Re: [jose] Header criticality -- hidden consensus?

Mike Jones <Michael.Jones@microsoft.com> Sat, 09 February 2013 00:03 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>, Brian Campbell <bcampbell@pingidentity.com>
Date: Sat, 09 Feb 2013 00:02:37 +0000
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Header criticality -- hidden consensus?

FWIW, I believe that John Bradley's, Ryo Ito's, and Dick Hardt's responses are also incorrectly tallied below, the caveats on Breno de Medeiros' "B" are missing, and Chuck Mortimore's response is missing.  I believe that their responses were:

N       Y       A    Campbell
N       Y       A    Bradley
N       Y       A    Ito
Y       Y       C    Hardt (Dick changed his answer on 3)
Y       Y       B*   de Medeiros (*B if the new header can be omitted, so that 3-component JWTs are still valid. I don't support this option if backwards-incompatible.)
Y       Y       A    Mortimore

By my count, this would bring the answers to date on the first question to:

16 "yes"
10 "no"

FWIW

And yes, the IETF doesn't vote... :)  I'm sure we'll have an interesting discussion after the polling period is over on Monday.  As for me, I have been actively thinking about how to meet everyone's perceived needs, but will hold off on that until after Monday.

                                                                Take care,
                                                                -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Friday, February 08, 2013 3:35 PM
To: Richard Barnes
Cc: jose@ietf.org
Subject: Re: [jose] Header criticality -- hidden consensus?

FWIW, I didn't see my name on the tabulation but I did 'vote' http://www.ietf.org/mail-archive/web/jose/current/msg01461.html

On Fri, Feb 8, 2013 at 4:11 PM, Richard Barnes <rlb@ipv.sx> wrote:
We're 24 votes into the header criticality poll, so I thought I would go ahead and take a look at how the results are shaping up.  My initial tabulation is below.  The result on the FIRST POLL (the main one) is as follows:

No: 10
Yes: 14

What I find striking, however, is that every single person that voted "Yes" on the FIRST POLL also voted "Yes" on the SECOND POLL.  So nobody who thinks that all headers should be critical thinks that a JOSE library should actually be required to enforce this constraint.  And that means that enforcing that all headers are supported cannot be a MUST according to RFC 2119.

So I wonder if there's consensus to remove the following text from JWE and JWS:
-----BEGIN-JWE-----
   4.   The resulting JWE Header MUST be validated to only include
        parameters and values whose syntax and semantics are both
        understood and supported.
-----END-JWE-----
-----BEGIN-JWS-----
   4.  The resulting JWS Header MUST be validated to only include
       parameters and values whose syntax and semantics are both
       understood and supported.
-----END-JWS-----

Otherwise, a JOSE library conforming to these specifications would be REQUIRED (a synonym to MUST in 2119) to reject a JWE/JWS that contains an unknown header, contradicting all those "Yes" votes on the SECOND POLL.

--Richard



-----BEGIN-Tabulation-----
1       2       3    Name:
N       -       -    Bradley
N       -       -    Ito
N       N       A    Yee
N       N       B    Barnes
N       N       B    Rescorla
N       N       C    Manger
N       N       C    Octman
N       Y       A    Fletcher
N       Y       A    Miller
N       Y       A    Sakimura
Y       Y       -    D'Agostino
Y       Y       A    Biering
Y       Y       A    Brault
Y       Y       A    Hedberg
Y       Y       A    Jay
Y       Y       A    Jones
Y       Y       A    Marais
Y       Y       A    Nadalin
Y       Y       A    Nara
Y       Y       A    Nennker
Y       Y       A    Solberg
Y       Y       B    Hardt
Y       Y       B    Medeiros
Y       Y       C    Matake
Y       Y       C    Mishra
-----END-Tabulation-----

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose
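
Added example (not part of the original thread, and not code from any JOSE library): what the quoted step 4 means for a receiver. Strict mode rejects a header carrying any parameter the receiver does not implement; lenient mode ignores it and reports what was ignored. The supported sets, the "x-example" parameter and the sample tokens are constructed for illustration, and signature verification is out of scope.

```python
import base64
import json

# Assumption: the header parameters and algorithms this receiver implements.
SUPPORTED_PARAMS = {"alg", "typ", "kid"}
SUPPORTED_ALGS = {"HS256", "RS256"}

class UnsupportedHeader(ValueError):
    """Raised when the header fails validation."""

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_compact(header):
    """Build a constructed, unsigned compact serialization for the demo."""
    parts = [json.dumps(header).encode(), b'{"demo":true}', b"not-a-real-signature"]
    return ".".join(b64url_encode(p) for p in parts)

def parse_header(compact):
    header = json.loads(b64url_decode(compact.split(".", 1)[0]))
    if not isinstance(header, dict):
        raise UnsupportedHeader("header is not a JSON object")
    return header

def validate_header(header, strict):
    """Return the unknown parameter names that were ignored (lenient mode)."""
    # Values of known parameters must be supported in either mode.
    if header.get("alg") not in SUPPORTED_ALGS:
        raise UnsupportedHeader("unsupported alg: %r" % header.get("alg"))
    unknown = sorted(set(header) - SUPPORTED_PARAMS)
    if strict and unknown:
        # Behaviour required by the quoted step 4: reject, do not ignore.
        raise UnsupportedHeader("unknown header parameters: " + ", ".join(unknown))
    return unknown

# Constructed samples; "x-example" is a hypothetical extension parameter.
PLAIN = make_compact({"alg": "HS256", "typ": "JWT"})
EXTENDED = make_compact({"alg": "HS256", "x-example": "v1"})

if __name__ == "__main__":
    for name, token in (("plain", PLAIN), ("extended", EXTENDED)):
        for strict in (True, False):
            try:
                print(name, strict, validate_header(parse_header(token), strict))
            except UnsupportedHeader as err:
                print(name, strict, "rejected:", err)
```

Returning the ignored names from lenient mode lets the caller log them, so a deployment can see which extensions it is silently skipping.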