tony@att.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: "jose@ietf.org" <jose@ietf.org>
References: <4E1F6AAD24975D4BA5B1680429673943678735D4@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgQUpbYLatgiaXa8T9oMMi+sA5KxEiocETLTEDXskTtqDQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943678794EF@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgSui3q4co4sCRBZCsA_wEgSNUFx8v0jsx+H_2z761VN=Q@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943678798E6@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgTf6-kbQmkOxgJX-aSDtLmcNPifPLVVwei9naBuELQ3OA@mail.gmail.com>
In-Reply-To: <CAL02cgTf6-kbQmkOxgJX-aSDtLmcNPifPLVVwei9naBuELQ3OA@mail.gmail.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/alternative; boundary="------------010202050803050008070405"
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2010122901)]
X-MAIL-FROM: <tony@att.com>
X-SOURCE-IP: [144.160.20.145]
X-AnalysisOut: [v=2.0 cv=VapAyiV9 c=1 sm=0 a=ZRNLZ4dFUbCvG8UMqPvVAA==:17 a]
X-AnalysisOut: [=ejDPqqJihJkA:10 a=bfzWQn4VrGAA:10 a=Youw7J1VjLsA:10 a=ofM]
X-AnalysisOut: [gfj31e3cA:10 a=BLceEmwcHowA:10 a=zQP7CpKOAAAA:8 a=GxhHSBoc]
X-AnalysisOut: [HF4A:10 a=yMhMjlubAAAA:8 a=48vgC7mUAAAA:8 a=Vt_-PteriqkSKN]
X-AnalysisOut: [erh98A:9 a=wPNLvfGTeEIA:10 a=-AOE9ft50oIA:10 a=lZB815dzVvQ]
X-AnalysisOut: [A:10 a=pGLkceISAAAA:8 a=Khvs_yYRcUdzI71M3zcA:9 a=_W_S_7Vec]
X-AnalysisOut: [oQA:10 a=tXsnliwV7b4A:10 a=dnEh7ZtaC97qqMXY:21]
Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2013 03:14:38 -0000
Of all of the suggestions I've seen so far on this topic, I think this
one gives the best way to proceed on the media type.
To paraphrase, it
1) replaces application/jws and application/jwe with application/jose
and
2) replaces application/jws+json and application/jwe+json with
application/jose+json
And there is a simple algorithm that can be applied to determine whether
it's jwe or jws.
Tony Hansen
On 6/20/2013 2:39 PM, Richard Barnes wrote:
> What you mean to say is that there are really two algorithms here,
> depending on the media type:
>
> application/jose
> -> If 3 components, JWS
> -> If 5 components, JWE
>
> application/jose+json
> -> If 'payloaod', JWS
> -> If 'ciphertext', JWE
>
> On Thu, Jun 20, 2013 at 1:41 PM, Mike Jones
> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote:
>
> I know of no use cases where the application won't know whether
> it's using the Compact Serialization or the JSON Serialization.
>
>
>
> *From:*Richard Barnes [mailto:rlb@ipv.sx <mailto:rlb@ipv.sx>]
> *Sent:* Thursday, June 20, 2013 9:49 AM
>
>
> *To:* Mike Jones
> *Cc:* jose@ietf.org <mailto:jose@ietf.org>
> *Subject:* Re: [jose] Should we keep or remove the JOSE JWS and
> JWE MIME types?
>
>
>
> That algorithm is part of the story, but it's incomplete. What we
> need is an algorithm that starts with an arbitrary octet string
> and sorts by JWS/JWE and serialization. An outline of the flow chart:
>
>
>
> 1. If content parses as valid JSON
>
> 1.*. Parse JSON
>
> 1.1. Iontains a "ciphertext" field -> JWE + JSON
>
> 1.2. Contains a "payload" field -> JWS + JSON
>
> 1.3. Else fail
>
> 2. Else if content matches the regex "^[a-zA-Z0-9_.-]*$"
>
> 2.*. Split on "."
