IETF Logo Mail Archive

Re: [jose] Should we delete the "typ" header field

Richard Barnes <rlb@ipv.sx> Tue, 04 June 2013 17:20 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C3D621F9CD0 for <jose@ietfa.amsl.com>; Tue, 4 Jun 2013 10:20:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.178
X-Spam-Level: **
X-Spam-Status: No, score=2.178 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, RDNS_NONE=0.1, TRACKER_ID=2.003]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lbp2+h4Ut0te for <jose@ietfa.amsl.com>; Tue, 4 Jun 2013 10:20:43 -0700 (PDT)
Received: from mail-ob0-x230.google.com (mail-ob0-x230.google.com [IPv6:2607:f8b0:4003:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id 9B89821E80A4 for <jose@ietf.org>; Tue, 4 Jun 2013 08:28:58 -0700 (PDT)
Received: by mail-ob0-f176.google.com with SMTP id v19so614876obq.35 for <jose@ietf.org>; Tue, 04 Jun 2013 08:28:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=IiNpoxc81Z3ujJMRIRBN7YCMqnrqEYTJWx3V+RnP9oU=; b=gAGAHJG86sL/6ozmyN98sR9J7TO61H9B7fCgLVi1lm80OHFVkDvBNX1BXAsti2ZzS8 WJFoSTI3p+POL2NQsVGQNQGTvdW07YAmIROBGYT4wxwN40W9KYdjuP+2Pjy451eQQNlC r8obV2/zaufhGIicKxQSY7Kbb7oVuQ9viRtCK6bnYYdFN8momfqcxjqMg6Rp8wwduPyE 53aK8Of7uA6Jahz2XTF7+2MpnEg8FK/5kLIPxmnfypJ76+sk1q+EJz4lAQPhpXmpIHNU VskohcUZJAoyQCwId44OxilNRvPcrRiGoVlURx52QGaEN24phySs+Pq5hMvR8XT7EIAm mzIg==
MIME-Version: 1.0
X-Received: by 10.182.236.104 with SMTP id ut8mr12169879obc.75.1370359738010; Tue, 04 Jun 2013 08:28:58 -0700 (PDT)
Received: by 10.60.84.8 with HTTP; Tue, 4 Jun 2013 08:28:57 -0700 (PDT)
X-Originating-IP: [192.1.51.101]
In-Reply-To: <CA+k3eCT6Dq2jo6Lx6SEMkNDrLKREJTkzwNxT7ggJHDJtvQVG2A@mail.gmail.com>
References: <02b701ce5cb8$46ae77e0$d40b67a0$@augustcellars.com> <CAD9ie-vK3gY9b9GQrbUa=TACy5KVA1uPH_u_utucoKzVynjuiA@mail.gmail.com> <02f501ce5cc5$ec9a2200$c5ce6600$@augustcellars.com> <CAD9ie-uV-THE0+oL-dNUB0qXF7sx8jHMZDCz8vGESmUHWV=LMg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C58C4@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAD9ie-sm7q6gdzC-aTKt=+b=A8wB68ExTP1FwiT=zQTN7b69zA@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C5C0A@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR=Lh5_HogPtgoFM+qhwNkqOFaW0+TzOCAziUwK8ZqQaw@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C7399@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR6XfSwHxOLym_pkM+9EOE8yRUEncLToKbrLVJxoOgxDg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9B69@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgTrpkt0PyvLmnSKTchST5hgbzjkLQMq3hr6O2pij7LgjQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9E95@TK5EX14MBXC285.redmond.corp.microsoft.com> <CABzCy2Cd6LJB63b8REsyW0yjS=2DMBaSwsL-ZUnwG-aCXJ5P-Q@mail.gmail.com> <CA+k3eCT6Dq2jo6Lx6SEMkNDrLKREJTkzwNxT7ggJHDJtvQVG2A@mail.gmail.com>
Date: Tue, 04 Jun 2013 11:28:57 -0400
Message-ID: <CAL02cgSeurHAEsAtEaEDYAko2Or8dFAOx8QWe-G2e4nss_AX4g@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="001a11c3183866707c04de55bdd9"
X-Gm-Message-State: ALoCoQmeYX8Cz852Y2P70vUcYtKGWhdI72prGRVY5ofn91qRo/1LqiDohi3TXga7GJOhb+IVrPZh
Cc: Mike Jones <Michael.Jones@microsoft.com>, Nat Sakimura <sakimura@gmail.com>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 17:20:47 -0000

It would be a good point, if it were true :)  In particular, this part:
"[dropping 'typ'] is going to cause each and every application that uses
JOSE to define their own field"

So far, I've heard of exactly one application of JOSE that requires "typ"
in the way it is currently specified, namely JWT.

