IETF Logo Mail Archive

Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?

Mike Jones <Michael.Jones@microsoft.com> Thu, 20 June 2013 17:41 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08BBD21F9E14 for <jose@ietfa.amsl.com>; Thu, 20 Jun 2013 10:41:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.21
X-Spam-Level:
X-Spam-Status: No, score=-2.21 tagged_above=-999 required=5 tests=[AWL=-0.212, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X5o7jJYAEqph for <jose@ietfa.amsl.com>; Thu, 20 Jun 2013 10:41:34 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0243.outbound.protection.outlook.com [207.46.163.243]) by ietfa.amsl.com (Postfix) with ESMTP id B388B21F9DFB for <jose@ietf.org>; Thu, 20 Jun 2013 10:41:34 -0700 (PDT)
Received: from BL2FFO11FD006.protection.gbl (10.173.161.203) by BL2FFO11HUB026.protection.gbl (10.173.161.50) with Microsoft SMTP Server (TLS) id 15.0.707.0; Thu, 20 Jun 2013 17:41:20 +0000
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD006.mail.protection.outlook.com (10.173.161.2) with Microsoft SMTP Server (TLS) id 15.0.707.0 via Frontend Transport; Thu, 20 Jun 2013 17:41:20 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.25]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.03.0136.001; Thu, 20 Jun 2013 17:41:08 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>
Thread-Topic: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
Thread-Index: Ac5si+PCJyNtJjwFQ3SCQ8Y9W8ChrQBPRl+AAAAPBOAAAzZugAAByUwg
Date: Thu, 20 Jun 2013 17:41:07 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943678798E6@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B1680429673943678735D4@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgQUpbYLatgiaXa8T9oMMi+sA5KxEiocETLTEDXskTtqDQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943678794EF@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgSui3q4co4sCRBZCsA_wEgSNUFx8v0jsx+H_2z761VN=Q@mail.gmail.com>
In-Reply-To: <CAL02cgSui3q4co4sCRBZCsA_wEgSNUFx8v0jsx+H_2z761VN=Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943678798E6TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454003)(199002)(189002)(51444003)(24454002)(49866001)(50986001)(54356001)(19300405003)(46102001)(44976003)(76796001)(53806001)(33656001)(74366001)(47736001)(81542001)(47446002)(77982001)(81342001)(51856001)(4396001)(77096001)(76786001)(16297215004)(79102001)(512954002)(15202345003)(6806003)(16406001)(76482001)(71186001)(54316002)(74502001)(16236675002)(47976001)(69226001)(66066001)(80022001)(65816001)(56816003)(74706001)(74662001)(55846006)(59766001)(31966008)(56776001)(20776003)(74876001)(63696002)(217873001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB026; H:TK5EX14HUBC101.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 08831F51DC
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2013 17:41:40 -0000

I know of no use cases where the application won't know whether it's using the Compact Serialization or the JSON Serialization.

From: Richard Barnes [mailto:rlb@ipv.sx]
Sent: Thursday, June 20, 2013 9:49 AM
To: Mike Jones
Cc: jose@ietf.org
Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?

That algorithm is part of the story, but it's incomplete.  What we need is an algorithm that starts with an arbitrary octet string and sorts by JWS/JWE and serialization.  An outline of the flow chart:

1. If content parses as valid JSON
1.*. Parse JSON
1.1. Iontains a "ciphertext" field -> JWE + JSON
1.2. Contains a "payload" field -> JWS + JSON
1.3. Else fail
2. Else if content matches the regex "^[a-zA-Z0-9_.-]*$"
2.*. Split on "."
2.1. If 5 components -> JWE + compact
2.2. If 3 components -> JWS + compact
2.3. Else fail
3. Else fail

There's also the question of which document this goes in.  It would be a natural thing for a combined JWS+JWE document, but we don't have one of those :(



On Thu, Jun 20, 2013 at 11:19 AM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
There is a defined algorithm to distinguish between the JWS and JWE objects in the third paragraph of http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-11#section-4.

                                                            -- Mike

From: Richard Barnes [mailto:rlb@ipv.sx<mailto:rlb@ipv.sx>]
Sent: Thursday, June 20, 2013 8:15 AM
To: Mike Jones
Cc: jose@ietf.org<mailto:jose@ietf.org>

Subject: Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?

Multiplexing JWE and JWS under a single JOSE media type only makes sense if there's a defined algorithm to demux them.  So if you want to do this, you would need to write down the algorithm.

Personally, it seems simpler and clearer to me to just have the four current types, so that you know which type of object you're dealing with, and in what serialization, without having to do content sniffing.

On Tue, Jun 18, 2013 at 9:26 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
The JWS and JWE documents currently define these MIME types for the convenience of applications that may want to use them:
                application/jws
                application/jws+json
                application/jwe
                application/jwe+json

That being said, I'm not aware of any uses of these by applications at present.  Thus, I think that makes it fair game to ask whether we want to keep them or remove them - in which case, if applications ever needed them, they could define them later.

Another dimension of this question for JWS and JWE is that it's not clear that the four types application/jws, application/jws+json, application/jwe, and application/jwe+json are even the right ones.  It might be more useful to have generic application/jose and application/jose+json types, which could hold either JWS or JWE objects respectively using the compact or JSON serializations (although I'm not advocating adding them at this time).

Having different JWS versus JWE MIME types apparently did contribute to at least Dick's confusion about the purpose of the "typ" field, so deleting them could help eliminate this possibility of confusion in the future.  Thus, I'm increasingly convinced we should get rid of the JWS and JWE types and leave it up to applications to define the types they need, when they need them.

Do people have use cases for these four MIME types now or should we leave them to future specs to define, if needed?

                                                                -- Mike

P.S.  For completeness, I'll add that the JWK document also defines these MIME types:
                application/jwk+json
                application/jwk-set+json

There are already clear use cases for these types, so I'm not advocating deleting them, but wanted to call that out explicitly.  For instance, when retrieving a JWK Set document referenced by a "jku" header parameter, I believe that the result should use the application/jwk-set+json type.  (In fact, I'll add this to the specs, unless there are any objections.)  Likewise, draft-miller-jose-jwe-protected-jwk-02 already uses application/jwk+json.  Both could also be as "cty" values when encrypting JWKs and JWK Sets, in contexts where that that would be useful.


_______________________________________________
jose mailing list
jose@ietf.org<mailto:jose@ietf.org>
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email