IETF Logo Mail Archive

Re: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type

Mike Jones <Michael.Jones@microsoft.com> Fri, 04 October 2013 02:31 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4FBE11E8108 for <jose@ietfa.amsl.com>; Thu, 3 Oct 2013 19:31:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.338
X-Spam-Level:
X-Spam-Status: No, score=-3.338 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pxLgR0jMR5cG for <jose@ietfa.amsl.com>; Thu, 3 Oct 2013 19:31:30 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0153.outbound.protection.outlook.com [207.46.163.153]) by ietfa.amsl.com (Postfix) with ESMTP id 2ABFB11E80FE for <jose@ietf.org>; Thu, 3 Oct 2013 19:31:29 -0700 (PDT)
Received: from BLUPR03CA036.namprd03.prod.outlook.com (10.141.30.29) by BLUPR03MB133.namprd03.prod.outlook.com (10.255.212.11) with Microsoft SMTP Server (TLS) id 15.0.785.10; Fri, 4 Oct 2013 02:31:27 +0000
Received: from BN1BFFO11FD043.protection.gbl (2a01:111:f400:7c10::160) by BLUPR03CA036.outlook.office365.com (2a01:111:e400:879::29) with Microsoft SMTP Server (TLS) id 15.0.785.10 via Frontend Transport; Fri, 4 Oct 2013 02:31:27 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD043.mail.protection.outlook.com (10.58.53.249) with Microsoft SMTP Server (TLS) id 15.0.785.10 via Frontend Transport; Fri, 4 Oct 2013 02:31:27 +0000
Received: from TK5EX14MBXC290.redmond.corp.microsoft.com ([169.254.1.157]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.03.0136.001; Fri, 4 Oct 2013 02:30:40 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type
Thread-Index: AQHOvVvwvnMtgWDYvk2YOEGpRtUlxJndl8AAgAYfetCAABVr8IAACszg
Date: Fri, 04 Oct 2013 02:30:39 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739437201D715@TK5EX14MBXC290.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B168042967394371FDA44A@TK5EX14MBXC289.redmond.corp.microsoft.com> <013a01cebd5b$b48cc100$1da64300$@augustcellars.com> <255B9BB34FB7D647A506DC292726F6E115315562A9@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B16804296739437201D3F9@TK5EX14MBXC290.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E11531983BD6@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11531983BD6@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.79]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739437201D715TK5EX14MBXC290r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(189002)(377454003)(13464003)(51444003)(74502001)(47446002)(561944002)(74662001)(6806004)(63696002)(76796001)(56816003)(76786001)(512874002)(20776003)(46102001)(69226001)(55846006)(80022001)(80976001)(65816001)(19580395003)(59766001)(56776001)(54316002)(31966008)(77982001)(85306002)(77096001)(83322001)(19580405001)(16236675002)(66066001)(74706001)(79102001)(76482001)(44976005)(49866001)(33656001)(47736001)(4396001)(19300405004)(15202345003)(81686001)(53806001)(74366001)(54356001)(84326002)(83072001)(15975445006)(81816001)(74876001)(81542001)(51856001)(47976001)(50986001)(71186001)(81342001); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR03MB133; H:mail.microsoft.com; CLIP:131.107.125.37; FPR:; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0989A7979C
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Subject: Re: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Oct 2013 02:31:42 -0000

I’m more concerned about keeping things simple for recipients than senders, as there are orders of magnitude more relying parties than identity providers, and while identity providers tend to be written by professionals, relying parties are all over the map.

The “does it have a slash in it?” test is a one-liner in every programming language I know of.
The “is the media type name missing a prefix?” test, when the type may contain slashes in parameters, is not quite as simple.

                                                                -- Mike

From: Manger, James H [mailto:James.H.Manger@team.telstra.com]
Sent: Thursday, October 03, 2013 7:24 PM
To: Mike Jones; Jim Schaad; jose@ietf.org
Subject: RE: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type

“if the major type is “application” omit the “application/” prefix” is an even simpler rule ;-)


Even if the spec text was “if it doesn’t have a slash in it, add application/ to the front of it” I would be tempted to implement “if it doesn’t have a slash in it (that isn’t after a semicolon), add application/ to the front of it”. That doesn’t break any correct cases. It is merely a little bit lenient in cases where the originator was slightly sloppy by checking the major type but not the parameters (perhaps a parameter was set in a different part of the originator’s code than setting the base media type). But if these slightly sloppy messages interoperate with some recipients, that pressures other recipients to be equally lenient otherwise they lose market share. Hence, I think a dirt-simple rule for originators (always omit “application/”) is a better for the spec.

--
James Manger

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Friday, 4 October 2013 10:34 AM
To: Manger, James H; Jim Schaad; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type


I think that “application/foo;part="1/2"” should be required to retain the “application/” part.  Then the rule can still be the dirt-simple “if it doesn’t have a slash in it, add application/ to the front of it”.



                                                                Cheers,

                                                                -- Mike



-----Original Message-----
From: Manger, James H [mailto:James.H.Manger@team.telstra.com]
Sent: Sunday, September 29, 2013 8:01 PM
To: Jim Schaad; Mike Jones; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type



Media types can have parameters. It is not worth making JOSE a special case by forbidding parameters in "cty" media type values.