On the other hand, Dick's applications are apparently using it differently
(and, IMO, properly) to distinguish JWE/JWS.  Then there are all the
applications out there that are OK using application context and "cty" to
recognize what type of object they have.  Apps using CMS have been doing
this for ages.

So it's not at all clear to me that there's any other application that
would use "typ" besides JWT.  And it's not clear to me that JWT needs it.

--Richard





On Fri, May 31, 2013 at 5:45 PM, Brian Campbell
<bcampbell@pingidentity.com>wrote:

> Nat makes a good point here, I think.
>
>
> On Thu, May 30, 2013 at 9:31 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>> From what I understand, both typ and cty are something to be consumed by
>> the application and not JOSE processor. From the point of view of the JOSE
>> processor, they should be ignored.
>>
>> We could drop both fields from JOSE specs, but that is going to cause
>> each and every application that uses JOSE to define their own field, which
>> is a waste. That is why we are defining them here.
>>
>> I would rather drop them than define JOSE processing semantics to these
>> fields.
>>
>>
>> 2013/5/31 Mike Jones <Michael.Jones@microsoft.com>
>>
>>>  No, “cty” is used by the derived class to determine the type of the
>>> encapsulated field.  But that’s not a complete description of the **entire
>>> object** - especially not the additional meaning imbued by the
>>> additional parameters the derived type may add to the JOSE header.  “typ”
>>> is there to provide the type of the entire object, including what you’re
>>> calling the wrapper parts.****
>>>
>>> ** **
>>>
>>>                                                             -- Mike****
>>>
>>> ** **
>>>
>>> *From:* Richard Barnes [mailto:rlb@ipv.sx]
>>> *Sent:* Thursday, May 30, 2013 7:58 AM
>>>
>>> *To:* Mike Jones
>>> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt
>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>
>>> ** **
>>>
>>> Isn't that requirement met by "cty"?  The only thing JOSE adds is a
>>> crypto wrapper around the real application content.  If you're an
>>> application, you know a JOSE object is the thing you want because it
>>> contains the content you want -- it's a JWT because it contains JWT claims.
>>> ****
>>>
>>> ** **
>>>
>>> Inheritance is the wrong metaphor.  This is encapsulation of application
>>> data:****
>>>
>>> if (jws.valid && jws.cty == "application/jwt_claims") {****
>>>
>>>     jwtClaims = jws.content;****
>>>
>>> }****
>>>
>>> ** **
>>>
>>> --Richard****
>>>
>>> ** **
>>>
>>> On Thu, May 30, 2013 at 10:43 AM, Mike Jones <
>>> Michael.Jones@microsoft.com> wrote:****
>>>
>>> Thanks for sharing the S/MIME details.  Although I was actually making
>>> the analogy to MIME – not S/MIME.  Like many analogies, it’s imperfect, but
>>> I believe still illustrative.****
>>>
>>>  ****
>>>
>>> The reason that the analogy isn’t perfect is that the JOSE data
>>> structures are used to build application-specific data structures that are
>>> legal JOSE data structures but also have additional properties – including
>>> additional header fields with specific semantics.  (When we agreed to
>>> ignore not-understood header fields we let that horse out of the barn.)
>>> For instance, Dick Hardt uses JWEs with issuer and audience fields in the
>>> headers, so they can be used by routing software.****
>>>
>>>  ****
>>>
>>> Think of JOSE as the base class and the application types built using it
>>> as derived classes.  JWT is a derived class.  Dick’s structures are a
>>> derived class.  These derived classes sometimes need names.  That’s what
>>> “typ” is for.****
>>>
>>>  ****
>>>
>>>                                                             -- Mike****
>>>
>>>  ****
>>>
>>> *From:* Richard Barnes [mailto:rlb@ipv.sx]
>>> *Sent:* Thursday, May 30, 2013 7:34 AM****
>>>
>>>
>>> *To:* Mike Jones
>>> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt
>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>
>>>  ****
>>>
>>> You're mixing up "typ" and "cty".  If you want to make the analogy to
>>> S/MIME, "cty" is the equivalent to Content-Type inside the protected MIME
