IETF Logo Mail Archive

Re: [jose] Should we delete the "typ" header field

Dick Hardt <dick.hardt@gmail.com> Thu, 30 May 2013 00:29 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E33B21F93D4 for <jose@ietfa.amsl.com>; Wed, 29 May 2013 17:29:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.05
X-Spam-Level:
X-Spam-Status: No, score=-3.05 tagged_above=-999 required=5 tests=[AWL=0.548, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PxqT-O01uA+y for <jose@ietfa.amsl.com>; Wed, 29 May 2013 17:29:50 -0700 (PDT)
Received: from mail-vc0-f170.google.com (mail-vc0-f170.google.com [209.85.220.170]) by ietfa.amsl.com (Postfix) with ESMTP id CA8DE21F910D for <jose@ietf.org>; Wed, 29 May 2013 17:29:49 -0700 (PDT)
Received: by mail-vc0-f170.google.com with SMTP id gf11so6935384vcb.15 for <jose@ietf.org>; Wed, 29 May 2013 17:29:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=zE8g27nNrnq/l/SBFcTMPkwXpUqSOTG6Z39WtILDEio=; b=YBjVRh1N0U97zeXoo3t2DD85eWUmY8hKlgJ5crkEFTlGLl3HFei95ZCMha43V8ZAa6 oimxxlk0hVCVSN4R0rlqVAxxxk20k6KcmAiGA7j5OfEc8KyY2eony1d80/bRMyBeaek7 WzpqimN6N4902BrmuLCSlal4i/gwpEn5ksjrR9n9yLQ6EvtBq0Q6EYplwQbH6n8DYKn2 QWfRZAnIb8EUNkjC7CK7aN+puphHm3MCjC3fBAyORaFQ6cK762pDybzIyegfIFvmC70H hiVlhC7wr+CubTn41ehs+YhhPTEhAtHrCOaMrwp3gjwV0S1dFJrHxIsa+iRk1l4JLnnH eIGQ==
MIME-Version: 1.0
X-Received: by 10.52.53.36 with SMTP id y4mr2726045vdo.51.1369873789153; Wed, 29 May 2013 17:29:49 -0700 (PDT)
Received: by 10.52.160.161 with HTTP; Wed, 29 May 2013 17:29:49 -0700 (PDT)
In-Reply-To: <C84C740C-CA7F-40F4-829B-1A1C09EF357F@ve7jtb.com>
References: <02b701ce5cb8$46ae77e0$d40b67a0$@augustcellars.com> <CAD9ie-vK3gY9b9GQrbUa=TACy5KVA1uPH_u_utucoKzVynjuiA@mail.gmail.com> <02f501ce5cc5$ec9a2200$c5ce6600$@augustcellars.com> <CAD9ie-uV-THE0+oL-dNUB0qXF7sx8jHMZDCz8vGESmUHWV=LMg@mail.gmail.com> <C84C740C-CA7F-40F4-829B-1A1C09EF357F@ve7jtb.com>
Date: Wed, 29 May 2013 17:29:49 -0700
Message-ID: <CAD9ie-tgN7NyEU4_AP=KvcJZWSY_iOk85YYR_7zndb5ZGcP3Bw@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="089e01183cea96f77b04dde498bf"
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 00:29:54 -0000

On Wed, May 29, 2013 at 5:25 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> In the JWT spec the value of "typ" SHOULD be "jwt".   That indicates as
> Mike stated that it is a JWT in compact format that has as its body a jwt
> claim set.   If the claim set is signed then encrypted, the inner JWT has a
> a typ of jwt and no cty , and the outer one has a typ of JWT and a cty of
> jws.
>

I'm doing symmetric encryption with an integrity check, so I don't have a
JWT in a JWE


>
> If a JOSE object has a typ of jws then one would assume that it is a jws
> in compact serialization with some other body type then a jwt claimset.
>
> I think this is somewhat a symptom of the JWT and JOSE specs getting split
> into different WG.
>
> So Mike can correct me but I don't think putting jwe or jws in typ is the
> intended use of that element if you are in fact sending JWT.
>
> I understand where Jim is coming from I think of JWT as a jwt claim-set
> and JWE and JWS as the outer layer, where JWT thinks of itself as a total
> security token definition including overall processing rules for security
> tokens, with a standard envelope segment and JWE or JWS encoding as
> determined by the alg.
>

That is confusing to me.


>
> In security token processing knowing that what you have will unwrap to a
> JWT claim-set , rather than to some other thing is quite important.
>

What else would it unwrap to?


>
> John B.
>
>
> On 2013-05-29, at 7:56 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> I use it all the time and my code would barf if it was not there.
>
> I think it should be required rather than be a hint if it is going ot be
> there.
>
>
> On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <ietf@augustcellars.com>wrote:
>
>> I think the values just changed****
>>
>> ** **
>>
>> However the way you are using it would be an argument to say that it
>> should be a required field.  Are you just using it as a hint if it exists
>> and then looking at the rest of the fields if it is not present?****
>>
>> ** **
>>
>> Jim****
>>
>> ** **
>>
>> ** **
>>
>> *From:* Dick Hardt [mailto:dick.hardt@gmail.com]
>> *Sent:* Wednesday, May 29, 2013 3:49 PM
>> *To:* Jim Schaad
>> *Cc:* jose@ietf.org
>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>
>> ** **
>>
>> Well, I have been using, but now realize the spec changed or I was
>> confused.****
>>
>> ** **
>>
>> I had been setting "typ" to be either "JWE" or "JWS" depending on the
>> type of token I was creating or parsing as it was easier than looking at
>> "alg"****
>>
>> ** **
>>
>> As currently defined, I don't see value in "typ".****
>>
>> ** **
>>
>> -- Dick****
>>
>> ** **
>>
>> ** **
>>
>> On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <ietf@augustcellars.com>
>> wrote:****
>>
>> In reading the documents, I am trying to understand the justification for
>> having the “typ” header parameter in the JOSE documents.****
>>
>>  ****
>>
>> The purpose of the field is to hold the type of the object.  In the past,
>> I believe that values which should now be placed in the cty field (such as
>> “JWT”) were placed in this field as well.  However the parameter is
>> optional and an implementation cannot rely on its being present.  This
>> means that for all practical purposes all of the code to determine the
>> value of the type field from the values of the alg and enc fields.  If the
>> field was mandatory then this code would disappear at a fairly small space
>> cost and I can understand why the parameter would be present.****
>>
>>  ****
>>
>> Can anybody justify why this field should be present in the document – or
>> should it just disappear?****
>>
>>  ****
>>
>> Jim****
>>
>>  ****
>>
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose****
>>
>>
>>
>> ****
>>
>> ** **
>>
>> --
>> -- Dick ****
>>
>
>
>
> --
> -- Dick
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
>


-- 
-- Dick

v2.23.0 | Report a Bug | By Email