IETF Logo Mail Archive

Re: [jose] thoughts on header criticality from recent polls

Anthony Nadalin <tonynad@microsoft.com> Mon, 25 February 2013 22:22 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B55421E8126 for <jose@ietfa.amsl.com>; Mon, 25 Feb 2013 14:22:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.534
X-Spam-Level:
X-Spam-Status: No, score=0.534 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KNsB-5KSQk1h for <jose@ietfa.amsl.com>; Mon, 25 Feb 2013 14:22:14 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0209.outbound.protection.outlook.com [207.46.163.209]) by ietfa.amsl.com (Postfix) with ESMTP id 3A86521E8123 for <jose@ietf.org>; Mon, 25 Feb 2013 14:22:13 -0800 (PST)
Received: from BY2FFO11FD008.protection.gbl (10.1.15.200) by BY2FFO11HUB005.protection.gbl (10.1.14.163) with Microsoft SMTP Server (TLS) id 15.0.620.12; Mon, 25 Feb 2013 22:22:09 +0000
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD008.mail.protection.outlook.com (10.1.14.159) with Microsoft SMTP Server (TLS) id 15.0.620.12 via Frontend Transport; Mon, 25 Feb 2013 22:22:09 +0000
Received: from DB9EHSOBE002.bigfish.com (157.54.51.113) by mail.microsoft.com (157.54.80.48) with Microsoft SMTP Server (TLS) id 14.2.318.3; Mon, 25 Feb 2013 22:21:54 +0000
Received: from mail23-db9-R.bigfish.com (10.174.16.240) by DB9EHSOBE002.bigfish.com (10.174.14.65) with Microsoft SMTP Server id 14.1.225.23; Mon, 25 Feb 2013 22:20:51 +0000
Received: from mail23-db9 (localhost [127.0.0.1]) by mail23-db9-R.bigfish.com (Postfix) with ESMTP id 3A5AB18006D for <jose@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Mon, 25 Feb 2013 22:20:51 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT001.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -20
X-BigFish: PS-20(zz98dI9371Ic85fh148cI146cJdb82hzz1f42h1ee6h1de0h1202h1e76h1d1ah1d2ah1082kz97hz18de19h1033IL17326ah8275dh18c673h8275bhz31h2a8h668h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh9a9j1155h)
Received-SPF: softfail (mail23-db9: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=tonynad@microsoft.com; helo=BL2PRD0310HT001.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BY2PR03MB042; H:BY2PR03MB041.namprd03.prod.outlook.com; LANG:en;
Received: from mail23-db9 (localhost.localdomain [127.0.0.1]) by mail23-db9 (MessageSwitch) id 1361830848717523_20913; Mon, 25 Feb 2013 22:20:48 +0000 (UTC)
Received: from DB9EHSMHS008.bigfish.com (unknown [10.174.16.247]) by mail23-db9.bigfish.com (Postfix) with ESMTP id AA98F4A0046; Mon, 25 Feb 2013 22:20:48 +0000 (UTC)
Received: from BL2PRD0310HT001.namprd03.prod.outlook.com (157.56.240.21) by DB9EHSMHS008.bigfish.com (10.174.14.18) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 25 Feb 2013 22:20:48 +0000
Received: from BY2PR03MB042.namprd03.prod.outlook.com (10.255.241.146) by BL2PRD0310HT001.namprd03.prod.outlook.com (10.255.97.36) with Microsoft SMTP Server (TLS) id 14.16.275.5; Mon, 25 Feb 2013 22:20:47 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by BY2PR03MB042.namprd03.prod.outlook.com (10.255.241.146) with Microsoft SMTP Server (TLS) id 15.0.620.20; Mon, 25 Feb 2013 22:20:45 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com ([169.254.7.143]) by BY2PR03MB041.namprd03.prod.outlook.com ([169.254.7.143]) with mapi id 15.00.0620.020; Mon, 25 Feb 2013 22:20:45 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Tim Bray <tbray@textuality.com>, Mike Jones <Michael.Jones@microsoft.com>
Thread-Topic: [jose] thoughts on header criticality from recent polls
Thread-Index: AQHOE0rwcYeI1RVAZEedEIuXmbuoEJiKtocAgABuvgCAAAClkA==
Date: Mon, 25 Feb 2013 22:20:44 +0000
Message-ID: <c2c1dd9d1aeb427c80252035fa251fa5@BY2PR03MB041.namprd03.prod.outlook.com>
References: <512B4A34.9090305@isoc.org> <4E1F6AAD24975D4BA5B1680429673943674A42FA@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAHBU6iupD-1B2w6HO4ttxwBk3Tr-Pp2PHkZqqgj0HoMv00LHAw@mail.gmail.com>
In-Reply-To: <CAHBU6iupD-1B2w6HO4ttxwBk3Tr-Pp2PHkZqqgj0HoMv00LHAw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [71.4.138.3]
Content-Type: multipart/alternative; boundary="_000_c2c1dd9d1aeb427c80252035fa251fa5BY2PR03MB041namprd03pro_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB042.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%ISOC.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%TEXTUALITY.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC105.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC105.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(24454001)(189002)(52284001)(199002)(52604002)(377454001)(16676001)(31966008)(56776001)(49866001)(63696002)(53806001)(16297215001)(54356001)(74662001)(5343635001)(54316002)(6806001)(47446002)(5343655001)(47976001)(33646001)(50986001)(20776003)(59766001)(16236675001)(76482001)(15202345001)(561944001)(56816002)(74502001)(79102001)(51856001)(44976002)(1511001)(512954001)(77982001)(65816001)(47736001)(80022001)(46102001)(4396001)(66066001)(42262001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB005; H:TK5EX14HUBC105.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 076804FE30
Cc: "odonoghue@isoc.org" <odonoghue@isoc.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] thoughts on header criticality from recent polls
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2013 22:22:21 -0000

