Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)
Mike Jones <Michael.Jones@microsoft.com> Thu, 02 October 2014 15:39 UTC
From: Mike Jones <Michael.Jones@microsoft.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Richard Barnes <rlb@ipv.sx>
Date: Thu, 02 Oct 2014 15:38:11 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BAB3A9B@TK5EX14MBXC288.redmond.corp.microsoft.com>
In-Reply-To: <CAHbuEH73YHOajSuTD9UTWuijT+M3rwqf-OOANBEAbB57L8xCQA@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/wv1YWbftEKHZUQ88hRNVkQU3Ueg
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, The IESG <iesg@ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>, "jose@ietf.org" <jose@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>
Subject: Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Thursday, October 02, 2014 8:34 AM
> To: Richard Barnes
> Cc: Pete Resnick; Ted Lemon; John Bradley; jose-chairs@tools.ietf.org; The IESG; draft-ietf-jose-json-web-signature@tools.ietf.org
> Subject: Re: Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)
>
> On Thu, Oct 2, 2014 at 11:29 AM, Richard Barnes <rlb@ipv.sx> wrote:
>> On Thu, Oct 2, 2014 at 11:25 AM, Pete Resnick <presnick@qti.qualcomm.com> wrote:
>>> On 10/2/14 10:18 AM, Ted Lemon wrote:
>>>> On Oct 2, 2014, at 11:05 AM, Pete Resnick <presnick@qti.qualcomm.com> wrote:
>>>>> If I use an instant messaging protocol that uses JWS as a payload format for signed instant messages, and in my client, when I receive a message with a broken signature, I display the message to the user but put a big red box around the message with a flashing title in the margin in 7 point Helvetica that says, "Invalid Signature", will I have violated the JWS spec? This isn't as part of "error processing and display"; I'm displaying the text of the message to the user, but I'm marking it as invalid.
>>>>
>>>> That seems like the wrong thing to do, unless you like to get a lot of nicely highlighted spam in your instant messaging client.
>>>
>>> Very much depends on the environment and the purpose. Which is an implementation decision. "MUST reject" is, in fact, not right.
>>>
>>> pr
>>> --
>>> Pete Resnick <http://www.qualcomm.com/~presnick/>
>>> Qualcomm Technologies, Inc. - +1 (858)651-4478
>>
>> Look, the signature verification process has two outcomes:
>>
>> 1. This is a valid signed object
>> 2. This is not a valid signed object
>>
>> The common names for these are "accept" and "reject". No further semantics apply.
>>
>> --Richard
>
> I agree with Richard here. If we go down the path of changing the language, then we'll have to explore qualifiers to make sure we are not introducing security risks as well.
>
> --
> Best regards,
> Kathleen

+1 from me.

We can explore adding language saying that "reject" does not imply that error processing can't occur, but I don't see a compelling case for changing the accept/reject language throughout.

-- Mike
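As an added example, not from the thread or from the JWS draft, the distinction Richard draws can be made concrete in code: a minimal HS256 verifier for the JWS compact serialization whose only outcomes are accept or reject, with two application policies layered on top, the "drop it" handling Ted prefers and the "display it but flag it" handling Pete describes. The verifier is identical in both; only what the application does with "reject" differs. The key, the message texts and the policy function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# The application pins the algorithm it is willing to accept; it never takes
# the "alg" value in the header on faith (assumption of this example).
EXPECTED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWS parts carry no padding; anything outside the base64url alphabet is malformed.
    if "=" in text:
        raise ValueError("padding not allowed in JWS parts")
    return base64.b64decode(text + "=" * (-len(text) % 4), altchars=b"-_", validate=True)


def jws_sign_hs256(payload: bytes, key: bytes) -> str:
    """Produce header.payload.signature (JWS compact serialization) with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": EXPECTED_ALG}, separators=(",", ":")).encode())
    signing_input = f"{header}.{b64url_encode(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def jws_verify_hs256(token: str, key: bytes):
    """Exactly two outcomes: (True, payload) for a valid signed object, else (False, None)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64url, or a header that is not JSON
        return False, None
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return False, None  # rejects "alg":"none" and every algorithm that was not pinned
    if "crit" in header:
        return False, None  # this verifier understands no extension header parameters
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, None
    return True, payload


def peek_payload(token: str) -> str:
    """Best-effort decode of the UNVERIFIED payload, for display only, never for decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        return "<unparseable message>"
    try:
        return b64url_decode(parts[1]).decode("utf-8", errors="replace")
    except ValueError:
        return "<unparseable message>"


def policy_drop(token: str, key: bytes) -> dict:
    """Rejected objects are not shown to the user at all."""
    accepted, payload = jws_verify_hs256(token, key)
    if not accepted:
        return {"shown": False}
    return {"shown": True, "verified": True, "text": payload.decode("utf-8")}


def policy_display_flagged(token: str, key: bytes) -> dict:
    """Rejected objects are shown, but marked invalid. The text is attacker-controlled:
    it is rendered as opaque text and nothing is acted on. This is the "nicely highlighted
    spam" case: the verifier said reject, the application chose to display anyway."""
    accepted, payload = jws_verify_hs256(token, key)
    if accepted:
        return {"shown": True, "verified": True, "text": payload.decode("utf-8")}
    return {"shown": True, "verified": False, "warning": "Invalid Signature",
            "text": peek_payload(token)}


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"  # constructed sample key
    good = jws_sign_hs256(b"hello from alice", key)
    h, p, _ = good.split(".")
    forged = b64url_encode(b'{"alg":"none"}') + "." + p + "."  # unsigned, constructed
    for tok in (good, forged):
        print(policy_drop(tok, key))
        print(policy_display_flagged(tok, key))
```

Both policies call the same `jws_verify_hs256`, which returns nothing but accept or reject and the payload it validated; what a client shows, logs or discards on reject is decided entirely outside the verifier.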