IETF Logo Mail Archive

Re: [jose] Should we delete the "typ" header field

Dick Hardt <dick.hardt@gmail.com> Thu, 30 May 2013 01:02 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83E4421F8F38 for <jose@ietfa.amsl.com>; Wed, 29 May 2013 18:02:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oryDQv4E9oee for <jose@ietfa.amsl.com>; Wed, 29 May 2013 18:02:23 -0700 (PDT)
Received: from mail-vb0-x233.google.com (mail-vb0-x233.google.com [IPv6:2607:f8b0:400c:c02::233]) by ietfa.amsl.com (Postfix) with ESMTP id 1D6E621F8EEC for <jose@ietf.org>; Wed, 29 May 2013 18:02:22 -0700 (PDT)
Received: by mail-vb0-f51.google.com with SMTP id x16so6669049vbf.38 for <jose@ietf.org>; Wed, 29 May 2013 18:02:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=qK+y51/IkdsrnuU1f9zkQ4x839RYoAIVAZB7X/Yc7mU=; b=www3DhONyRd+J2j2Yf6epTEcZALE20f22dM1mAWVwFoTSF0qjG0+ezVJAXC2jijZ1c 22T0NSxSnhhSxNzT+PAAuoCRTt37ea8LeOeDifUymAMnMnmore+BFZldxNtwQ4usDGPk qzG6KXVxi1ToGnKaNlod+VxU4KYhyR0Q/6eUIk/eak88GFzviCzcX8whja1VkU9DF3LJ dczNde2TtF5NRyyMBe+VINk+U4PRDRgW0kcoJGYoohrDuyrS/BvUB+YqmNavgN+Q7xjd YPQkoS5vEJVLZE7iv1FeyiIGIBGeWJ4Q12W9oHEwqeBqNocT4n8MYwzbl+tvTLbzFqEQ qUjw==
MIME-Version: 1.0
X-Received: by 10.58.137.200 with SMTP id qk8mr3262802veb.54.1369875742480; Wed, 29 May 2013 18:02:22 -0700 (PDT)
Received: by 10.52.160.161 with HTTP; Wed, 29 May 2013 18:02:22 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943677C5D3E@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <02b701ce5cb8$46ae77e0$d40b67a0$@augustcellars.com> <CAD9ie-vK3gY9b9GQrbUa=TACy5KVA1uPH_u_utucoKzVynjuiA@mail.gmail.com> <02f501ce5cc5$ec9a2200$c5ce6600$@augustcellars.com> <CAD9ie-uV-THE0+oL-dNUB0qXF7sx8jHMZDCz8vGESmUHWV=LMg@mail.gmail.com> <C84C740C-CA7F-40F4-829B-1A1C09EF357F@ve7jtb.com> <CAD9ie-tgN7NyEU4_AP=KvcJZWSY_iOk85YYR_7zndb5ZGcP3Bw@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C5D3E@TK5EX14MBXC285.redmond.corp.microsoft.com>
Date: Wed, 29 May 2013 18:02:22 -0700
Message-ID: <CAD9ie-vQQNZBBHMnH7tesL+z8=CpPxi2yX+AyhHoLNVTfquRKA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="047d7b5d393604671404dde50dd2"
Cc: John Bradley <ve7jtb@ve7jtb.com>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 01:02:24 -0000

As currently defined, I won't use "typ"

I was using "typ" to signal if the library was doing JWS or JWE processing.

I don't understand the difference between a JWT which was the payload and a
JWT Claims Set. I personally think the term Claims to be confusing.


On Wed, May 29, 2013 at 5:41 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:

