Re: [jose] Feedback request on jose tracker issue #8: Should we add a "spi" header field?

Russ Housley <housley@vigilsec.com> Fri, 19 April 2013 17:51 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAL02cgSO4DQ9-zJspFMy2LcaFH8Y64kvJ5wc5vyfi7BrudvmEw@mail.gmail.com>
Date: Fri, 19 Apr 2013 13:51:00 -0400
Message-Id: <0072E7B1-1CD4-46DB-8954-52E795B5C861@vigilsec.com>
References: <A3598C19-D882-46B3-92FB-A203BF1BE585@vigilsec.com> <4E1F6AAD24975D4BA5B1680429673943676776F8@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgSO4DQ9-zJspFMy2LcaFH8Y64kvJ5wc5vyfi7BrudvmEw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>
Cc: jose@ietf.org, Karen O'Donoghue <odonoghue@isoc.org>
Subject: Re: [jose] Feedback request on jose tracker issue #8: Should we add a "spi" header field?

+1


On Apr 19, 2013, at 1:42 PM, Richard Barnes wrote:

> In principle, you could use the omission of the "alg" field as a signal that pre-negotiation is going on.  However, that seems like not the most useful way to do it, and it conflicts with current practice -- namely the examples currently in the JWE and JWS specs.  Those examples use pre-negotiation, but they also have an "alg" field.  It's not very useful because it doesn't provide the recipient any clue about how to populate the missing fields.  There's a semantic mis-match here as well, since a JWE with pre-negotiation is still a JWE, just an incomplete one.  
> 
> A dedicated flag field like SPI provides a clearer indication, and it also provides a hook that out-of-band protocols can use to connect in the pre-negotiated parameters.
> 
> --Richard
> 
> 
> 
> On Fri, Apr 19, 2013 at 12:06 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Russ, I'm curious why you say that the "spi" field needs to be in the base spec.  From a spec factoring point of view, even if SPI remains a completely separate spec and nothing is said in the base spec, there would be no confusion or conflicts, including for implementations.  Here's why:
>   - A header without an "alg" field is not recognized as a JWS or JWE, so there's no conflict there
>   - A JWS or JWE can legally contain a "spi" header field and a registry is already provided to define the meanings of additional header fields, so there's no conflict there either
> 
> Therefore, it seems like the separate spec could use the registry to define the meaning of "spi" in a JWS and JWE and could furthermore define the semantics of objects using headers without an "alg" field but including a "spi" field.  No conflicts.  And clear separation of concerns.
> 
> Those wanting the SPI functionality could use it.  Those not needing it would need to do nothing - which I think is as it should be.
> 
>                                 Best wishes,
>                                 -- Mike
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Russ Housley
> Sent: Friday, April 19, 2013 8:37 AM
> To: odonoghue@isoc.org; jose@ietf.org
> Subject: Re: [jose] Feedback request on jose tracker issue #8: Should we add a "spi" header field?
> 
> Combination of 1 and 2.  The field needs to be in the base specifications, but the only rule that needs to be included in the base specification is an exact match of the identifier.
> 
> Russ
> 
> = = = = = = = = = =
> 
> 1.  Have draft-barnes-jose-spi remain a separate specification that could optionally also be supported by JWS and JWE implementations.
> 2.  Incorporate draft-barnes-jose-spi into the JWS and JWE specifications as a mandatory feature.
> 3.  Incorporate draft-barnes-jose-spi into the JWS and JWE specifications as an optional feature.
> 4.  Another resolution (please specify in detail).
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
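The exchange above turns on how a recipient treats the "alg" and "spi" header fields: a header with "alg" is self-describing, one with "spi" points at pre-negotiated parameters that are looked up by an exact match of the identifier, and one with neither is not recognised as a JWS or JWE. The following Python is an added illustration of that dispatch written for this page; it is not code from draft-barnes-jose-spi or from any JOSE library, and the SPI table, the identifier "session-42" and its parameters are constructed values.

```python
import base64
import json

# Constructed table of pre-negotiated parameters, keyed by SPI string.
# The thread leaves population of this table to an out-of-band protocol;
# the entry here is invented for illustration only.
SPI_TABLE = {
    "session-42": {"alg": "A128KW", "enc": "A128CBC-HS256", "kid": "k1"},
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_protected_header(header: dict) -> str:
    """base64url-encode a header object as a compact-serialization segment."""
    return base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()


def resolve_header(header: dict, spi_table: dict = SPI_TABLE) -> dict:
    """Return the effective header or raise ValueError.

    Rules modelled on the discussion (an assumption, not the draft's text):
      - "alg" present, no "spi": ordinary self-describing JWS/JWE header.
      - "spi" present: exact-match lookup; merge pre-negotiated parameters in,
        rejecting the object if an explicit field disagrees with the table.
      - neither present: not recognised as a JWS or JWE.
    """
    spi = header.get("spi")
    if spi is None:
        if "alg" not in header:
            raise ValueError("neither 'alg' nor 'spi': not a JWS/JWE header")
        return dict(header)
    if not isinstance(spi, str):
        raise ValueError("'spi' must be a string identifier")
    negotiated = spi_table.get(spi)  # exact string match, no normalisation
    if negotiated is None:
        raise ValueError(f"unknown spi {spi!r}")
    effective = dict(negotiated)
    for key, value in header.items():
        if key in negotiated and negotiated[key] != value:
            raise ValueError(f"header {key!r} conflicts with pre-negotiated value")
        effective[key] = value
    return effective


def resolve_protected_header(compact: str) -> dict:
    """Decode the first segment of a compact serialization and resolve it."""
    return resolve_header(json.loads(_b64url_decode(compact.split(".", 1)[0])))
```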