[OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)

Brian Campbell <bcampbell@pingidentity.com> Mon, 05 August 2024 19:14 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA3D7C1CAE7D for <oauth@ietfa.amsl.com>; Mon, 5 Aug 2024 12:14:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h61L-uwUFP-V for <oauth@ietfa.amsl.com>; Mon, 5 Aug 2024 12:14:43 -0700 (PDT)
Received: from mail-vk1-xa36.google.com (mail-vk1-xa36.google.com [IPv6:2607:f8b0:4864:20::a36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 045A0C1CAE81 for <oauth@ietf.org>; Mon, 5 Aug 2024 12:14:42 -0700 (PDT)
Received: by mail-vk1-xa36.google.com with SMTP id 71dfb90a1353d-4f6b8b7d85bso3838541e0c.1 for <oauth@ietf.org>; Mon, 05 Aug 2024 12:14:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1722885282; x=1723490082; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=kAvHaZc/3bob88dRAZXK834MKeKe9GC0kyb/iHj7YYE=; b=IaKKw5jvqiiis3aBBDFNaEhMgD8uWfML0kMCUzVwGoC5JFJW+Oj41NrciYjYq60uNO /CNSB9EhlC67UIrdf2RunnjDW+uy8yTuGJdre40YGPIRYQySyDM6zcoVoYStwR4YtcSC ywF/n693yHePXY1B1xd+zL1KSKPKIFh/hlE/sboWQNgBkfXNN3vvjbbq9z2ngby9Fvl5 TjBcpNi3srOdHCUT/aSsqBoZhPl3ha2fg5+lKBIu7m82HoExVvrSVDaIr1x3Jb+75Erq vjmG+HtIaUioTWzJkDGoDlM1AF/7Ym3bwye9LxUFXNWThj4HEryx6nUewknVyC2iP/ST y7OQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722885282; x=1723490082; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=kAvHaZc/3bob88dRAZXK834MKeKe9GC0kyb/iHj7YYE=; b=wkdvJjiXzVCxp45CUFJ5mqE9uqV3LyWMx+IyyLx0/sV+Lz/7jJu3bJIN+NjcKI21SN KRySwO7A66cXeBeQpaUzHXaxTZRjeHwLZtMCjj/C4xDib3NkDb3TLu7FRDWDbT6RZ0ks VktIdE6oRT6DFnAArCPgIt4A7VhuEajgLZW3doYsjeL+Ioi0Vj8GLvHm4K73bp0L0Ks9 YNG/yqPEUu/sm77g+sCkWjcP/fSwxEb3mOj7s3qM1nP+vEfTSdGevqyJMnjbsbCkwvJO MA3M5J/Txtl5WKMW/vAjDYjpQh6c55KLuz/lZWbLNI04TqGP8skYV+gojcc7TR+CVKj5 OqgA==
X-Forwarded-Encrypted: i=1; AJvYcCVCWPYxbuFR7z037kNC2gM5jq7g/3wTnkt24A/8nWP0AG+6BMy1d/hKzNfs7X0UShs/ETegUon7RirpEdNRXA==
X-Gm-Message-State: AOJu0YxKnAcQZOrTMLjzjZERBZt9apOTlBZfDR0nO1Io+iPzjVse1S6A jIA8GMaGgZyJcfLzBg/gSYAcnBY5dy9flisiikVTQgnyIpS/09Km1/wT6sLRoNes67JyRYRiC7u MPiEUkGJaZwUzVM18pZprMRypW6gH7cIjJT2mZlvMYhFuZlAZYbl6pS6L4gIGyhkvMfZ2nh5YOD qpwoTuG+qMfg==
X-Google-Smtp-Source: AGHT+IGBziw0rPvQLvhuiDhQ/loGu9R4GowUwtdi7zI8UL8cL4pCjJkms2qCxiJnLdvHQxMSVAdZk96O686UytEWSLk=
X-Received: by 2002:a05:6122:4581:b0:4f5:23e4:b7c with SMTP id 71dfb90a1353d-4f89fe608fbmr15148992e0c.0.1722885281656; Mon, 05 Aug 2024 12:14:41 -0700 (PDT)
MIME-Version: 1.0
References: <20240731132617.0FE6C3B873@rfcpa.rfc-editor.org> <CA+k3eCSU45mnmRQxdNhf-cJ6FEfxon9d64bO0jJ4u3G99bEvqA@mail.gmail.com> <DBAPR83MB0437A90177CB7B34DBD67F1291B12@DBAPR83MB0437.EURPRD83.prod.outlook.com> <CA+k3eCQ_8NAmdYejmj7oLW=QeLM1=AHKnPQyM2qhc65=hNwqTw@mail.gmail.com> <CAGL5yWYde01JQYc5h4iESgQG=rRNGBREbKDD3U3oYvNHH4VG9Q@mail.gmail.com> <DBAPR83MB043762B970631E79DACA729191B22@DBAPR83MB0437.EURPRD83.prod.outlook.com>
In-Reply-To: <DBAPR83MB043762B970631E79DACA729191B22@DBAPR83MB0437.EURPRD83.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 05 Aug 2024 13:14:15 -0600
Message-ID: <CA+k3eCS7x9p0ZB5J7hu0=TkWt1kuFzgQQO979ViJ0qnFUXfAdA@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman@microsoft.com>
Content-Type: multipart/alternative; boundary="00000000000033c8d8061ef47d3c"
Message-ID-Hash: 4KYEKD6VGWEMRZLELLH5Y53OAQBLQCI3
X-Message-ID-Hash: 4KYEKD6VGWEMRZLELLH5Y53OAQBLQCI3
X-MailFrom: bcampbell@pingidentity.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "prkasselman@gmail.com" <prkasselman@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BAfrXPDMzgMrJes49nU0LqM_dx0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