Worse is that "MUT UNDERSTAND" was never understood in SOAP

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Tim Bray
Sent: Monday, February 25, 2013 2:18 PM
To: Mike Jones
Cc: jose@ietf.org; odonoghue@isoc.org
Subject: Re: [jose] thoughts on header criticality from recent polls

One addition to Mike's notes.  If you are going to have ignorable fields, it'd be nice to avoid one of the (many, many) design botches that increased the difficulty of doing SOAP; it had a thing where you could specify, in among the SOAP headers, a MUST-UNDERSTAND rule. The effect was that you didn't know whether you could act on any header until you'd seen them all, because there might be a MUST-UNDERSTAND lurking somewhere.

The "ign" : [ "notes" ] idiom has, to my eye, that drawback.  The structured one lets you know, as soon as you see a field, whether it's OK to not understand it.  -T

On Mon, Feb 25, 2013 at 7:41 AM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
Thanks for sending this, Karen.  Hopefully your analysis will help the working group reach a resolution on this issue soon.  I'm writing this note primarily as an editor to help inform the working group's discussions, rather than as an individual contributor.

First, I want to point out that while we've been discussing criticality of header parameters, the specs actually currently have the "MUST be understood" language in the JWK specification as well, as that's another potential extension point.  The JWK description says "Additional members MAY be present in the JWK.  If present, they MUST be understood by implementations using them."  The same language is present for the JWK Set.  For our resolution of the issue to be complete, it should address those uses too.  Given that a number of additional JWK fields are being discussed, I expect that extensions will occur there.

Second, if we do decide to go with your approach (1), I'll summarize for the list what I believe the two syntax proposals on the table are for doing this.  One proposal is 2A in http://www.ietf.org/mail-archive/web/jose/current/msg01353.html (which I'll call the FLAT SYNTAX) and the other is the syntax that Dick Hardt proposed in http://www.ietf.org/mail-archive/web/jose/current/msg01457.html (which I'll call the STRUCTURED SYNTAX).  I believe that it would be useful for the working group to discuss which of those they would prefer in parallel to discussing the questions that you asked, so that if we do go with approach (1) or something like it, we'll know which to use.

FLAT SYNTAX:
    {"alg":"ES256",
     "ign":["notes"],
     "notes":"This header field can be safely ignored"
    }

STRUCTURED SYNTAX:
    {"alg":"ES256",
     "ign":{
       "notes":"This header field can be safely ignored"
      }
    }

As I see it, the advantage of the flat syntax is all header fields are in the same place.  This makes processing header fields easier and is more regular.  The disadvantage is that the list of fields that may be safely ignored repeats those field names.

As I see it, the advantage of the structured syntax is that nothing is repeated, resulting in cleaner JSON syntax.  The disadvantage is that then some header fields are in one place and some are in another, making the processing rules for header fields more complicated.

