Re: [jose] Should we delete the "typ" header field
Brian Campbell <bcampbell@pingidentity.com> Fri, 31 May 2013 21:46 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A34621F8C20 for <jose@ietfa.amsl.com>; Fri, 31 May 2013 14:46:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.959
X-Spam-Level:
X-Spam-Status: No, score=-0.959 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, TRACKER_ID=2.003]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbsRMk3sHs78 for <jose@ietfa.amsl.com>; Fri, 31 May 2013 14:46:08 -0700 (PDT)
Received: from na3sys009aog117.obsmtp.com (na3sys009aog117.obsmtp.com [74.125.149.242]) by ietfa.amsl.com (Postfix) with ESMTP id 6973021F9058 for <jose@ietf.org>; Fri, 31 May 2013 14:46:02 -0700 (PDT)
Received: from mail-ie0-f175.google.com ([209.85.223.175]) (using TLSv1) by na3sys009aob117.postini.com ([74.125.148.12]) with SMTP ID DSNKUakaFXxIPCiiHES2huDmygQQDtBmnJF4@postini.com; Fri, 31 May 2013 14:46:03 PDT
Received: by mail-ie0-f175.google.com with SMTP id tp5so5337281ieb.20 for <jose@ietf.org>; Fri, 31 May 2013 14:45:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=T3lqljHSVeOHivETvoDbTfhBeqEpd1j1z01El3Q08V4=; b=lv5cwIguyHQTzURDRZZY4dSouJx78jzkoaIjoOUPjtQIxjvSUvs2vJtpR8K2yw7U4d b3uqKrlbguV4uLaJy10REbRiJykTgSXKTpgN9saNSOmOYqxQGe4Y/9/6IBe/Og9Eyvuv VVbMTIyBDoR2jMpOk43yQtA+9F35ix/VgG4IuOdg695aGRDA4g5uy+nRsfTNY6Husm9z FiQFcM5g+drwcNra3DZy7/PXS+4ncngkT5BBW1zTbniICLkarwgpjahb3xPtNKSCQcXx P8gkY0J0RonVwIJQKt+Xjw/3EBndUSTQy9hGxpL9lDU59b+U3wqlxmwbCt0XFAXElKYZ vPag==
X-Received: by 10.50.7.36 with SMTP id g4mr2678436iga.64.1370036757510; Fri, 31 May 2013 14:45:57 -0700 (PDT)
X-Received: by 10.50.7.36 with SMTP id g4mr2678426iga.64.1370036757141; Fri, 31 May 2013 14:45:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.27.68 with HTTP; Fri, 31 May 2013 14:45:27 -0700 (PDT)
In-Reply-To: <CABzCy2Cd6LJB63b8REsyW0yjS=2DMBaSwsL-ZUnwG-aCXJ5P-Q@mail.gmail.com>
References: <02b701ce5cb8$46ae77e0$d40b67a0$@augustcellars.com> <CAD9ie-vK3gY9b9GQrbUa=TACy5KVA1uPH_u_utucoKzVynjuiA@mail.gmail.com> <02f501ce5cc5$ec9a2200$c5ce6600$@augustcellars.com> <CAD9ie-uV-THE0+oL-dNUB0qXF7sx8jHMZDCz8vGESmUHWV=LMg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C58C4@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAD9ie-sm7q6gdzC-aTKt=+b=A8wB68ExTP1FwiT=zQTN7b69zA@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C5C0A@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR=Lh5_HogPtgoFM+qhwNkqOFaW0+TzOCAziUwK8ZqQaw@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C7399@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR6XfSwHxOLym_pkM+9EOE8yRUEncLToKbrLVJxoOgxDg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9B69@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgTrpkt0PyvLmnSKTchST5hgbzjkLQMq3hr6O2pij7LgjQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9E95@TK5EX14MBXC285.redmond.corp.microsoft.com> <CABzCy2Cd6LJB63b8REsyW0yjS=2DMBaSwsL-ZUnwG-aCXJ5P-Q@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 31 May 2013 15:45:27 -0600
Message-ID: <CA+k3eCT6Dq2jo6Lx6SEMkNDrLKREJTkzwNxT7ggJHDJtvQVG2A@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Content-Type: multipart/alternative; boundary="089e011779413d30a604de0a8ab3"
X-Gm-Message-State: ALoCoQmrauiY/PkMYcu7RQIjmWYZl8bdPYh4uZayXwh/OF50TLW6iqeSB/aL4QsS8rSEYMubIc84WxEbnWgCol0fv2lJrv2t/xy4oKM+Jm2HyLUGFr6Uvqzc4DUjeyGJGUW104viV1Um
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2013 21:46:13 -0000
