[jose] [Technical Errata Reported] RFC7515 (7767)

RFC Errata System <rfc-editor@rfc-editor.org> Wed, 17 January 2024 00:25 UTC

To: mbj@microsoft.com, ve7jtb@ve7jtb.com, n-sakimura@nri.co.jp, rdd@cert.org, paul.wouters@aiven.io, ve7jtb@ve7jtb.com, john.mattsson@ericsson.com, kodonog@pobox.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: jyasskin@google.com, jose@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20240117002459.82A781BA410B@rfcpa.amsl.com>
Date: Tue, 16 Jan 2024 16:24:59 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/w_hU181aW7QiRs5MX8pdIT5JsVw>

The following errata report has been submitted for RFC7515,
"JSON Web Signature (JWS)".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7767

--------------------------------------
Type: Technical
Reported by: Jeffrey Yasskin <jyasskin@google.com>

Section: 6

Original Text
-------------
These Header Parameters MUST
   be integrity protected if the information that they convey is to be
   utilized in a trust decision; however, if the only information used
   in the trust decision is a key, these parameters need not be
   integrity protected, since changing them in a way that causes a
   different key to be used will cause the validation to fail.

Corrected Text
--------------
These Header Parameters MUST
   be integrity protected if the information that they convey is to be
   utilized in a trust decision.

Notes
-----
See the discussion for https://www.rfc-editor.org/errata/eid7719 at https://mailarchive.ietf.org/arch/msg/jose/I3_IuEfFSyiHWap7Pyn1BFAb4QM/. The deleted text is incorrect for both signature schemes and encryption schemes.

You could consider adding text like "Note that some algorithms allow multiple keys to validate or decrypt the same signature or encrypted data." to prevent readers from making the same bad assumption as the original RFC authors, but it doesn't seem necessary if doing so is contentious. Similarly, it's probably ok to simply delete the whole "Original Text" if that seems better to the reviewers.

Instructions:
-------------
This erratum is currently posted as "Reported". (If it is spam, it
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
will log in to change the status and edit the report, if necessary.

--------------------------------------
RFC7515 (draft-ietf-jose-json-web-signature-41)
--------------------------------------
Title               : JSON Web Signature (JWS)
Publication Date    : May 2015
Author(s)           : M. Jones, J. Bradley, N. Sakimura
Category            : PROPOSED STANDARD
Source              : Javascript Object Signing and Encryption
Area                : Security
Stream              : IETF
Verifying Party     : IESG
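The report above argues that the Section 6 key-identification parameters (jku, jwk, kid, x5u, x5c, x5t, x5t#S256) must be integrity protected whenever they feed a trust decision, because a valid signature or MAC does not by itself prove which key the verifier was meant to use. The following is an added example, not code from the RFC, the erratum or the jose working group: a verifier for the flattened JWS JSON Serialization (RFC 7515 Section 7.2.2) using HS256 from the Python standard library. It reads alg and every key-identification parameter from the protected header only and refuses tokens that carry any of them in the unprotected "header" member; that refuse-rather-than-ignore policy, the TRUSTED_KEYS allowlist and all key material are this example's own constructions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key set for the example: kid -> raw HMAC key. Not from the RFC or the erratum.
TRUSTED_KEYS = {
    "key-2024-01": b"constructed-hs256-key-number-one-32B",
    "key-2023-07": b"constructed-hs256-key-number-two-32B",
}

# RFC 7515 Section 6 key-identification parameters. A verifier that uses any of them
# in a trust decision must only read them from the integrity-protected header.
KEY_ID_PARAMS = {"jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_flattened(payload: bytes, kid: str, unprotected: Optional[dict] = None) -> dict:
    """Build a flattened JWS JSON Serialization object (RFC 7515 Section 7.2.2) with HS256.

    alg and kid go in the protected header; `unprotected` lets the caller attach a
    JWS Unprotected Header, which is exactly the part the MAC does not cover.
    """
    protected = {"alg": "HS256", "kid": kid}
    protected_b64 = b64url_encode(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(payload)
    # JWS Signing Input: ASCII(BASE64URL(protected) || '.' || BASE64URL(payload))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(TRUSTED_KEYS[kid], signing_input, hashlib.sha256).digest()
    jws = {"payload": payload_b64, "protected": protected_b64, "signature": b64url_encode(mac)}
    if unprotected:
        jws["header"] = unprotected
    return jws


def verify_flattened(jws: dict) -> bytes:
    """Verify a flattened JWS object and return the payload, or raise ValueError.

    Policy (this example's choice, stricter than the RFC requires): alg and the
    Section 6 key identifiers are read from the protected header only, and a token
    carrying any key identifier in the unprotected header is refused outright.
    """
    protected = json.loads(b64url_decode(jws["protected"]))
    unprotected = jws.get("header", {})

    # RFC 7515 Section 7.2.1: names in the two headers MUST be disjoint.
    if set(protected) & set(unprotected):
        raise ValueError("parameter present in both protected and unprotected headers")
    # An unprotected jwk/kid/jku/x5* could be altered without invalidating the MAC,
    # so it must never choose the key; here it is grounds for rejection.
    if KEY_ID_PARAMS & set(unprotected):
        raise ValueError("key-identification parameter in unprotected header")

    if protected.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = TRUSTED_KEYS.get(protected.get("kid"))
    if key is None:
        raise ValueError("unknown kid in protected header")

    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(jws["signature"])):
        raise ValueError("MAC mismatch")
    return b64url_decode(jws["payload"])


def verifies(jws: dict) -> bool:
    """True if verification succeeds, False on any ValueError."""
    try:
        verify_flattened(jws)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    body = b'{"sub":"alice"}'
    print(verifies(sign_flattened(body, "key-2024-01")))                              # True
    print(verifies(sign_flattened(body, "key-2024-01", {"cty": "application/json"})))  # True
    # Same valid MAC, but an embedded key was attached in the unprotected header.
    print(verifies(sign_flattened(body, "key-2024-01", {"jwk": {"kty": "oct", "k": "AAAA"}})))  # False
```

The last call is the case the erratum is about: the MAC over the protected header and payload is perfectly valid, yet the unprotected header names a key the signer never used. A verifier that resolved the key from the union of both headers would make a trust decision on bytes nobody signed; this one only ever looks at the protected header for that decision. Non-trust parameters such as cty may still travel in the unprotected header.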