Between these two, it seems to come down to a choice between cleaner syntax or cleaner semantics.  (I'd personally lean towards the simpler processing rules resulting from the flat syntax, but I would be fine with this coming out either way.)

Finally, I'll point out that I don't believe that your approaches (1) and (2) are mutually exclusive.  We could conceivably leave it up to application specifications using the JOSE specs whether they require header fields to be understood by default AND provide a syntax for declaring which fields may be safely ignored for use in those application contexts where the application spec does require that header fields be normally understood.  In fact, one might consider this to fall under the "(possibly providing guidance directed to those applications in the JOSE specs)" that you suggested below.

I hope the points above help further a productive discussion of this topic.

                                                            -- Mike

From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>] On Behalf Of Karen O'Donoghue
Sent: Monday, February 25, 2013 3:26 AM
To: jose@ietf.org<mailto:jose@ietf.org>
Subject: [jose] thoughts on header criticality from recent polls

Folks,

Thank you for your patience with me regarding the recent polls on header criticality. I realize I have taken too long to respond from a chairs perspective with some results and direction. I had hoped to provide either a decision or a clear set of choices, but after analyzing the poll results, rereading all the email traffic (multiple times), and talking to a few working group members, I find I am not quite able to do so. So, what next...

First, what I do believe...

I think it is clear that the working group remains divided on this issue with a significant number of members feeling that an approach must be defined that safely allows for some header fields to be considered non-critical. I think there is general consensus that there must be reasonable mechanisms for extensibility, and that the approach must be generic. Based on that, I would like to ask the working group to move forward with the strategy that all headers cannot be considered critical and move on to the discussion of how to approach non-critical headers.

In my review of the mailing list traffic (and my apologies if I missed something), I have seen a number of basic approaches proposed (summarized by Jim Schaad on 9 Oct 2012 with the response by James Manager on 10 Oct 2012). In particular, I found James' list of requirements to be very helpful, and I have repeated it here...

A. Want to be able to define messages with new semantics in future, without any risk that old implementations will misinterpret them with old semantics.

B. Want to be able to *redefine* (or constrain) the semantics of *existing* fields in future, without any risk that old implementations will misinterpret them with old semantics (or without the constraints).

C. Want to prevent large blobs of ignored data appearing in messages, as similar blobs have been used to create hash collisions between legitimate & malicious certificates that use weak algorithms (eg MD5).

D. Want to strongly discourage future extensions (feature-creep), under the philosophy that even well-intentioned extensions tend to do more harm (by adding complexity that is only deployed sporadically) than the good of any new functionality they bring.

E. Loosely coupling clients and servers is generally considered a good thing; but strongly coupling them is more appropriate for a secure message format for [insert a reason here]. A possible reason is that people are too likely to choose to make an extension non-critical for short-term ease of interoperability, instead of making it critical for better long-term security.

>From this list, I believe A is definitely a requirement. I am unclear regarding working group consensus on B, C, and E, and I believe D is not a requirement.

QUESTION: Is there working group consensus on the requirements we are trying to address? Perhaps a short discussion clarifying these would help drive consensus on the overall approach.

As for possible solutions, we appear to have evolved to the point where we are of two minds:

1) Define a header field that explicitly lists the fields that may be safely ignored if not understood. (Here I am assuming that we aren't going to define a separate header for non-critical elements.)

2) Remain silent on header criticality in the JOSE specifications and leave it up to the various application specifications (possibly providing guidance directed to those applications in the JOSE specs).

I sense that there is more support for the first approach, but I am concerned that there is a significant minority that favor the second approach.

QUESTION: Can the working group agree on whether to work on approach 1 or approach 2?

In conclusion, I am asking three things in this missive:
1. I am asking the working group to move forward based on a non-critical headers approach.
2. I am asking the working group to clarify the requirements driving the non-critical header discussion (A, B, C, D, E, or ?).
3. I am asking the working group to decide whether the right approach is to develop a specific syntax (if so, what?) or to defer to the applications with appropriate guidance (if so, what level of guidance)? To address this item, I welcome concise proposals of text.

I realize this message is long and not as specific or prescriptive as some would like, and I apologize in advance for any mistakes and misunderstandings on my part.

Regards,
Karen O'Donoghue

_______________________________________________
jose mailing list
jose@ietf.org<mailto:jose@ietf.org>
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email