Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
Tony Hansen <tony@att.com> Tue, 25 June 2013 03:14 UTC
Return-Path: <tony@att.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9906B21F9CEC for <jose@ietfa.amsl.com>; Mon, 24 Jun 2013 20:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.698
X-Spam-Level:
X-Spam-Status: No, score=-105.698 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XkUXlIq1QD8L for <jose@ietfa.amsl.com>; Mon, 24 Jun 2013 20:14:32 -0700 (PDT)
Received: from nbfkord-smmo06.seg.att.com (nbfkord-smmo06.seg.att.com [209.65.160.94]) by ietfa.amsl.com (Postfix) with ESMTP id 164CB21F9CF1 for <jose@ietf.org>; Mon, 24 Jun 2013 20:14:32 -0700 (PDT)
Received: from unknown [144.160.20.145] (EHLO mlpd192.enaf.sfdc.sbc.com) by nbfkord-smmo06.seg.att.com(mxl_mta-6.15.0-1) over TLS secured channel with ESMTP id 71b09c15.0.3778248.00-272.10484624.nbfkord-smmo06.seg.att.com (envelope-from <tony@att.com>); Tue, 25 Jun 2013 03:14:32 +0000 (UTC)
X-MXL-Hash: 51c90b181f32a38a-3c8e392f72758a1ac6e2de7d3b7b9ce7b46b7afe
Received: from enaf.sfdc.sbc.com (localhost.localdomain [127.0.0.1]) by mlpd192.enaf.sfdc.sbc.com (8.14.5/8.14.5) with ESMTP id r5P3EVHU020456 for <jose@ietf.org>; Mon, 24 Jun 2013 23:14:31 -0400
Received: from alpi132.aldc.att.com (alpi132.aldc.att.com [130.8.217.2]) by mlpd192.enaf.sfdc.sbc.com (8.14.5/8.14.5) with ESMTP id r5P3EOVW020387 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <jose@ietf.org>; Mon, 24 Jun 2013 23:14:29 -0400
Received: from alpi153.aldc.att.com (alpi153.aldc.att.com [130.8.42.31]) by alpi132.aldc.att.com (RSA Interceptor) for <jose@ietf.org>; Tue, 25 Jun 2013 03:14:16 GMT
Received: from aldc.att.com (localhost [127.0.0.1]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id r5P3EGfw018400 for <jose@ietf.org>; Mon, 24 Jun 2013 23:14:16 -0400
Received: from mailgw1.maillennium.att.com (maillennium.att.com [135.25.114.99]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id r5P3EDGG018384 for <jose@ietf.org>; Mon, 24 Jun 2013 23:14:13 -0400
Received: from [135.70.3.126] (vpn-135-70-3-126.vpn.west.att.com[135.70.3.126]) by maillennium.att.com (mailgw1) with ESMTP id <20130625031410gw100bhhbge> (Authid: tony); Tue, 25 Jun 2013 03:14:11 +0000
X-Originating-IP: [135.70.3.126]
Message-ID: <51C90B09.9050305@att.com>
Date: Mon, 24 Jun 2013 23:14:17 -0400
From: Tony Hansen <tony@att.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: "jose@ietf.org" <jose@ietf.org>
References: <4E1F6AAD24975D4BA5B1680429673943678735D4@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgQUpbYLatgiaXa8T9oMMi+sA5KxEiocETLTEDXskTtqDQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943678794EF@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgSui3q4co4sCRBZCsA_wEgSNUFx8v0jsx+H_2z761VN=Q@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943678798E6@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgTf6-kbQmkOxgJX-aSDtLmcNPifPLVVwei9naBuELQ3OA@mail.gmail.com>
In-Reply-To: <CAL02cgTf6-kbQmkOxgJX-aSDtLmcNPifPLVVwei9naBuELQ3OA@mail.gmail.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/alternative; boundary="------------010202050803050008070405"
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2010122901)]
X-MAIL-FROM: <tony@att.com>
X-SOURCE-IP: [144.160.20.145]
X-AnalysisOut: [v=2.0 cv=VapAyiV9 c=1 sm=0 a=ZRNLZ4dFUbCvG8UMqPvVAA==:17 a]
X-AnalysisOut: [=ejDPqqJihJkA:10 a=bfzWQn4VrGAA:10 a=Youw7J1VjLsA:10 a=ofM]
X-AnalysisOut: [gfj31e3cA:10 a=BLceEmwcHowA:10 a=zQP7CpKOAAAA:8 a=GxhHSBoc]
X-AnalysisOut: [HF4A:10 a=yMhMjlubAAAA:8 a=48vgC7mUAAAA:8 a=Vt_-PteriqkSKN]
X-AnalysisOut: [erh98A:9 a=wPNLvfGTeEIA:10 a=-AOE9ft50oIA:10 a=lZB815dzVvQ]
X-AnalysisOut: [A:10 a=pGLkceISAAAA:8 a=Khvs_yYRcUdzI71M3zcA:9 a=_W_S_7Vec]
X-AnalysisOut: [oQA:10 a=tXsnliwV7b4A:10 a=dnEh7ZtaC97qqMXY:21]
Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2013 03:14:38 -0000
Of all of the suggestions I've seen so far on this topic, I think this one gives the best way to proceed on the media type. To paraphrase, it 1) replaces application/jws and application/jwe with application/jose and 2) replaces application/jws+json and application/jwe+json with application/jose+json And there is a simple algorithm that can be applied to determine whether it's jwe or jws. Tony Hansen On 6/20/2013 2:39 PM, Richard Barnes wrote: > What you mean to say is that there are really two algorithms here, > depending on the media type: > > application/jose > -> If 3 components, JWS > -> If 5 components, JWE > > application/jose+json > -> If 'payloaod', JWS > -> If 'ciphertext', JWE > > On Thu, Jun 20, 2013 at 1:41 PM, Mike Jones > <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote: > > I know of no use cases where the application won't know whether > it's using the Compact Serialization or the JSON Serialization. > > > > *From:*Richard Barnes [mailto:rlb@ipv.sx <mailto:rlb@ipv.sx>] > *Sent:* Thursday, June 20, 2013 9:49 AM > > > *To:* Mike Jones > *Cc:* jose@ietf.org <mailto:jose@ietf.org> > *Subject:* Re: [jose] Should we keep or remove the JOSE JWS and > JWE MIME types? > > > > That algorithm is part of the story, but it's incomplete. What we > need is an algorithm that starts with an arbitrary octet string > and sorts by JWS/JWE and serialization. An outline of the flow chart: > > > > 1. If content parses as valid JSON > > 1.