Re: [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)

Richard Barnes <rlb@ipv.sx> Wed, 17 September 2014 03:38 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCC1F1A0177 for <jose@ietfa.amsl.com>; Tue, 16 Sep 2014 20:38:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ftP729h86tMO for <jose@ietfa.amsl.com>; Tue, 16 Sep 2014 20:38:51 -0700 (PDT)
Received: from mail-la0-f44.google.com (mail-la0-f44.google.com [209.85.215.44]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA4E51A0193 for <jose@ietf.org>; Tue, 16 Sep 2014 20:38:48 -0700 (PDT)
Received: by mail-la0-f44.google.com with SMTP id mc6so1025541lab.17 for <jose@ietf.org>; Tue, 16 Sep 2014 20:38:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=DPHX2BGn0TUyqAt5krsIbK0YYCgT/dPWCTkpNVXGnpc=; b=kTwODkR5e/NExxG6BOlgN/KZQIe8J3vKwd1r9ZtePa43hPBndnPn55MsnktvvfNW/n QW6cta1UsO7NyFCjkRrXWnV3r+FhRkhe/pQtNtI/ajvXxI+Z0QCTTjUTDrAhvpp5Mdtx er/uwv6qRZtQl4hEqCXjCBzl2HeBnxnVU5ae465Unz2KYhoU1CwmFHYSZoNjDWGy+PNT EqzV+Ev2ptqHBrU5wALk8eKhA8XK7f9No5tr9a1OR81HoQnbiSVP4Ug8byF4j9tupr+Q j28Brm7kjzMks/hg/ROTBamm9OAxr0GFxrXUXh2xU7ucaQQ59QwV4wHShhgv/ZgjGR6o /eiw==
X-Gm-Message-State: ALoCoQkATzu4NqZl+nVp3xFIyCPgnNGCqnQtpA0qafeDzOZCanK+3ByH5rDg3PM0BZfJkfYhYXVu
MIME-Version: 1.0
X-Received: by 10.112.4.33 with SMTP id h1mr37966335lbh.67.1410925126700; Tue, 16 Sep 2014 20:38:46 -0700 (PDT)
Received: by 10.25.159.84 with HTTP; Tue, 16 Sep 2014 20:38:46 -0700 (PDT)
In-Reply-To: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
References: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
Date: Tue, 16 Sep 2014 23:38:46 -0400
Message-ID: <CAL02cgQvPX+znWqJmL+OroCwJbV1TvWBKCOEJbjEWPvJZmHp7g@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="bcaec52be6a7fb63df05033a9afc"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/cKoXV8LXf7BOy97blIEK5qgDSHU
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-oauth-json-web-token.all@tools.ietf.org" <draft-ietf-oauth-json-web-token.all@tools.ietf.org>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, Warren Kumari <warren@kumari.net>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Sep 2014 03:38:53 -0000

I will re-iterate here my strong preference that an "unsecured" or
"plaintext" JWS object be syntactically distinct from a real JWS object.
E.g. by having two dot-separated components instead of three.

Beyond that, seems like just shuffling deck chairs.

On Mon, Sep 8, 2014 at 12:10 PM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> cc'ing JOSE on a minor JWT review comment that might impact JWS/JWA.
>
> I agree that "plaintext” is not the most intuitive wording choice and that
> "unsecured" might better convey what's going on with the "none" JWS
> algorithm.
>
> Mike mentioned that, if this change is made in JWT, there are parallel
> changes in JWS. But note that there are also such changes in JWA (more than
> in JWS actually).
>
> On Fri, Sep 5, 2014 at 6:28 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
>>  -----Original Message-----
>> From: Warren Kumari [mailto:warren@kumari.net]
>> Sent: Monday, September 01, 2014 3:40 PM
>> To: secdir@ietf.org; draft-ietf-oauth-json-web-token.all@tools.ietf.org
>> Subject: Review of: draft-ietf-oauth-json-web-token
>>
>> I'm a little confused by something in the Terminology section (Section 2):
>>
>> Plaintext JWT
>>
>> A JWT whose Claims are not integrity protected or encrypted.
>>
>> The term plaintext to me means something like "is readable without
>> decrypting / much decoding" (something like, if you cat the file to a
>> terminal, you will see the information). Integrity protecting a string
>> doesn't make it not easily readable. If this document / JOSE uses
>> "plaintext" differently (and a quick skim didn't find anything about
>>
>> this) it might be good to clarify. Section 6 *does* discuss plaintext
>> JWTs, but doesn't really clarify the (IMO) unusual meaning of the term
>> "plaintext" here.
>>
>>
>>
>> I’ve discussed this with the other document editors and we agree with you
>> that “plaintext” is not the most intuitive wording choice in this context.
>> Possible alternative terms are “Unsecured JWT” or “Unsigned JWT”.  I think
>> that “Unsecured JWT” is probably the preferred term, since JWTs that are
>> JWEs are also unsigned, but they are secured.  Working group – are you OK
>> with this possible terminology change?  (Note that the parallel change
>> “Plaintext JWS” -> “Unsecured JWS” would also be made in the JWS spec.)
>>
>>
>>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>