Re: [jose] Gen-Art LC review: draft-ietf-jose-jws-signing-input-options-06

"Manger, James" <James.H.Manger@team.telstra.com> Thu, 17 December 2015 04:35 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F2711ACD45; Wed, 16 Dec 2015 20:35:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.902
X-Spam-Level:
X-Spam-Status: No, score=-0.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FpTYH76VLbTq; Wed, 16 Dec 2015 20:35:02 -0800 (PST)
Received: from ipxano.tcif.telstra.com.au (ipxano.tcif.telstra.com.au [203.35.82.200]) by ietfa.amsl.com (Postfix) with ESMTP id 4A6AA1A8BC4; Wed, 16 Dec 2015 20:35:01 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.20,439,1444654800"; d="scan'208";a="50855619"
Received: from unknown (HELO ipcani.tcif.telstra.com.au) ([10.97.216.200]) by ipoani.tcif.telstra.com.au with ESMTP; 17 Dec 2015 15:34:59 +1100
X-IronPort-AV: E=McAfee;i="5700,7163,8017"; a="52355701"
Received: from wsmsg3753.srv.dir.telstra.com ([172.49.40.174]) by ipcani.tcif.telstra.com.au with ESMTP; 17 Dec 2015 15:34:59 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3753.srv.dir.telstra.com ([172.49.40.174]) with mapi; Thu, 17 Dec 2015 15:34:59 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Robert Sparks <rjsparks@nostrum.com>, General Area Review Team <gen-art@ietf.org>, "jose@ietf.org" <jose@ietf.org>, Ben Campbell <ben@nostrum.com>, Benoit Claise <bclaise@cisco.com>
Date: Thu, 17 Dec 2015 15:34:57 +1100
Thread-Topic: [jose] Gen-Art LC review: draft-ietf-jose-jws-signing-input-options-06
Thread-Index: AQHROG/CVGvdBvc6pkWammxFQfwa1J7Ob37AgAAh/dA=
Message-ID: <255B9BB34FB7D647A506DC292726F6E13BB5320F79@WSMSG3153V.srv.dir.telstra.com>
References: <5661E491.9050007@nostrum.com> <BY2PR03MB442B4D7B1E70A9957D43590F5EC0@BY2PR03MB442.namprd03.prod.outlook.com> <566DDF01.1020806@nostrum.com> <BY2PR03MB442BCE6CA07CC6EA7A86684F5ED0@BY2PR03MB442.namprd03.prod.outlook.com> <566EEA3E.8070302@nostrum.com> <BL2PR03MB433F920C8F6F7E0C0D570A1F5E00@BL2PR03MB433.namprd03.prod.outlook.com> <255B9BB34FB7D647A506DC292726F6E13BB5320C87@WSMSG3153V.srv.dir.telstra.com> <BL2PR03MB4332A83DA920EBB597AED08F5E00@BL2PR03MB433.namprd03.prod.outlook.com>
In-Reply-To: <BL2PR03MB4332A83DA920EBB597AED08F5E00@BL2PR03MB433.namprd03.prod.outlook.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/idip6ue0yGIWbEWy-dkGbDKejLY>
Subject: Re: [jose] Gen-Art LC review: draft-ietf-jose-jws-signing-input-options-06
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 04:35:03 -0000

Mike,

draft-ietf-jose-jws-signing-input-options-08 says:

   if used in environments in which all participants implement this extension, then "crit" need not be included

The clash here is whether such "environments" are reality, and if they are the audience of this IETF spec.
This sentence implies environment-specific JWS code, which rather goes against the point of a generic spec.

--
James Manger

-----Original Message-----
From: Mike Jones [mailto:Michael.Jones@microsoft.com] 
Sent: Thursday, 17 December 2015 2:52 PM
To: Manger, James <James.H.Manger@team.telstra.com>om>; Robert Sparks <rjsparks@nostrum.com>om>; General Area Review Team <gen-art@ietf.org>rg>; jose@ietf.org; Ben Campbell <ben@nostrum.com>om>; Benoit Claise <bclaise@cisco.com>
Subject: RE: [jose] Gen-Art LC review: draft-ietf-jose-jws-signing-input-options-06

James, as I see it, your proposal optimizes the Header Parameter requirements for the case in which the JWS isn't useful, rather than case in which it is.  This seems backwards, from an engineering point of view.

The new "crit" language in -08 already ensures clean failure in all the cases in which failure should occur.  There's then no need to include an extra parameter intended to cause a failure in cases in which the failure cannot occur.

				-- Mike

-----Original Message-----
From: Manger, James [mailto:James.H.Manger@team.telstra.com] 
Sent: Thursday, December 17, 2015 3:08 AM
To: Mike Jones <Michael.Jones@microsoft.com>om>; Robert Sparks <rjsparks@nostrum.com>om>; General Area Review Team <gen-art@ietf.org>rg>; jose@ietf.org; Ben Campbell <ben@nostrum.com>om>; Benoit Claise <bclaise@cisco.com>
Subject: RE: [jose] Gen-Art LC review: draft-ietf-jose-jws-signing-input-options-06

Mike proposes the following:

   "Using "crit" with "b64"

   If a JWS using "b64" with a value of "false" might be processed by implementations not implementing this extension, then the "crit" Header Parameter MUST be included with "b64" in its set of values to cause such implementations to reject the JWS.  Conversely, if used in environments in which all participants implement this extension, then "crit" need not be included, since its inclusion would have no effect, other than increasing the JWS size and processing costs."


"crit":"xxx" is not needed once everyone understands xxx, for any value of xxx. This is the nature of "crit". draft-ietf-jose-jws-signing-input-options is precisely the case where "crit" should be used (new messages that can be misunderstood by old implementations). If it isn't used here, I doubt it will ever get used.

The fact Mike is pushing back so much on using "crit" despite being an author of the JWS spec defining "crit" is a sign that "crit" itself is a poor design for supporting extensibility. There were alternative versioning mechanisms discussed before JWS was published, but "crit" was picked.

Alternative suggested wording:

   The "crit" Header Parameter MUST be included with "b64" in its set of values to ensure the JWS is rejected (instead of being misinterpreted) by implementations that do not understand this specification.

If people need hope that the 13-char overhead ("crit":"b64",) will not last forever, perhaps add the following:

   A future specification might be able to relax this requirement if there is another mechanism to prevent misinterpretation, such as another "crit" value that also implies "b64" understanding, or the elimination of all old implementations.


Please don't add:

   "Implementations receiving JWSs using "b64" with a value of "false" will not be able to successful use those JWSs unless they support this extension, since they will be unable to obtain the payload value.  ... including "crit" is insufficient to enable the receiving implementation to use the JWS; that requires supporting this extension."

The last part is too obvious. The first part is either too obvious (if "successful" means from the senders point of view) or wrong (as the recipient thinks they have been successful when they have actually misinterpreted the message).

Please remove method 3: sending a payload with non-base64url chars. This makes too many assumptions about how a base64url-decoder will handle unexpected chars. Some will reject anything outside A-Za-z0-9-_, others will ignore whitespace, others will happily decode +/ and -_, others will ignore =, perhaps others ignore any unexpected chars.

--
James Manger