Re: [jose] POLL(s): header criticality

Richard Barnes <rlb@ipv.sx> Fri, 08 February 2013 22:22 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2096421F87FA for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 14:22:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[AWL=0.276, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X3oirchj4Gqz for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 14:22:40 -0800 (PST)
Received: from mail-lb0-f176.google.com (mail-lb0-f176.google.com [209.85.217.176]) by ietfa.amsl.com (Postfix) with ESMTP id ACC1321F87D7 for <jose@ietf.org>; Fri, 8 Feb 2013 14:22:39 -0800 (PST)
Received: by mail-lb0-f176.google.com with SMTP id s4so3362849lbc.35 for <jose@ietf.org>; Fri, 08 Feb 2013 14:22:38 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=sU3lw/VQZSVJRkNsqDRx0KCLTZTbdr0X+9CMRdYhKXc=; b=JsF2WnlZoO6VSEmKsq8fdEJ+AdH89/U6eWRSSncagy3h/M91hyyWqHCeStVjAEQGAT JEySPocczW18pNQd3vTJYQhG931OhRjQICLHrW3Tqhwi9d4DHWDHRiwf4PU1YRVlQ7tq GuZTTr/apKRGHiHhYc8rcPjM4/lzk1xjJxspk0s39lr5ZCpAd0CGFGmzTLQkrCWgwXUx rTjpxRIwTe2VvJmnX0ZdpPn67loNrOfjHO6/THKFvEOWquYbeBJu7i2ui6qTz/21Yzdf dxZHkOO5JqB5bYA9HUgpmx+rh1fQNCuN9IHxxrrscZ/oopYEO2KvKJvMBdvMQgf6u3iq CQmg==
MIME-Version: 1.0
X-Received: by 10.152.109.176 with SMTP id ht16mr6360814lab.2.1360362158392; Fri, 08 Feb 2013 14:22:38 -0800 (PST)
Received: by 10.112.147.164 with HTTP; Fri, 8 Feb 2013 14:22:38 -0800 (PST)
X-Originating-IP: [192.1.51.63]
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436741F960@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436741E22F@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgSCPMY9PWU9A8st0ZUhOC7D6OCapXtWKuEg1gr3riMOHQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436741F960@TK5EX14MBXC284.redmond.corp.microsoft.com>
Date: Fri, 08 Feb 2013 17:22:38 -0500
Message-ID: <CAL02cgQ-aSR-Ot3jnTqtyjsFC=vgJpf1VF5nDSr2bHUY2Rd1Mg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="bcaec54eea2437870304d53dff6f"
X-Gm-Message-State: ALoCoQkre0NW1sRbf9uUb0DirvhIMaLXXuBy2YZWkH81Nxu/eu8jdYDcwhz2e6r2Lj+YBZj+k/vP
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Karen O'Donoghue <odonoghue@isoc.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] POLL(s): header criticality
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2013 22:22:42 -0000

So you're saying that if any of these systems wants to define an optional
parameter, they need to coordinate with all of the others.

For example: The Persona verification process is largely server-based.
 Suppose the Persona spec wanted to include an optional attribute 'vsf'
that has the key fingerprint of the server that should be used to verify
the assertion.  Not mandatory, because you can still fall back to PKIX and
domain-based verification, but adds another layer of security.  Suddenly,
Persona cannot use the same JOSE library that OpenID Connect uses.

What benefit do you think comes from forcing all of these entities to
upgrade in lock-step?