>>> body; "typ" is the content-type on the outer MIME header.  Pasting in an
>>> example:****
>>>
>>>  ****
>>>
>>> -----BEGIN-----****
>>>
>>> Content-Type: application/pkcs7-mime; smime-type=signed-data;****
>>>
>>>      name=smime.p7m****
>>>
>>> Content-Transfer-Encoding: base64****
>>>
>>> Content-Disposition: attachment; filename=smime.p7m****
>>>
>>>  ****
>>>
>>> 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7****
>>>
>>> 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH****
>>>
>>> HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh****
>>>
>>> 6YT64V0GhIGfHfQbnj75****
>>>
>>> -----END-----****
>>>
>>> <http://tools.ietf.org/html/rfc3851#section-3.4.2>****
>>>
>>>  ****
>>>
>>> The outer Content-Type, which is analogous to "typ", MUST be
>>> application/pkcs7-mime, with a parameter indicating the type of CMS object.
>>>  This is the same as requiring "typ" to be JWE or JWS.  The inner
>>> Content-Type (ASN.1/base64 encoded in the example) can be anything, just
>>> like "cty".****
>>>
>>>  ****
>>>
>>> --Richard****
>>>
>>>  ****
>>>
>>>  ****
>>>
>>>  ****
>>>
>>>  ****
>>>
>>> On Thu, May 30, 2013 at 12:53 AM, Mike Jones <
>>> Michael.Jones@microsoft.com> wrote:****
>>>
>>> Requiring that the “typ” value be only “JWS” or “JWE” would be analogous
>>> to the MIME spec requiring that the Content-Type: field be only
>>> “text/plain” or “message/external-body”.  It would render it useless.***
>>> *
>>>
>>>  ****
>>>
>>>                                                             -- Mike****
>>>
>>>  ****
>>>
>>> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
>>> Of *Richard Barnes
>>> *Sent:* Wednesday, May 29, 2013 8:03 PM
>>> *To:* Mike Jones
>>> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt****
>>>
>>>
>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>
>>>  ****
>>>
>>> If this is the level of "type" you're referring to, I think we should
>>> drop it from the spec.  It's an application-layer thing that the app can
>>> add or not according to its wishes.****
>>>
>>>  ****
>>>
>>> I'm with Dick on this.  I think we should either have a mandatory
>>> indicator of what type of JOSE object this, or nothing at all.   If the
>>> former, the allowable values are "JWE" and "JWS".  The "+JSON" options are
>>> non-sensical -- the app needs to know what it's parsing before it gets this
>>> header.  While I have a preference for the former (for clarity), the latter
>>> approach is also OK with me, since the MIME types are specific to JWE/JWS.
>>> ****
>>>
>>>  ****
>>>
>>> Another approach here would be to address the JSON and compact forms
>>> separately.  The JSON form has no need of "typ" at all, since the type of
>>> the object is completely clear from what fields are there, e.g.,
>>> "recipients" vs. "signatures".  For the compact form, we could do something
>>> like James's "E."/"S." prefix idea, which you need because the
>>> dot-separated components have different meanings and no field names to
>>> indicate this.****
>>>
>>>  ****
>>>
>>> --Richard****
>>>
>>>  ****
>>>
>>> On Wed, May 29, 2013 at 8:30 PM, Mike Jones <Michael.Jones@microsoft.com>
>>> wrote:****
>>>
>>> A standard library is unlikely to know the meanings of all possible
>>> “typ” values – and more to the point, *it doesn’t have to*.  It’s the
>>> application’s job to determine that “this blob is a JOSE object” and then
>>> pass it to a standard library, which will then ignore the “typ” value.**
>>> **
>>>
>>>  ****
>>>
>>> A standard JOSE library won’t know what “typ”: “JWT” means.  It won’t
>>> know what “typ”: “BCGovToken” is, should the BC Government want to declare
>>> that it’s using a token with particular characteristics.  It won’t know
>>> what “typ”: “XMPP” is, should XMPP want to declare that it’s using a JOSE
>>> data structure with particular characteristics.  Etc.****
>>>
>>>  ****
>>>
>>> All these values can be registered in the registry and used by
>>> applications that understand them.  That’s the application’s job – not the
>>> library’s job.  The “typ” field is just there so that applications have a
>>> standard place to make any such declarations that they may need.****
>>>
