Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Tim Bray <tbray@textuality.com> Mon, 15 September 2014 16:48 UTC

To: Stephen Kent <kent@bbn.com>
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>

On Mon, Sep 15, 2014 at 7:56 AM, Stephen Kent <kent@bbn.com> wrote:


> Also, in a reply to Tim, I think you argued that people have already
> implemented JOSE and so
> we ought not make any changes at this late stage. If that's what you said,
> I disagree emphatically.
> The IETF always warns implementers that specs may change until an RFC is
> published, and thus
> one implements a pre-RFC spec at risk.
>

No; in theory I would entirely support requiring receivers of malformed
messages to reject them.

In practice, it’s problematic to say that the format is JSON, and then to
require any particular policy concerning duplicate keys, because existing
software generally doesn’t handle them in a consistent manner, and in
particular may not even inform receiving software that dupes existed.


>
> Steve
>


-- 
- Tim Bray (If you’d like to send me a private message, see
https://keybase.io/timbray)
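The behaviour Tim describes, a parser that resolves duplicate member names silently and never tells the receiving code, is easy to observe in Python's standard library, and the same library offers a hook with which a receiver can enforce the reject-malformed policy instead. The following is an added illustration, not code from this thread or from any JOSE implementation; the JWK text, the `DuplicateMemberError` name and the helper function names are constructed for the example.

```python
import json

# Constructed sample (not from the thread): a JWK whose "kty" member appears twice.
# A lenient parser sees an "oct" key; a careful reader of the raw text sees an
# ambiguous object that should never be trusted as key material.
DUPLICATE_JWK = (
    '{"kty":"EC","crv":"P-256",'
    '"x":"BASE64URL_X_PLACEHOLDER","y":"BASE64URL_Y_PLACEHOLDER",'
    '"kty":"oct","k":"BASE64URL_K_PLACEHOLDER"}'
)

# Constructed sample with no duplicates, for comparison.
CLEAN_JWK = '{"kty":"oct","k":"BASE64URL_K_PLACEHOLDER"}'


def lenient_parse(text):
    """Default json.loads: the last duplicate wins and the caller is not told."""
    return json.loads(text)


class DuplicateMemberError(ValueError):
    """Raised when a JSON object repeats a member name (hypothetical name)."""


def _reject_duplicates(pairs):
    # object_pairs_hook receives every (name, value) pair of an object in
    # document order, including pairs that the default decoder would overwrite,
    # and is applied to nested objects as well (e.g. entries of a JWK Set).
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise DuplicateMemberError(f"duplicate member name: {name!r}")
        seen[name] = value
    return seen


def strict_parse(text):
    """Parse JSON but refuse any object with a repeated member name."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def describe(text):
    """Return ('accepted', obj) or ('rejected', reason) under the strict policy."""
    try:
        return ("accepted", strict_parse(text))
    except DuplicateMemberError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("lenient kty:", lenient_parse(DUPLICATE_JWK)["kty"])
    print("strict     :", describe(DUPLICATE_JWK))
    print("strict     :", describe(CLEAN_JWK))
```

The lenient path returns a well-formed dict with `kty` equal to `oct`, and nothing in the return value records that an `EC` key was also present; only the strict path surfaces the problem. That gap between what the wire format allows and what a receiving application can detect after parsing is the practical difficulty the message above points to.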