*. Parse JSON > > 1.1. Iontains a "ciphertext" field -> JWE + JSON > > 1.2. Contains a "payload" field -> JWS + JSON > > 1.3. Else fail > > 2. Else if content matches the regex "^[a-zA-Z0-9_.-]*$" > > 2.*. Split on "." > > 2.1. If 5 components -> JWE + compact > > 2.2. If 3 components -> JWS + compact > > 2.3. Else fail > > 3. Else fail > > > > There's also the question of which document this goes in. It > would be a natural thing for a combined JWS+JWE document, but we > don't have one of those :( > > > > > > > > On Thu, Jun 20, 2013 at 11:19 AM, Mike Jones > <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> > wrote: > > There is a defined algorithm to distinguish between the JWS and > JWE objects in the third paragraph of > http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-11#section-4. > > > > -- Mike > > > > *From:*Richard Barnes [mailto:rlb@ipv.sx <mailto:rlb@ipv.sx>] > *Sent:* Thursday, June 20, 2013 8:15 AM > *To:* Mike Jones > *Cc:* jose@ietf.org <mailto:jose@ietf.org> > > > *Subject:* Re: [jose] Should we keep or remove the JOSE JWS and > JWE MIME types? > > > > Multiplexing JWE and JWS under a single JOSE media type only makes > sense if there's a defined algorithm to demux them. So if you > want to do this, you would need to write down the algorithm. > > > > Personally, it seems simpler and clearer to me to just have the > four current types, so that you know which type of object you're > dealing with, and in what serialization, without having to do > content sniffing. > > > > On Tue, Jun 18, 2013 at 9:26 PM, Mike Jones > <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> > wrote: > > The JWS and JWE documents currently define these MIME types for > the convenience of applications that may want to use them: > > application/jws > > application/jws+json > > application/jwe > > application/jwe+json > > > > That being said, I'm not aware of any uses of these by > applications at present. Thus, I think that makes it fair game to > ask whether we want to keep them or remove them -- in which case, > if applications ever needed them, they could define them later. > > > > Another dimension of this question for JWS and JWE is that it's > not clear that the four types application/jws, > application/jws+json, application/jwe, and application/jwe+json > are even the right ones. It might be more useful to have generic > application/jose and application/jose+json types, which could hold > either JWS or JWE objects respectively using the compact or JSON > serializations (although I'm not advocating adding them at this time). > > > > Having different JWS versus JWE MIME types apparently did > contribute to at least Dick's confusion about the purpose of the > "typ" field, so deleting them could help eliminate this > possibility of confusion in the future. Thus, I'm increasingly > convinced we should get rid of the JWS and JWE types and leave it > up to applications to define the types they need, when they need them. > > > > Do people have use cases for these four MIME types now or should > we leave them to future specs to define, if needed? > > > > -- > Mike > > > > P.S. For completeness, I'll add that the JWK document also > defines these MIME types: > > application/jwk+json > > application/jwk-set+json > > > > There are already clear use cases for these types, so I'm not > advocating deleting them, but wanted to call that out explicitly. > For instance, when retrieving a JWK Set document referenced by a > "jku" header parameter, I believe that the result should use the > application/jwk-set+json type. (In fact, I'll add this to the > specs, unless there are any objections.) Likewise, > draft-miller-jose-jwe-protected-jwk-02 already uses > application/jwk+json. Both could also be as "cty" values when > encrypting JWKs and JWK Sets, in contexts where that that would be > useful. > > > > > _______________________________________________ > jose mailing list > jose@ietf.org <mailto:jose@ietf.org> > https://www.ietf.org/mailman/listinfo/jose > > > > > > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- Re: [jose] Should we keep or remove the JOSE JWS … Manger, James H
- [jose] Should we keep or remove the JOSE JWS and … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Jim Schaad
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Manger, James H
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Justin Richer
- Re: [jose] Should we keep or remove the JOSE JWS … Justin Richer
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Matt Miller (mamille2)
- Re: [jose] Should we keep or remove the JOSE JWS … Justin Richer
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Jim Schaad
- Re: [jose] Should we keep or remove the JOSE JWS … Mike Jones
- Re: [jose] Should we keep or remove the JOSE JWS … Edmund Jay
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … Brian Campbell
- Re: [jose] Should we keep or remove the JOSE JWS … Richard Barnes
- Re: [jose] Should we keep or remove the JOSE JWS … John Bradley
- Re: [jose] Should we keep or remove the JOSE JWS … Manger, James H
- Re: [jose] Should we keep or remove the JOSE JWS … Tony Hansen