>
> 2.1. If 5 components -> JWE + compact
>
> 2.2. If 3 components -> JWS + compact
>
> 2.3. Else fail
>
> 3. Else fail
>
>
>
> There's also the question of which document this goes in. It
> would be a natural thing for a combined JWS+JWE document, but we
> don't have one of those :(
>
>
>
>
>
>
>
> On Thu, Jun 20, 2013 at 11:19 AM, Mike Jones
> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
> wrote:
>
> There is a defined algorithm to distinguish between the JWS and
> JWE objects in the third paragraph of
> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-11#section-4.
>
>
>
> -- Mike
>
>
>
> *From:*Richard Barnes [mailto:rlb@ipv.sx <mailto:rlb@ipv.sx>]
> *Sent:* Thursday, June 20, 2013 8:15 AM
> *To:* Mike Jones
> *Cc:* jose@ietf.org <mailto:jose@ietf.org>
>
>
> *Subject:* Re: [jose] Should we keep or remove the JOSE JWS and
> JWE MIME types?
>
>
>
> Multiplexing JWE and JWS under a single JOSE media type only makes
> sense if there's a defined algorithm to demux them. So if you
> want to do this, you would need to write down the algorithm.
>
>
>
> Personally, it seems simpler and clearer to me to just have the
> four current types, so that you know which type of object you're
> dealing with, and in what serialization, without having to do
> content sniffing.
>
>
>
> On Tue, Jun 18, 2013 at 9:26 PM, Mike Jones
> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
> wrote:
>
> The JWS and JWE documents currently define these MIME types for
> the convenience of applications that may want to use them:
>
> application/jws
>
> application/jws+json
>
> application/jwe
>
> application/jwe+json
>
>
>
> That being said, I'm not aware of any uses of these by
> applications at present. Thus, I think that makes it fair game to
> ask whether we want to keep them or remove them -- in which case,
> if applications ever needed them, they could define them later.
>
>
>
> Another dimension of this question for JWS and JWE is that it's
> not clear that the four types application/jws,
> application/jws+json, application/jwe, and application/jwe+json
> are even the right ones. It might be more useful to have generic
> application/jose and application/jose+json types, which could hold
> either JWS or JWE objects respectively using the compact or JSON
> serializations (although I'm not advocating adding them at this time).
>
>
>
> Having different JWS versus JWE MIME types apparently did
> contribute to at least Dick's confusion about the purpose of the
> "typ" field, so deleting them could help eliminate this
> possibility of confusion in the future. Thus, I'm increasingly
> convinced we should get rid of the JWS and JWE types and leave it
> up to applications to define the types they need, when they need them.
>
>
>
> Do people have use cases for these four MIME types now or should
> we leave them to future specs to define, if needed?
>
>
>
> --
> Mike
>
>
>
> P.S. For completeness, I'll add that the JWK document also
> defines these MIME types:
>
> application/jwk+json
>
> application/jwk-set+json
>
>
>
> There are already clear use cases for these types, so I'm not
> advocating deleting them, but wanted to call that out explicitly.
> For instance, when retrieving a JWK Set document referenced by a
> "jku" header parameter, I believe that the result should use the
> application/jwk-set+json type. (In fact, I'll add this to the
> specs, unless there are any objections.) Likewise,
> draft-miller-jose-jwe-protected-jwk-02 already uses
> application/jwk+json. Both could also be as "cty" values when
> encrypting JWKs and JWK Sets, in contexts where that that would be
> useful.
>
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org <mailto:jose@ietf.org>
> https://www.ietf.org/mailman/listinfo/jose
>
>
>
>
>
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
- Re: [jose] Should we keep or remove the JOSE JWS … Manger, James H
- [jose] Should we keep or remove the JOSE JWS and … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Jim Schaad
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Manger, James H
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Justin Richer
- Re: [jose] Should we keep or remove the JOSE JWS … Justin Richer
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Matt Miller (mamille2)
- Re: [jose] Should we keep or remove the JOSE JWS … Justin Richer
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Jim Schaad
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Edmund Jay
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Brian Campbell
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … John Bradley
- Re: [jose] Should we keep or remove the JOSE JWS … Manger, James H
- Re: [jose] Should we keep or remove the JOSE JWS … Tony Hansen