>>>  ****
>>>
>>>                                                                 -- Mike*
>>> ***
>>>
>>>  ****
>>>
>>> *From:* Dick Hardt [mailto:dick.hardt@gmail.com]
>>> *Sent:* Wednesday, May 29, 2013 5:18 PM
>>> *To:* Mike Jones
>>> *Cc:* Jim Schaad; jose@ietf.org****
>>>
>>>
>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>
>>>  ****
>>>
>>> I'd prefer to be able to use standard libraries for creating and parsing
>>> tokens, and not specialized libraries dependent on the use case.****
>>>
>>>  ****
>>>
>>> I strongly think we either drop "typ" or make it required.****
>>>
>>>  ****
>>>
>>> On Wed, May 29, 2013 at 5:03 PM, Mike Jones <Michael.Jones@microsoft.com>
>>> wrote:****
>>>
>>> It’s fine for your application to specify that it’s required for your
>>> use case.  Not applications need it, so they shouldn’t be forced to pay the
>>> space penalty of an unnecessary field.****
>>>
>>>  ****
>>>
>>>                                                                 -- Mike*
>>> ***
>>>
>>>  ****
>>>
>>> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
>>> Of *Dick Hardt
>>> *Sent:* Wednesday, May 29, 2013 4:56 PM****
>>>
>>>
>>> *To:* Jim Schaad
>>> *Cc:* jose@ietf.org
>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>
>>>  ****
>>>
>>> I use it all the time and my code would barf if it was not there.****
>>>
>>>  ****
>>>
>>> I think it should be required rather than be a hint if it is going ot be
>>> there.****
>>>
>>>  ****
>>>
>>> On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <ietf@augustcellars.com>
>>> wrote:****
>>>
>>> I think the values just changed****
>>>
>>>  ****
>>>
>>> However the way you are using it would be an argument to say that it
>>> should be a required field.  Are you just using it as a hint if it exists
>>> and then looking at the rest of the fields if it is not present?****
>>>
>>>  ****
>>>
>>> Jim****
>>>
>>>  ****
>>>
>>>  ****
>>>
>>> *From:* Dick Hardt [mailto:dick.hardt@gmail.com]
>>> *Sent:* Wednesday, May 29, 2013 3:49 PM
>>> *To:* Jim Schaad
>>> *Cc:* jose@ietf.org
>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>
>>>  ****
>>>
>>> Well, I have been using, but now realize the spec changed or I was
>>> confused.****
>>>
>>>  ****
>>>
>>> I had been setting "typ" to be either "JWE" or "JWS" depending on the
>>> type of token I was creating or parsing as it was easier than looking at
>>> "alg"****
>>>
>>>  ****
>>>
>>> As currently defined, I don't see value in "typ".****
>>>
>>>  ****
>>>
>>> -- Dick****
>>>
>>>  ****
>>>
>>>  ****
>>>
>>> On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <ietf@augustcellars.com>
>>> wrote:****
>>>
>>> In reading the documents, I am trying to understand the justification
>>> for having the “typ” header parameter in the JOSE documents.****
>>>
>>>  ****
>>>
>>> The purpose of the field is to hold the type of the object.  In the
>>> past, I believe that values which should now be placed in the cty field
>>> (such as “JWT”) were placed in this field as well.  However the parameter
>>> is optional and an implementation cannot rely on its being present.  This
>>> means that for all practical purposes all of the code to determine the
>>> value of the type field from the values of the alg and enc fields.  If the
>>> field was mandatory then this code would disappear at a fairly small space
>>> cost and I can understand why the parameter would be present.****
>>>
>>>  ****
>>>
>>> Can anybody justify why this field should be present in the document –
>>> or should it just disappear?****
>>>
>>>  ****
>>>
>>> Jim****
>>>
>>>  ****
>>>
>>>
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose****
>>>
>>>
>>>
>>> ****
>>>
>>>  ****
>>>
>>> --
>>> -- Dick ****
>>>
>>>
>>>
>>> ****
>>>
>>>  ****
>>>
>>> --
>>> -- Dick ****
>>>
>>>
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose****
>>>
>>>
>>>
>>> ****
>>>
>>>  ****
>>>
>>> --
>>> -- Dick ****
>>>
>>>
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose****
>>>
>>>  ****
>>>
>>>  ****
>>>
>>> ** **
>>>
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>>>
>>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>>
>

v2.23.0 | Report a Bug | By Email