Nat makes a good point here, I think. On Thu, May 30, 2013 at 9:31 AM, Nat Sakimura <sakimura@gmail.com> wrote: > From what I understand, both typ and cty are something to be consumed by > the application and not JOSE processor. From the point of view of the JOSE > processor, they should be ignored. > > We could drop both fields from JOSE specs, but that is going to cause each > and every application that uses JOSE to define their own field, which is a > waste. That is why we are defining them here. > > I would rather drop them than define JOSE processing semantics to these > fields. > > > 2013/5/31 Mike Jones <Michael.Jones@microsoft.com> > >> No, “cty” is used by the derived class to determine the type of the >> encapsulated field. But that’s not a complete description of the **entire >> object** - especially not the additional meaning imbued by the >> additional parameters the derived type may add to the JOSE header. “typ” >> is there to provide the type of the entire object, including what you’re >> calling the wrapper parts.**** >> >> ** ** >> >> -- Mike**** >> >> ** ** >> >> *From:* Richard Barnes [mailto:rlb@ipv.sx] >> *Sent:* Thursday, May 30, 2013 7:58 AM >> >> *To:* Mike Jones >> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt >> *Subject:* Re: [jose] Should we delete the "typ" header field**** >> >> ** ** >> >> Isn't that requirement met by "cty"? The only thing JOSE adds is a >> crypto wrapper around the real application content. If you're an >> application, you know a JOSE object is the thing you want because it >> contains the content you want -- it's a JWT because it contains JWT claims. >> **** >> >> ** ** >> >> Inheritance is the wrong metaphor. This is encapsulation of application >> data:**** >> >> if (jws.valid && jws.cty == "application/jwt_claims") {**** >> >> jwtClaims = jws.content;**** >> >> }**** >> >> ** ** >> >> --Richard**** >> >> ** ** >> >> On Thu, May 30, 2013 at 10:43 AM, Mike Jones <Michael.Jones@microsoft.com> >> wrote:**** >> >> Thanks for sharing the S/MIME details. Although I was actually making >> the analogy to MIME – not S/MIME. Like many analogies, it’s imperfect, but >> I believe still illustrative.**** >> >> **** >> >> The reason that the analogy isn’t perfect is that the JOSE data >> structures are used to build application-specific data structures that are >> legal JOSE data structures but also have additional properties – including >> additional header fields with specific semantics. (When we agreed to >> ignore not-understood header fields we let that horse out of the barn.) >> For instance, Dick Hardt uses JWEs with issuer and audience fields in the >> headers, so they can be used by routing software.**** >> >> **** >> >> Think of JOSE as the base class and the application types built using it >> as derived classes. JWT is a derived class. Dick’s structures are a >> derived class. These derived classes sometimes need names. That’s what >> “typ” is for.**** >> >> **** >> >> -- Mike**** >> >> **** >> >> *From:* Richard Barnes [mailto:rlb@ipv.sx] >> *Sent:* Thursday, May 30, 2013 7:34 AM**** >> >> >> *To:* Mike Jones >> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt >> *Subject:* Re: [jose] Should we delete the "typ" header field**** >> >> **** >> >> You're mixing up "typ" and "cty". If you want to make the analogy to >> S/MIME, "cty" is the equivalent to Content-Type inside the protected MIME >> body; "typ" is the content-type on the outer MIME header. Pasting in an >> example:**** >> >> **** >> >> -----BEGIN-----**** >> >> Content-Type: application/pkcs7-mime; smime-type=signed-data;**** >> >> name=smime.p7m**** >> >> Content-Transfer-Encoding: base64**** >> >> Content-Disposition: attachment; filename=smime.p7m**** >> >> **** >> >> 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7**** >> >> 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH**** >> >> HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh**** >> >> 6YT64V0GhIGfHfQbnj75**** >> >> -----END-----**** >> >> <http://tools.ietf.org/html/rfc3851#section-3.4.2>**** >> >> **** >> >> The outer Content-Type, which is analogous to "typ", MUST be >> application/pkcs7-mime, with a parameter indicating the type of CMS object. >> This is the same as requiring "typ" to be JWE or JWS. The inner >> Content-Type (ASN.1/base64 encoded in the example) can be anything, just >> like "cty".