As for when a sender omits "application/" and a receiver prepends it...

The “easy” choice for a sender is to drop the prefix when mediaType.startsWith("application/") or when mediaType.type == "application".

The “easy” choice for a receiver is to prepend "application/" when a "cty" value has no ‘/’ character.

These “easy” choices are incompatible when a parameter includes a ‘/’.



My initial suggested text tolerated receivers making the “easy” choice so it couldn’t allow senders to always drop “application/”.

That probably is the wrong way around. It would be better to allow senders to make the “easy” choice and, consequently, require receivers to consider ‘/’ and ‘;’ characters when deciding whether to prepend "application/". It would probably be worth including an example with a ‘/’ in a parameter to help recipients get this right. We may as well make omitting "application/" a MUST (as MUSTs are better than MAYs).



Current proposal:



  To keep messages compact in common situations, a sender MAY omit an

  "application/" prefix of a media type from a "cty" value when no

  other '/' appears in the media type. A recipient reconstructing the

  media type MUST prepend "application/" to a "cty" value that does not

  contain a '/'.



New proposal:



  To keep messages compact in common situations, a sender MUST omit the

  "application/" prefix when the top-level type is "application".

  A recipient reconstructing the media type MUST prepend "application/"

  to a "cty" value that contains no '/' character or no '/' before a ';' character.



  Example: {"cty":"foo;part=\"1/2\""} conveys the media type

  application/foo;part="1/2".



--

James Manger





From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad

Sent: Monday, 30 September 2013 7:34 AM

To: 'Mike Jones'; jose@ietf.org<mailto:jose@ietf.org>

Cc: Manger, James H

Subject: Re: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type



I would prefer going with option 2, however based on the suggested text I got at least one surprise that I was not expecting and want to get confirmed.



It would appear from the text that parameters are expected to be allowed for the content type.  This makes it equivalent to what is allowed by MIME, but I don’t remember it ever being explicitly stated as something to be allowed.



(see below note on use of / as a marker)



Jim





From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones

Sent: Wednesday, September 18, 2013 4:05 PM

To: jose@ietf.org<mailto:jose@ietf.org>

Cc: James H Manger

Subject: [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type



We discussed issue #50 on Monday’s call and it seems like there are two viable choices before us:



1.  Continue to have “cty” values come from a JOSE registry, while allowing MIME Media Type values to also be used, if desired.

  ADVANTAGES:

    + Keeps values compact

    + Uses case-sensitive value comparison (like all other JOSE parameters), avoiding internationalization issues

    + Already working in production deployments

  DISADVANTAGES:

    - Creates a content type value space distinct from the widely used IANA Media Type Registry (http://www.iana.org/assignments/media-types).

    - Requires a convention to consistently spell media type names so they can be matched case sensitively, when used.

    - Names can come from one of two registries, rather than just one (possibly being disambiguated by the presence of a “/” in the name).



2.  Accept a form of James’ proposal described in http://trac.tools.ietf.org/wg/jose/trac/ticket/50, in which “cty” values are defined to hold MIME Media Type values, also specifying that the “application/” prefix may be omitted for compactness purposes.  (MIME Media Type values are not case sensitive and are limited to ASCII.)  Furthermore, we could keep this from being a breaking change for JWTs by RECOMMENDING that the value “cty”:”JWT” continue to be used for nested JWTs (rather than “application/jwt” or “jwt”, which would break existing deployments).

  ADVANTAGES:

    + Retains the ability to have compact values for application/* media types

    + Uses only the widely used IANA Media Type Registry

    + Can be deployed without breaking changes, provided people use the existing spellings “JWT”, “JWK”, and “JWK-SET” when creating content for those media types

  DISADVANTAGES:

    - Uses case-insensitive value comparison, which can lead to interoperability problems

    - Implementations have to be aware of the need to prefix values not containing a “/” with “application/” to get normal media type names



New text for “cty” under option 2 would look something like this:



4.1.9.  "cty" (Content Type) Header Parameter The cty (content type) header parameter is used to declare the MIME Media Type [IANA.MediaTypes] of the secured content (the payload) in contexts where this is useful to the application. This parameter has no effect upon the JWS processing. Use of this header parameter is OPTIONAL.

Per [RFC 2045], all media type values, subtype values, and parameter names are case-insensitive.  However, parameter values are case-sensitive unless otherwise specified for the specific parameter.

To keep messages compact in common situations, a sender MAY omit an "application/" prefix of a media type from a "cty" value when no other '/' appears in the media type. A recipient reconstructing the media type MUST prepend "application/" to a "cty" value that does not contain a '/'.



[JLS]  I think that this is too restrictive.  It would mean that Foo; separator=”/”

Would not be allowed as there is a slash character, but is not part of the front.  While it is true it makes the test easier, it seems odd that the parameter value should allow for that to be part of the criteria to omit the application text.



As background, see http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-16#section-4.1.9 for the current “cty” text, see http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-16#section-4.1.8 for the related “typ” text, and see http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-16#section-8.2 for the Type Values Registry.



I’m curious what people’s preferences are between the two choices.  I can personally live with either outcome, since both can be deployed without breaking existing deployments.  At this point, it seems to come down to a question of personal taste.  Your thoughts…?



                                                                -- Mike

v2.23.0 | Report a Bug | By Email