--Richard




On Fri, Feb 8, 2013 at 1:02 AM, Mike Jones <Michael.Jones@microsoft.com>wrote:

>  I agree with you that we don’t need to define a negotiation mechanism.
> As I believe Hannes correctly observed, either negotiation or out-of-band
> agreement will typically be used to agree on parameters to be used, but
> it’s not the job of this working group to define them.  In fact, the right
> choices are typically dependent upon the particular use case.****
>
> ** **
>
> I know of three publicly known systems built using the current JOSE specs
> (Mozilla Persona, a system Dick Hardt is building for the province of BC,
> and OpenID Connect) where one of these techniques are applied.  None of
> them needs to ignore parameters, to my knowledge.  See
> http://openid.net/specs/openid-connect-discovery-1_0.html for the
> discovery system used by latter.****
>
> ** **
>
> My main point is that just because we don’t define a discovery mechanism,
> that doesn’t mean that one won’t be used, when appropriate.****
>
> ** **
>
>                                                             -- Mike****
>
> ** **
>
> *From:* Richard Barnes [mailto:rlb@ipv.sx]
> *Sent:* Thursday, February 07, 2013 8:08 PM
> *To:* Mike Jones
> *Cc:* Karen O'Donoghue; Hannes Tschofenig; jose@ietf.org
>
> *Subject:* Re: [jose] POLL(s): header criticality****
>
> ** **
>
> One might note that TLS does not require that all headers be understood.
>  You can send SNI, say, without the risk of breaking interop with older
> servers. ****
>
> ** **
>
> More to the point, unless you're going to actually define a negotiation
> mechanism, saying that one would help is not all that constructive. This
> group needs to either define a negotiation mechanism, or else not add
> features for which negotiation is a absolute requirement.  And I would
> strongly oppose the former, as an unnecessary expansion of scope.
>
> --Richard
>
>
> On Thursday, February 7, 2013, Mike Jones wrote:****
>
> I agree that this should be described in the document.****
>
>  ****
>
> One common application that uses discovery/negotiation to decide what
> algorithms are supported and to use is TLS (https).****
>
>  ****
>
> Cheers,****
>
> -- Mike****
>
>  ****
>
> *From:* Hannes Tschofenig
> *Sent:* February 7, 2013 12:51 AM
> *To:* Mike Jones, odonoghue@isoc.org, hannes.tschofenig@gmx.net
> *CC:* jose@ietf.org
> *Subject:* Re: RE: [jose] POLL(s): header criticality****
>
>  ****
>
> Hi Mike,
>
> whatever story the group comes up with I believe it would be important to
> describe this in the document since other specifications have followed a
> different approach.
>
> Knowing you guys I had already expected that you try to solve this
> extensibility issue using additional OpenID Connect specifications.
>
> I am wondering what approach other specifications have used in the past.
> My understanding is that XML, CMS, and PSKC follow a model where the
> mandatory to implement functionality is defined in the specification and
> additional specifications indicate what additional extensions have to be
> used. Is my understanding correct?
>
> Ciao
> Hannes
>
> -------- Original-Nachricht --------
> > Datum: Thu, 7 Feb 2013 07:20:32 +0000
> > Von: Mike Jones <Michael.Jones@microsoft.com>
> > An: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "odonoghue@isoc.org"
> <odonoghue@isoc.org>
> > CC: "jose@ietf.org" <jose@ietf.org>
> > Betreff: RE: [jose] POLL(s): header criticality
>
> > Hi Hannes,
> >
> > One tried-and-true method of enabling extensions is through discovery
> > and/or negotiation.  (This fits into your (b) - there is another higher
> layer
> > specification that says what is required.)  For instance, if two parties
> > come to understand through discovery that both support an extension,
> then they
> > are free to use it between themselves.
> >
> > For instance, yes, in OpenID Connect, implementations can discover what
> > algorithms and other features are supported and then use only those that
> are
> > implemented by both communicating parties.  I can't imagine that this is
> > the only JOSE use case that will employ discovery and/or negotiation.
> >
> > When discovery and/or negotiation is used, implementations don't have to
> > ignore not-understood features, because none would be used in the first
> > place.
> >
> >     Best wishes,
> >     -- Mike
> >
> > P.S.  Yes, you're right that (a) - out-of-band agreement - could be used