**** >> >> **** >> >> --Richard**** >> >> **** >> >> **** >> >> **** >> >> **** >> >> On Thu, May 30, 2013 at 12:53 AM, Mike Jones <Michael.Jones@microsoft.com> >> wrote:**** >> >> Requiring that the “typ” value be only “JWS” or “JWE” would be analogous >> to the MIME spec requiring that the Content-Type: field be only >> “text/plain” or “message/external-body”. It would render it useless.**** >> >> **** >> >> -- Mike**** >> >> **** >> >> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf >> Of *Richard Barnes >> *Sent:* Wednesday, May 29, 2013 8:03 PM >> *To:* Mike Jones >> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt**** >> >> >> *Subject:* Re: [jose] Should we delete the "typ" header field**** >> >> **** >> >> If this is the level of "type" you're referring to, I think we should >> drop it from the spec. It's an application-layer thing that the app can >> add or not according to its wishes.**** >> >> **** >> >> I'm with Dick on this. I think we should either have a mandatory >> indicator of what type of JOSE object this, or nothing at all. If the >> former, the allowable values are "JWE" and "JWS". The "+JSON" options are >> non-sensical -- the app needs to know what it's parsing before it gets this >> header. While I have a preference for the former (for clarity), the latter >> approach is also OK with me, since the MIME types are specific to JWE/JWS. >> **** >> >> **** >> >> Another approach here would be to address the JSON and compact forms >> separately. The JSON form has no need of "typ" at all, since the type of >> the object is completely clear from what fields are there, e.g., >> "recipients" vs. "signatures". For the compact form, we could do something >> like James's "E."/"S." prefix idea, which you need because the >> dot-separated components have different meanings and no field names to >> indicate this.**** >> >> **** >> >> --Richard**** >> >> **** >> >> On Wed, May 29, 2013 at 8:30 PM, Mike Jones <Michael.Jones@microsoft.com> >> wrote:**** >> >> A standard library is unlikely to know the meanings of all possible “typ” >> values – and more to the point, *it doesn’t have to*. It’s the >> application’s job to determine that “this blob is a JOSE object” and then >> pass it to a standard library, which will then ignore the “typ” value.*** >> * >> >> **** >> >> A standard JOSE library won’t know what “typ”: “JWT” means. It won’t >> know what “typ”: “BCGovToken” is, should the BC Government want to declare >> that it’s using a token with particular characteristics. It won’t know >> what “typ”: “XMPP” is, should XMPP want to declare that it’s using a JOSE >> data structure with particular characteristics. Etc.**** >> >> **** >> >> All these values can be registered in the registry and used by >> applications that understand them. That’s the application’s job – not the >> library’s job. The “typ” field is just there so that applications have a >> standard place to make any such declarations that they may need.**** >> >> **** >> >> -- Mike** >> ** >> >> **** >> >> *From:* Dick Hardt [mailto:dick.hardt@gmail.com] >> *Sent:* Wednesday, May 29, 2013 5:18 PM >> *To:* Mike Jones >> *Cc:* Jim Schaad; jose@ietf.org**** >> >> >> *Subject:* Re: [jose] Should we delete the "typ" header field**** >> >> **** >> >> I'd prefer to be able to use standard libraries for creating and parsing >> tokens, and not specialized libraries dependent on the use case.**** >> >> **** >> >> I strongly think we either drop "typ" or make it required.**** >> >> **** >> >> On Wed, May 29, 2013 at 5:03 PM, Mike Jones <Michael.Jones@microsoft.com> >> wrote:**** >> >> It’s fine for your application to specify that it’s required for your use >> case. Not applications need it, so they shouldn’t be forced to pay the >> space penalty of an unnecessary field.**** >> >> **** >> >> -- Mike** >> ** >> >> **** >> >> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf >> Of *Dick Hardt >> *Sent:* Wednesday, May 29, 2013 4:56 PM**** >> >> >> *To:* Jim Schaad >> *Cc:* jose@ietf.org >> *Subject:* Re: [jose] Should we delete the "typ" header field**** >> >> **** >> >> I use it all the time and my code would barf if it was not there.