Re: [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)
Richard Barnes <rlb@ipv.sx> Wed, 17 September 2014 03:38 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCC1F1A0177 for <jose@ietfa.amsl.com>; Tue, 16 Sep 2014 20:38:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ftP729h86tMO for <jose@ietfa.amsl.com>; Tue, 16 Sep 2014 20:38:51 -0700 (PDT)
Received: from mail-la0-f44.google.com (mail-la0-f44.google.com [209.85.215.44]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA4E51A0193 for <jose@ietf.org>; Tue, 16 Sep 2014 20:38:48 -0700 (PDT)
Received: by mail-la0-f44.google.com with SMTP id mc6so1025541lab.17 for <jose@ietf.org>; Tue, 16 Sep 2014 20:38:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=DPHX2BGn0TUyqAt5krsIbK0YYCgT/dPWCTkpNVXGnpc=; b=kTwODkR5e/NExxG6BOlgN/KZQIe8J3vKwd1r9ZtePa43hPBndnPn55MsnktvvfNW/n QW6cta1UsO7NyFCjkRrXWnV3r+FhRkhe/pQtNtI/ajvXxI+Z0QCTTjUTDrAhvpp5Mdtx er/uwv6qRZtQl4hEqCXjCBzl2HeBnxnVU5ae465Unz2KYhoU1CwmFHYSZoNjDWGy+PNT EqzV+Ev2ptqHBrU5wALk8eKhA8XK7f9No5tr9a1OR81HoQnbiSVP4Ug8byF4j9tupr+Q j28Brm7kjzMks/hg/ROTBamm9OAxr0GFxrXUXh2xU7ucaQQ59QwV4wHShhgv/ZgjGR6o /eiw==
X-Gm-Message-State: ALoCoQkATzu4NqZl+nVp3xFIyCPgnNGCqnQtpA0qafeDzOZCanK+3ByH5rDg3PM0BZfJkfYhYXVu
MIME-Version: 1.0
X-Received: by 10.112.4.33 with SMTP id h1mr37966335lbh.67.1410925126700; Tue, 16 Sep 2014 20:38:46 -0700 (PDT)
Received: by 10.25.159.84 with HTTP; Tue, 16 Sep 2014 20:38:46 -0700 (PDT)
In-Reply-To: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
References: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
Date: Tue, 16 Sep 2014 23:38:46 -0400
Message-ID: <CAL02cgQvPX+znWqJmL+OroCwJbV1TvWBKCOEJbjEWPvJZmHp7g@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="bcaec52be6a7fb63df05033a9afc"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/cKoXV8LXf7BOy97blIEK5qgDSHU
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-oauth-json-web-token.all@tools.ietf.org" <draft-ietf-oauth-json-web-token.all@tools.ietf.org>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, Warren Kumari <warren@kumari.net>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Sep 2014 03:38:53 -0000
I will re-iterate here my strong preference that an "unsecured" or "plaintext" JWS object be syntactically distinct from a real JWS object. E.g. by having two dot-separated components instead of three. Beyond that, seems like just shuffling deck chairs. On Mon, Sep 8, 2014 at 12:10 PM, Brian Campbell <bcampbell@pingidentity.com> wrote: > cc'ing JOSE on a minor JWT review comment that might impact JWS/JWA. > > I agree that "plaintext” is not the most intuitive wording choice and that > "unsecured" might better convey what's going on with the "none" JWS > algorithm. > > Mike mentioned that, if this change is made in JWT, there are parallel > changes in JWS. But note that there are also such changes in JWA (more than > in JWS actually). > > On Fri, Sep 5, 2014 at 6:28 PM, Mike Jones <Michael.Jones@microsoft.com> > wrote: > >> -----Original Message----- >> From: Warren Kumari [mailto:warren@kumari.net] >> Sent: Monday, September 01, 2014 3:40 PM >> To: secdir@ietf.org; draft-ietf-oauth-json-web-token.all@tools.ietf.org >> Subject: Review of: draft-ietf-oauth-json-web-token >> >> I'm a little confused by something in the Terminology section (Section 2): >> >> Plaintext JWT >> >> A JWT whose Claims are not integrity protected or encrypted. >> >> The term plaintext to me means something like "is readable without >> decrypting / much decoding" (something like, if you cat the file to a >> terminal, you will see the information). Integrity protecting a string >> doesn't make it not easily readable. If this document / JOSE uses >> "plaintext" differently (and a quick skim didn't find anything about >> >> this) it might be good to clarify. Section 6 *does* discuss plaintext >> JWTs, but doesn't really clarify the (IMO) unusual meaning of the term >> "plaintext" here. >> >> >> >> I’ve discussed this with the other document editors and we agree with you >> that “plaintext” is not the most intuitive wording choice in this context. >> Possible alternative terms are “Unsecured JWT” or “Unsigned JWT”. I think >> that “Unsecured JWT” is probably the preferred term, since JWTs that are >> JWEs are also unsigned, but they are secured. Working group – are you OK >> with this possible terminology change? (Note that the parallel change >> “Plaintext JWS” -> “Unsecured JWS” would also be made in the JWS spec.) >> >> >> > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > >
- [jose] alternative term to "plaintext" for the "n… Brian Campbell
- Re: [jose] alternative term to "plaintext" for th… Richard Barnes
- Re: [jose] alternative term to "plaintext" for th… Warren Kumari
- Re: [jose] alternative term to "plaintext" for th… Mike Jones
- Re: [jose] alternative term to "plaintext" for th… Warren Kumari
- Re: [jose] alternative term to "plaintext" for th… Mike Jones
- Re: [jose] alternative term to "plaintext" for th… Mike Jones