> > in some cases too.  For instance, OAuth deployments almost all employ
> > out-of-band agreements.
> >
> > -----Original Message-----
> > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> > Hannes Tschofenig
> > Sent: Wednesday, February 06, 2013 10:32 PM
> > To: odonoghue@isoc.org
> > Cc: hannes.tschofenig@gmx.net; jose@ietf.org
> > Subject: Re: [jose] POLL(s): header criticality
> >
> > Hi Karen,
> >
> > thanks for running this poll.
> >
> > My problem with answering your questions is the following:
> >
> > The question you are raising deals with how you want to handle
> extensions.
> > While it is easy to say that all the features in specification X must be
> > implemented it is not even clear which specifications you are actually
> > referring to with question #1.
> >
> > So, I am wondering how you plan to handle any extension when someone
> > answers question #1 with YES. I see only the following ways:
> >
> > a) there is an out-of-band agreement (for a specific system, such a
> > federation) that defines what values need to be present, or
> >
> > b) there is another higher layer specification that says what is
> required.
> >
> > I assume that many of the OAuth folks have answered the question with YES
> > since they are thinking that they will just write that specification as
> > part of OpenID Connect.
> >
> > If that's the plan I think it should be clearly articulated to avoid
> > raising wrong expectations of the level of interoperability this work
> provides.
> >
> > If there is a different plan then please let me know.
> >
> > Ciao
> > Hannes
> >
> >
> > On 02/04/2013 04:48 PM, Karen O'Donoghue wrote:
> > > Folks,
> > >
> > > I am wrestling with how to help drive consensus on the topic of
> > > criticality of headers. For background, please review the current
> > > specification text, the minutes to the Atlanta meeting (IETF85), and
> > > the mailing list (especially the discussion in December with (Subj:
> > > Whether implementations must understand all JOSE header fields)). We
> > > need to come to closure on this issue in order to progress the
> > specifications.
> > >
> > > As a tool to gather further information on determining a way forward,
> > > the following polls have been created. Please respond before 11
> > > February 2013.
> > >
> > > Thanks,
> > > Karen
> > >
> > > *******************
> > > FIRST POLL: Should all header fields be critical for implementations
> > > to understand?
> > >
> > > YES - All header fields must continue to be understood by
> > > implementations or the input must be rejected.
> > >
> > > NO - A means of listing that specific header fields may be safely
> > > ignored should be defined.
> > >
> > > ********************
> > > SECOND POLL: Should the result of the first poll be "YES", should text
> > > like the following be added? "Implementation Note: The requirement to
> > > understand all header fields is a requirement on the system as a whole
> > > - not on any particular level of library software. For instance, a
> > > JOSE library could process the headers that it understands and then
> > > leave the processing of the rest of them up to the application. For
> > > those headers that the JOSE library didn't understand, the
> > > responsibility for fulfilling the 'MUST understand' requirement for
> > > the remaining headers would then fall to the application."
> > >
> > > YES - Add the text clarifying that the "MUST understand" requirement
> > > is a requirement on the system as a whole - not specifically on JOSE
> > > libraries.
> > >
> > > NO - Don't add the clarifying text.
> > >
> > > ************************
> > > THIRD POLL: Should the result of the first poll be "NO", which syntax
> > > would you prefer for designating the header fields that may be ignored
> > > if not understood?
> > >
> > > A - Define a header field that explicitly lists the fields that may be
> > > safely ignored if not understood.
> > >
> > > B - Introduce a second header, where implementations must understand
> > > all fields in the first but they may ignore not-understood fields in
> > > the second.
> > >
> > > C - Other??? (Please specify in detail.)
> > > _______________________________________________
> > > jose mailing list
> > > jose@ietf.org
> > > https://www.ietf.org/mailman/listinfo/jose
> >
> > _______________________________________________
> > jose mailing list
> > jose@ietf.org
> > https://www.ietf.org/mailman/listinfo/jose****
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>