Re: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type

Nat Sakimura <sakimura@gmail.com> Thu, 19 September 2013 16:32 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D60521F92C2 for <jose@ietfa.amsl.com>; Thu, 19 Sep 2013 09:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OhMVjG0cJQ-g for <jose@ietfa.amsl.com>; Thu, 19 Sep 2013 09:32:14 -0700 (PDT)
Received: from mail-la0-x230.google.com (mail-la0-x230.google.com [IPv6:2a00:1450:4010:c03::230]) by ietfa.amsl.com (Postfix) with ESMTP id 953C321F9473 for <jose@ietf.org>; Thu, 19 Sep 2013 09:32:13 -0700 (PDT)
Received: by mail-la0-f48.google.com with SMTP id er20so6979871lab.7 for <jose@ietf.org>; Thu, 19 Sep 2013 09:32:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=A1l3TS+ubV8BU8dNHLnRDoUKhfIh2ltVJtEKvR0GKOQ=; b=i9UlG6vFpp6ZIcln/f/Fci/gZAPMpM/znXmtbeipkxWxv5yN/tZYNgy/smJSSMXacu OIVm2yuk3tKePs9NZamlCpN55u0Z2OvlcIIZIc2eTzsGzxNBUqyOZLV5jpcarKxWB1PH 9raVACq4JdpMsKqp1t0SWMf53Z8CBOv21e7GtAEZUI2Go6PctMTnSF7hNuudhT5YuKO+ mAPDMX2GAvvqM51/ReDqoIUOoKdZPdixvyU9mVnZm5nmACVMVQYp7xzQ5IVHERVvg+P+ quDdBzpwdNc1q4t4vDQBroafiZyOoHvLtsXjFef4ffthUQoQHLdxYK9Y7jhxSMzEOmun 9oIw==
MIME-Version: 1.0
X-Received: by 10.152.115.242 with SMTP id jr18mr1927886lab.40.1379608332417; Thu, 19 Sep 2013 09:32:12 -0700 (PDT)
Received: by 10.112.134.38 with HTTP; Thu, 19 Sep 2013 09:32:12 -0700 (PDT)
In-Reply-To: <CA+k3eCQJG8O9gn2bz1nCzyq09rC26ao0gcNRxGeemg1zS8s5-g@mail.gmail.com>
References: <4E1F6AAD24975D4BA5B168042967394371FDA44A@TK5EX14MBXC289.redmond.corp.microsoft.com> <CA+k3eCQJG8O9gn2bz1nCzyq09rC26ao0gcNRxGeemg1zS8s5-g@mail.gmail.com>
Date: Fri, 20 Sep 2013 01:32:12 +0900
Message-ID: <CABzCy2CHaJ0ThTSaEr4yT-aBS4PEmMi+rGCe-Vnz2m4-9hZO7g@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="001a11c3327a953ffa04e6bf1868"
Cc: Mike Jones <Michael.Jones@microsoft.com>, James H Manger <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2013 16:32:15 -0000

I prefer #2.
#1 has certain appeal if there is a right use case, but I cannot think of
one easily.



2013/9/20 Brian Campbell <bcampbell@pingidentity.com>

> #2 seems like a reasonable path forward.
>
>
> On Wed, Sep 18, 2013 at 5:04 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:
>
>>  We discussed issue #50 on Monday’s call and it seems like there are two
>> viable choices before us:****
>>
>> ** **
>>
>> 1.  Continue to have “cty” values come from a JOSE registry, while
>> allowing MIME Media Type values to also be used, if desired.****
>>
>>   ADVANTAGES:****
>>
>>     + Keeps values compact****
>>
>>     + Uses case-sensitive value comparison (like all other JOSE
>> parameters), avoiding internationalization issues****
>>
>>     + Already working in production deployments****
>>
>>   DISADVANTAGES:****
>>
>>     - Creates a content type value space distinct from the widely used
>> IANA Media Type Registry (http://www.iana.org/assignments/media-types).**
>> **
>>
>>     - Requires a convention to consistently spell media type names so
>> they can be matched case sensitively, when used.****
>>
>>     - Names can come from one of two registries, rather than just one
>> (possibly being disambiguated by the presence of a “/” in the name).****
>>
>> ** **
>>
>> 2.  Accept a form of James’ proposal described in
>> http://trac.tools.ietf.org/wg/jose/trac/ticket/50, in which “cty” values
>> are defined to hold MIME Media Type values, also specifying that the
>> “application/” prefix may be omitted for compactness purposes.  (MIME Media
>> Type values are not case sensitive and are limited to ASCII.)  Furthermore,
>> we could keep this from being a breaking change for JWTs by RECOMMENDING
>> that the value “cty”:”JWT” continue to be used for nested JWTs (rather than
>> “application/jwt” or “jwt”, which would break existing deployments).****
>>
>>   ADVANTAGES:****
>>
>>     + Retains the ability to have compact values for application/* media
>> types****
>>
>>     + Uses only the widely used IANA Media Type Registry****
>>
>>     + Can be deployed without breaking changes, provided people use the
>> existing spellings “JWT”, “JWK”, and “JWK-SET” when creating content for
>> those media types****
>>
>>   DISADVANTAGES:****
>>
>>     - Uses case-insensitive value comparison, which can lead to
>> interoperability problems****
>>
>>     - Implementations have to be aware of the need to prefix values not
>> containing a “/” with “application/” to get normal media type names****
>>
>> ** **
>>
>> New text for “cty” under option 2 would look something like this:****
>>
>> ** **
>>
>> *4.1.9.  "cty" (Content Type) Header Parameter*
>>
>> The cty (content type) header parameter is used to declare the MIME
>> Media Type [IANA.MediaTypes] of the secured content (the payload) in
>> contexts where this is useful to the application. This parameter has no
>> effect upon the JWS processing. Use of this header parameter is OPTIONAL.
>> ****
>>
>> Per [RFC 2045], all media type values, subtype values, and parameter
>> names are case-insensitive.  However, parameter values are case-sensitive
>> unless otherwise specified for the specific parameter.****
>>
>> To keep messages compact in common situations, a sender MAY omit an
>> "application/" prefix of a media type from a "cty" value when no other '/'
>> appears in the media type. A recipient reconstructing the media type MUST
>> prepend "application/" to a "cty" value that does not contain a '/'.****
>>
>> ** **
>>
>> As background, see
>> http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-16#section-4.1.9for the current “cty” text, see
>> http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-16#section-4.1.8for the related “typ” text, and see
>> http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-16#section-8.2for the Type Values Registry.
>> ****
>>
>> ** **
>>
>> I’m curious what people’s preferences are between the two choices.  I can
>> personally live with either outcome, since both can be deployed without
>> breaking existing deployments.  At this point, it seems to come down to a
>> question of personal taste.  Your thoughts…?****
>>
>> ** **
>>
>>                                                                 -- Mike**
>> **
>>
>> ** **
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en