>  Actually, John, the text in the JWT spec is<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-5.1>
> :****
>
> ** **
>
> *5.1*<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-5.1>
> *.  "typ" (Type) Header Parameter*
>
> ** **
>
> ** **
>
>    The "typ" (type) header parameter is used to declare the type of this**
> **
>
>    object.  If present, it is RECOMMENDED that its value be either "JWT"**
> **
>
>    or "urn:ietf:params:oauth:token-type:jwt" to indicate that this****
>
>    object is a JWT.  The "typ" value is a case sensitive string.  Use of**
> **
>
>    this header parameter is OPTIONAL.****
>
> ** **
>
> The reason I’m pointing this out is that your message could be read to
> mean that the JWT spec requires the use of the “typ” parameter, which it
> doesn’t.  What it does do is RECOMMEND values to use, should they be useful
> in context.  It needs to remain OPTIONAL.****
>
> ** **
>
> Answering Dick’s question “What else would it unwrap to?” – if you have a
> nested JWT, it could unwrap to a JWT which was the Payload or Plaintext
> value, rather than a JWT Claims Set.****
>
> ** **
>
>                                                                 -- Mike***
> *
>
> ** **
>
> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
> Of *Dick Hardt
> *Sent:* Wednesday, May 29, 2013 5:30 PM
> *To:* John Bradley
> *Cc:* Jim Schaad; jose@ietf.org
>
> *Subject:* Re: [jose] Should we delete the "typ" header field****
>
> ** **
>
> ** **
>
> ** **
>
> On Wed, May 29, 2013 at 5:25 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:**
> **
>
> In the JWT spec the value of "typ" SHOULD be "jwt".   That indicates as
> Mike stated that it is a JWT in compact format that has as its body a jwt
> claim set.   If the claim set is signed then encrypted, the inner JWT has a
> a typ of jwt and no cty , and the outer one has a typ of JWT and a cty of
> jws.****
>
> ** **
>
> I'm doing symmetric encryption with an integrity check, so I don't have a
> JWT in a JWE****
>
>  ****
>
>  ** **
>
> If a JOSE object has a typ of jws then one would assume that it is a jws
> in compact serialization with some other body type then a jwt claimset.***
> *
>
> ** **
>
> I think this is somewhat a symptom of the JWT and JOSE specs getting split
> into different WG.****
>
> ** **
>
> So Mike can correct me but I don't think putting jwe or jws in typ is the
> intended use of that element if you are in fact sending JWT.****
>
> ** **
>
> I understand where Jim is coming from I think of JWT as a jwt claim-set
> and JWE and JWS as the outer layer, where JWT thinks of itself as a total
> security token definition including overall processing rules for security
> tokens, with a standard envelope segment and JWE or JWS encoding as
> determined by the alg.****
>
>  ** **
>
> That is confusing to me.****
>
>  ****
>
>  ** **
>
> In security token processing knowing that what you have will unwrap to a
> JWT claim-set , rather than to some other thing is quite important.****
>
>  ** **
>
> What else would it unwrap to?****
>
>  ****
>
>  ** **
>
> John B.****
>
> ** **
>
> ** **
>
> On 2013-05-29, at 7:56 PM, Dick Hardt <dick.hardt@gmail.com> wrote:****
>
>
>
> ****
>
> I use it all the time and my code would barf if it was not there.****
>
> ** **
>
> I think it should be required rather than be a hint if it is going ot be
> there.****
>
> ** **
>
> On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:****
>
> I think the values just changed****
>
>  ****
>
> However the way you are using it would be an argument to say that it
> should be a required field.  Are you just using it as a hint if it exists
> and then looking at the rest of the fields if it is not present?****
>
>  ****
>
> Jim****
>
>  ****
>
>  ****
>
> *From:* Dick Hardt [mailto:dick.hardt@gmail.com]
> *Sent:* Wednesday, May 29, 2013 3:49 PM
> *To:* Jim Schaad
> *Cc:* jose@ietf.org
> *Subject:* Re: [jose] Should we delete the "typ" header field****
>
>  ****
>
> Well, I have been using, but now realize the spec changed or I was
> confused.****
>
>  ****
>
> I had been setting "typ" to be either "JWE" or "JWS" depending on the type
> of token I was creating or parsing as it was easier than looking at "alg"*
> ***
>
>  ****
>
> As currently defined, I don't see value in "typ".****
>
>  ****
>
> -- Dick****
>
>  ****
>
>  ****
>
> On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:****
>
> In reading the documents, I am trying to understand the justification for
> having the “typ” header parameter in the JOSE documents.****
>
>  ****
>
> The purpose of the field is to hold the type of the object.  In the past,
> I believe that values which should now be placed in the cty field (such as
> “JWT”) were placed in this field as well.  However the parameter is
> optional and an implementation cannot rely on its being present.  This
> means that for all practical purposes all of the code to determine the
> value of the type field from the values of the alg and enc fields.  If the
> field was mandatory then this code would disappear at a fairly small space
> cost and I can understand why the parameter would be present.****
>
>  ****
>
> Can anybody justify why this field should be present in the document – or
> should it just disappear?****
>
>  ****
>
> Jim****
>
>  ****
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose****
>
>
>
> ****
>
>  ****
>
> --
> -- Dick ****
>
>
>
> ****
>
> ** **
>
> --
> -- Dick ****
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose****
>
> ** **
>
>
>
> ****
>
> ** **
>
> --
> -- Dick ****
>



-- 
-- Dick

v2.23.0 | Report a Bug | By Email