**** >> >> **** >> >> I think it should be required rather than be a hint if it is going ot be >> there.**** >> >> **** >> >> On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <ietf@augustcellars.com> >> wrote:**** >> >> I think the values just changed**** >> >> **** >> >> However the way you are using it would be an argument to say that it >> should be a required field. Are you just using it as a hint if it exists >> and then looking at the rest of the fields if it is not present?**** >> >> **** >> >> Jim**** >> >> **** >> >> **** >> >> *From:* Dick Hardt [mailto:dick.hardt@gmail.com] >> *Sent:* Wednesday, May 29, 2013 3:49 PM >> *To:* Jim Schaad >> *Cc:* jose@ietf.org >> *Subject:* Re: [jose] Should we delete the "typ" header field**** >> >> **** >> >> Well, I have been using, but now realize the spec changed or I was >> confused.**** >> >> **** >> >> I had been setting "typ" to be either "JWE" or "JWS" depending on the >> type of token I was creating or parsing as it was easier than looking at >> "alg"**** >> >> **** >> >> As currently defined, I don't see value in "typ".**** >> >> **** >> >> -- Dick**** >> >> **** >> >> **** >> >> On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <ietf@augustcellars.com> >> wrote:**** >> >> In reading the documents, I am trying to understand the justification for >> having the “typ” header parameter in the JOSE documents.**** >> >> **** >> >> The purpose of the field is to hold the type of the object. In the past, >> I believe that values which should now be placed in the cty field (such as >> “JWT”) were placed in this field as well. However the parameter is >> optional and an implementation cannot rely on its being present. This >> means that for all practical purposes all of the code to determine the >> value of the type field from the values of the alg and enc fields. If the >> field was mandatory then this code would disappear at a fairly small space >> cost and I can understand why the parameter would be present.**** >> >> **** >> >> Can anybody justify why this field should be present in the document – or >> should it just disappear?**** >> >> **** >> >> Jim**** >> >> **** >> >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose**** >> >> >> >> **** >> >> **** >> >> -- >> -- Dick **** >> >> >> >> **** >> >> **** >> >> -- >> -- Dick **** >> >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose**** >> >> >> >> **** >> >> **** >> >> -- >> -- Dick **** >> >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose**** >> >> **** >> >> **** >> >> ** ** >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose >> >> > > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > >
- [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] FW: Should we delete the "typ" header … Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Manger, James H
- Re: [jose] Should we delete the "typ" header field Mike Jones
- [jose] FW: Should we delete the "typ" header field Manger, James H
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Richer, Justin P.
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field John Bradley
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Anthony Nadalin
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Brian Campbell
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Dick Hardt
- Re: [jose] Should we delete the "typ" header field Nat Sakimura
- Re: [jose] Should we delete the "typ" header field Manger, James H
- Re: [jose] Should we delete the "typ" header field Axel.Nennker
- Re: [jose] Should we delete the "typ" header field Jim Schaad
- Re: [jose] Should we delete the "typ" header field Mike Jones
- Re: [jose] Should we delete the "typ" header field Richard Barnes
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Richard Barnes
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Jim Schaad
- Re: [jose] FW: Should we delete the "typ" header … Mike Jones
- Re: [jose] FW: Should we delete the "typ" header … Manger, James H