Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Thu, 20 November 2014 01:27 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Pete Resnick <presnick@qti.qualcomm.com>
Date: Thu, 20 Nov 2014 01:25:49 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/stqozfpJETTALWAacMD6r3y9gz0
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, Jim Schaad <ietf@augustcellars.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>, "jose@ietf.org" <jose@ietf.org>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>

This resolution is incorporated in the -37 drafts.

				-- Mike

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, November 19, 2014 1:49 PM
To: Pete Resnick
Cc: jose-chairs@tools.ietf.org; Jim Schaad; Kathleen Moriarty; The IESG; jose@ietf.org; draft-ietf-jose-json-web-signature@tools.ietf.org
Subject: Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)

Below I'm responding only to the remaining issue about "rejecting JWSs". Pete, please let me know if the proposed language works for you.

> >>>>> 5.2:
> >>>>>
> >>>>> Strike the last sentence of the second paragraph. There's no 
> >>>>> requirement here. If none of them validate, I can do what I want 
> >>>>> with the JWS. I needn't "reject" it. I might just mark it as "invalid".
> >>>>>
> >>>>> [Get rid of all talk of "rejecting" throughout this document.
> >>>>> Again, I will note that the signatures are not valid, but 
> >>>>> rejecting is a local implementation detail.]
> >>>>>
> >>>> As discussed during the telechat and on subsequent threads, the
> >>>> terms "accept" and "reject" are commonly used in this way, for
> >>>> instance, in RFC 5820.  As Kathleen wrote after the call, "For the
> >>>> "reject" language, Pete said on the call that he would go through
> >>>> each one to see where it might be application specific and will
> >>>> suggest changes. Thanks in advance, Pete.".
> >>>>
> 
> So I've gone through all of the "reject"s in the document, and I think 
> I see a way to allay my concern without significantly changing the
> language: Instead of saying "reject the JWS" as it does in most 
> places, I believe it would be much clearer if it simply said "reject 
> the signature" as it does in 4.1.6. Then you're clearly not saying 
> "rejecting the data", as I'm afraid certain sorts of applications 
> developers will interpret it. In some instances, you'll need to say
> something like "reject the signature of a JWS with foobar", but I
> don't think that significantly changes the intended meaning.

It turns out that way back in draft -15, in response to issue #35 (http://trac.tools.ietf.org/wg/jose/trac/ticket/35), we'd already changed statements about "rejecting the JWS" in contexts of signature failures to statements about the JWS Signature being invalid.  So those uses of "reject the JWS" that remained were actually about rejecting the whole thing - not about rejecting the signature.  I'm revisiting that history because your suggested language about "reject the signature" doesn't actually convey the correct meaning in the remaining contexts.

But I understand and agree with your intent - which is to say that implementations will determine that some JWSs are invalid, rather than the "rejection" being some kind of cataclysmic failure.  To achieve this intent, I've instead changed the language "reject the JWS" to "consider the JWS to be invalid" in my current editor's draft.  Let me know if that works for you.

I've made the parallel changes in the JWE draft as well.

				Thanks again,
				-- Mike
