Re: [jose] Feedback request on jose tracker issue #8: Should we add a "spi" header field?

"Vladimir Dzhuvinov / NimbusDS" <vladimir@nimbusds.com> Sat, 20 April 2013 11:19 UTC

From: Vladimir Dzhuvinov / NimbusDS <vladimir@nimbusds.com>
To: Mike Jones <Michael.Jones@microsoft.com>, jose@ietf.org
Date: Sat, 20 Apr 2013 04:19:25 -0700

+1 This looks like a neat way to link the proposed SPI spec to the base
JWS/JWE specs without requiring the latter to be changed (or be aware of
the SPI extension). In terms of coding in SPI support, I also imagine
that to be easier to implement with our Nimbus JOSE+JWT library in mind
- by simply adding a new JWS/JWE handler for "spi" algs, with none of
the core JOSE classes needing to be reworked.

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir@nimbusds.com


-------- Original Message --------
Subject: Re: [jose] Feedback request on jose tracker issue #8: Should we
add a "spi" header field?
From: Mike Jones <Michael.Jones@microsoft.com>
Date: Fri, April 19, 2013 7:10 pm
To: Russ Housley <housley@vigilsec.com>, Richard Barnes <rlb@ipv.sx>
Cc: "jose@ietf.org" <jose@ietf.org>, Karen O'Donoghue
<odonoghue@isoc.org>

  BTW, in terms of a “dedicated flag”, I’d previously suggested to
Richard in private communication that one way for the SPI spec to do this
cleanly would be to use “alg”: “spi”, rather than omitting the
“alg” field entirely.  The “spi” value would then be registered
by the SPI spec in the algorithms registry – pointing back to the SPI
spec.
  
 I personally think that this is cleaner than just omitting “alg”,
since it maintains the invariant that all JWS and JWE representations
have an “alg” value that is used to determine the processing rules.
  
                                                                 Cheers,
                                                                 -- Mike
  
 From: Russ Housley [mailto:housley@vigilsec.com]
 Sent: Friday, April 19, 2013 10:51 AM
 To: Richard Barnes; Mike Jones
 Cc: Karen O'Donoghue; jose@ietf.org
 Subject: Re: [jose] Feedback request on jose tracker issue #8: Should
we add a "spi" header field?

 +1

 On Apr 19, 2013, at 1:42 PM, Richard Barnes wrote:

  In principle, you could use the omission of the "alg" field as a
signal that pre-negotiation is going on.  However, that seems like not
the most useful way to do it, and it conflicts with current practice --
namely the examples currently in the JWE and JWS specs.  Those examples
use pre-negotiation, but they also have an "alg" field.  It's not very
useful because it doesn't provide the recipient any clue about how to
populate the missing fields.  There's a semantic mis-match here as well,
since a JWE with pre-negotiation is still a JWE, just an incomplete one.
 
   
 
A dedicated flag field like SPI provides a clearer indication, and it
also provides a hook that out-of-band protocols can use to connect in
the pre-negotiated parameters.

--Richard

  On Fri, Apr 19, 2013 at 12:06 PM, Mike Jones
<Michael.Jones@microsoft.com> wrote:
 Russ, I'm curious why you say that the "spi" field needs to be in the
base spec.  From a spec factoring point of view, even if SPI remains a
completely separate spec and nothing is said in the base spec, there
would be no confusion or conflicts, including for implementations. 
Here's why:
   - A header without an "alg" field is not recognized as a JWS or JWE,
so there's no conflict there
   - A JWS or JWE can legally contain a "spi" header field and a
registry is already provided to define the meanings of additional header
fields, so there's no conflict there either
 
 Therefore, it seems like the separate spec could use the registry to
define the meaning of "spi" in a JWS and JWE and could furthermore
define the semantics of objects using headers without an "alg" field but
including a "spi" field.  No conflicts.  And clear separation of
concerns.
 
 Those wanting the SPI functionality could use it.  Those not needing it
would need to do nothing - which I think is as it should be.
 
                                 Best wishes,
                                 -- Mike
   
 -----Original Message-----
 From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
Russ Housley
 Sent: Friday, April 19, 2013 8:37 AM
 To: odonoghue@isoc.org;  jose@ietf.org
 Subject: Re: [jose] Feedback request on jose tracker issue #8: Should
we add a "spi" header field?
 
 Combination of 1 and 2.  The field needs to be in the base
specifications, but the only rule that needs to be included in the base
specification is an exact match of the identifier.
 
 Russ
 
 = = = = = = = = = =
 
 1.  Have draft-barnes-jose-spi remain a separate specification that
could optionally also be supported by JWS and JWE implementations.
 2.  Incorporate draft-barnes-jose-spi into the JWS and JWE
specifications as a mandatory feature.
 3.  Incorporate draft-barnes-jose-spi into the JWS and JWE
specifications as an optional feature.
 4.  Another resolution (please specify in detail).
 
 _______________________________________________
 jose mailing list
 jose@ietf.org
 https://www.ietf.org/mailman/listinfo/jose
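
The processing model discussed in this thread, where every object carries an "alg" that selects the handler and "alg": "spi" resolves pre-negotiated parameters by exact identifier match, as an added Python example that is not part of the thread, of draft-barnes-jose-spi, or of Nimbus JOSE+JWT. The `PRENEGOTIATED` table, its sample entry, the handler names and the rule that in-band fields may not override negotiated ones are assumptions made for illustration.

```python
import base64
import json

# Constructed table of parameters agreed out of band, keyed by SPI value.
# Keys and contents are assumptions for illustration only.
PRENEGOTIATED = {
    "session-7f3a": {"alg": "dir", "enc": "A128GCM", "kid": "k1"},
}

def encode_header(header: dict) -> str:
    """base64url-encode a header the way JWS/JWE compact forms carry it."""
    raw = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_header(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    return header

def handle_spi(header: dict) -> dict:
    """Resolve "alg": "spi" to the stored parameters (exact match only)."""
    spi = header.get("spi")
    if not isinstance(spi, str) or spi not in PRENEGOTIATED:
        raise ValueError("unknown spi")  # no case folding, no prefix match
    stored = PRENEGOTIATED[spi]
    inband = {k: v for k, v in header.items() if k not in ("alg", "spi")}
    clash = sorted(set(inband) & set(stored))
    if clash:
        # Assumed rule: in-band fields must not override what was negotiated.
        raise ValueError(f"in-band fields override negotiated ones: {clash}")
    return {**stored, **inband}

# One handler per "alg" value; the non-SPI entries pass the header through.
HANDLERS = {"spi": handle_spi, "dir": dict, "HS256": dict}

def effective_header(segment: str) -> dict:
    """Return the parameters that govern processing of this object."""
    header = decode_header(segment)
    alg = header.get("alg")
    if not isinstance(alg, str):
        raise ValueError('no "alg": not processed as JWS or JWE')
    if alg not in HANDLERS:
        raise ValueError(f"unsupported alg: {alg}")
    return HANDLERS[alg](header)
```

A header without "alg" is rejected before any SPI lookup happens, so the "spi" path is reachable only through the same dispatch as every other algorithm.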