Re: [jose] Question about "crit" header parameter

Brian Campbell <bcampbell@pingidentity.com> Wed, 23 October 2019 11:50 UTC

References: <EF986837-2FE4-481A-8A33-870789171C55@pega.com>
In-Reply-To: <EF986837-2FE4-481A-8A33-870789171C55@pega.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 23 Oct 2019 05:49:45 -0600
Message-ID: <CA+k3eCTSK9diUFGd2ca-5dtxrtqHOevP6VjdfZfsD200T4xMyw@mail.gmail.com>
To: "Seraphin, Vinod" <Vinod.Seraphin@pega.com>
Cc: "jose@ietf.org" <jose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/da1_N-7eBUKd7wAlzEBxeaxkGY0>
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

No, per https://tools.ietf.org/html/rfc7515#section-4.1.11 the "crit"
header is only to indicate what JWS/JWE extension *headers* must be
understood and processed by the recipient. It has no bearing on the payload
whatsoever.

Typically designating a set of mandatory claims is done by the profile or
application of JWT and enforced by policy set up (configured or coded) at
the receiver.

On Mon, Oct 21, 2019 at 2:44 PM Seraphin, Vinod <Vinod.Seraphin@pega.com>
wrote:

> Can this header be used to designate which claims within the payload are
> deemed mandatory? The desire is to have any token verification fail if
> such a specified list of mandatory claims is not found within the payload.
>
> Our security team has currently implemented such a feature by utilizing
> the “crit” header to contain this list of mandatory claims. I’ve recently
> found that the jose library fails any validation attempt of our token as it
> doesn’t find matching parameters for each of the crit array elements within
> the header portion of the token (the parameters are only within the payload
> at present), and the author has informed me that his interpretation of RFC
> 7515 is that any values within the crit array MUST also be in the header.
> There is an example in section 4.1.11 of trying to make “exp” mandatory,
> and it shows “exp” with other header parameters. There is no mention of
> whether in such an example the “exp” would also be repeated within the
> payload or not. What would be the expectation?
>
> If “crit” is not meant to convey mandatory parameters, are there any other
> standardization efforts for designating mandatory claims within a token?
>
> Thanks
>
> - Vinod
>
>
> Vinod Seraphin | Senior Fellow Engineer, Emerging Technologies | Pegasystems Inc.
> Office: (617) 528.5272 | E-Mail: vinod.seraphin@pega.com | LinkedIn:
> vinodseraphin <https://www.linkedin.com/in/vinodseraphin> | www.pega.com

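The two points in the reply above, as an added example that is not code from this thread, from the library Vinod mentions, or from any JOSE implementation: a receiver that applies "crit" the way RFC 7515 section 4.1.11 defines it (a list of JOSE header parameter names that must be present in the header and understood, with the payload never consulted) and that enforces a profile's mandatory claims as separate receiver-side policy. HS256 signing is done by hand with the standard library so the block runs offline; the key, the extension name `http://example.invalid/ext`, the claim values and the helper names (`check_crit`, `verify`, `try_verify`) are all constructed for illustration.

```python
"""Added example (not from the thread or any JOSE library): "crit" handling
per RFC 7515 section 4.1.11, plus mandatory-claim enforcement as receiver policy.
Key, extension name and claims are constructed for illustration only."""
import base64
import hashlib
import hmac
import json
import time

KEY = b"demo-secret-not-for-production"  # constructed demo secret

# Header parameter names registered by RFC 7515 (JWS) and RFC 7516 (JWE).
# RFC 7515 says producers MUST NOT list these in "crit" and recipients MAY
# reject a JWS that does; this receiver rejects.
REGISTERED_HEADER_PARAMS = {
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "typ", "cty", "crit", "enc", "zip",
}

class JWSError(Exception):
    """Raised for any reason the token must be rejected."""

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, key: bytes = KEY) -> str:
    """Produce a compact JWS; used here only to build demo tokens."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def check_crit(header: dict, understood_extensions: set) -> None:
    """Apply the RFC 7515 rules for "crit". The payload is never consulted:
    every name in "crit" must be a parameter of the JOSE header itself."""
    if "crit" not in header:
        return
    crit = header["crit"]
    if (not isinstance(crit, list) or not crit
            or not all(isinstance(n, str) for n in crit)):
        raise JWSError("crit must be a non-empty array of strings")
    if len(set(crit)) != len(crit):
        raise JWSError("crit must not contain duplicate names")
    for name in crit:
        if name in REGISTERED_HEADER_PARAMS:
            raise JWSError(f"crit must not list registered header parameter {name!r}")
        if name not in header:
            raise JWSError(f"crit names {name!r} but it is not a header parameter")
        if name not in understood_extensions:
            raise JWSError(f"unsupported critical extension {name!r}")

def verify(token: str, required_claims, understood_extensions=frozenset(),
           key: bytes = KEY, now=None) -> dict:
    """Verify the signature, enforce "crit", then enforce the claims the
    receiver's profile requires. required_claims is receiver policy; the
    token does not get to declare which of its own claims are mandatory."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSError("expected a compact JWS with three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise JWSError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise JWSError("bad signature")
    check_crit(header, set(understood_extensions))
    claims = json.loads(b64url_decode(p_b64))
    missing = [c for c in required_claims if c not in claims]
    if missing:
        raise JWSError(f"missing mandatory claims: {missing}")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise JWSError("token expired")
    return claims

def try_verify(*args, **kwargs):
    """(claims, None) on success, (None, reason) on rejection."""
    try:
        return verify(*args, **kwargs), None
    except JWSError as exc:
        return None, str(exc)

if __name__ == "__main__":
    # 1. The situation in the thread: "exp" listed in crit but present only in
    #    the payload. The receiver rejects it without looking at the payload.
    tok = sign_hs256({"alg": "HS256", "crit": ["exp"]}, {"sub": "v", "exp": 4102444800})
    print(try_verify(tok, ["sub", "exp"]))
    # 2. A genuine extension header, named in crit and understood by the receiver.
    ext = "http://example.invalid/ext"  # constructed extension name
    tok = sign_hs256({"alg": "HS256", "crit": [ext], ext: True},
                     {"iss": "a", "sub": "b", "exp": 4102444800})
    print(try_verify(tok, ["iss", "sub", "exp"], understood_extensions={ext}))
    # 3. Mandatory claims come from receiver policy, not from the token.
    print(try_verify(sign_hs256({"alg": "HS256"}, {"iss": "a"}), ["iss", "sub", "exp"]))
```

The first case reproduces the failure Vinod's library reported: `check_crit` fails because "exp" is not a header parameter, and it would fail the same way even if "exp" were also in the payload. The list of mandatory claims lives in `required_claims`, i.e. in the receiver's configuration, which is where a JWT profile would put it. In production the hand-rolled HS256 and base64url code would of course be replaced by a maintained JOSE library; the policy split is the point.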