By definition a JWT is only ever a JWS or JWE so, while I suppose it's not
wrong, that text is much more complicated than necessary and has
conditional parts that are never relevant (like all of the original text).
I'm not entirely sure what would be most appropriate for the "Corrected
Text" but maybe something like this:

"Verify the resulting JOSE Header by processing parameters and values whose
syntax and semantics are both understood and supported while ignoring those
that are not."

or this:

"Verify the resulting JOSE Header according to RFC7515 or RFC7516."

or even just removal of the whole of that step 5?



On Thu, Aug 1, 2024 at 8:33 AM Pieter Kasselman <
pieter.kasselman@microsoft.com> wrote:

> Thanks Paul
>
>
>
> Brian, how about the following:
>
>
>
>    5.  Verify that the resulting JOSE Header includes only parameters
>         and values whose syntax and semantics are both understood and
>         supported or that are specified as being ignored when not
>         understood.
>
> *     If the JWT is a JWS, the steps specified in RFC7515 takes
>
>        precedence when validating JOSE Header parameters.
>
> *     If the JWT is a JWE, the steps specified in RFC7516 takes
>
>        precedence when validating JOSE Header parameters.
>
>
>
> Cheers
>
>
>
> Pieter
>
>
>
> *From:* Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
> *Sent:* Wednesday, July 31, 2024 7:56 PM
> *To:* Brian Campbell <bcampbell@pingidentity.com>
> *Cc:* Pieter Kasselman <pieter.kasselman@microsoft.com>; RFC Errata
> System <rfc-editor@rfc-editor.org>; prkasselman@gmail.com; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)
>
>
>
> You don't often get email from paul.wouters=40aiven.io@dmarc.ietf.org. Learn
> why this is important <https://aka.ms/LearnAboutSenderIdentification>
>
> The ADs can make edits. Go ahead and propose your edits via this email
> thread.
>
>
>
> Paul
>
>
>
> On Wed, Jul 31, 2024 at 12:45 PM Brian Campbell <
> bcampbell@pingidentity.com> wrote:
>
> I honestly don't know. Perhaps the copied AD or someone on the receiving
> end of the also copied rfc-editor@rfc-editor.org can advise on the best
> course of action with respect to the errata process.
>
>
>
> On Wed, Jul 31, 2024 at 8:01 AM Pieter Kasselman <pieter.kasselman=
> 40microsoft.com@dmarc.ietf.org> wrote:
>
> Thanks Brain – is there a way to edit errata, or do I just submit another
> one?
>
>
>
> *From:* Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
> *Sent:* Wednesday, July 31, 2024 2:49 PM
> *To:* RFC Errata System <rfc-editor@rfc-editor.org>
> *Cc:* mbj@microsoft.com; n-sakimura@nri.co.jp; paul.wouters@aiven.io;
> prkasselman@gmail.com; oauth@ietf.org
> *Subject:* [OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)
>
>
>
>
>
> That is a good catch of an inconsistency in JWT/RFC7519 that is deserving
> of errata. Note however that JWE/RFC7516 says that the "rules about
> handling Header Parameters that are not understood by the implementation
> are also the same [as JWS]"* so the correcting errata text should probably
> be more generally applicable to all JWTs.
>
>
>
> * see https://datatracker.ietf.org/doc/html/rfc7516#section-4
>
>
>
> On Wed, Jul 31, 2024 at 7:27 AM RFC Errata System <
> rfc-editor@rfc-editor.org> wrote:
>
> The following errata report has been submitted for RFC7519,
> "JSON Web Token (JWT)".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8060
>
> --------------------------------------
> Type: Technical
> Reported by: Pieter Kasselman <prkasselman@gmail.com>
>
> Section: 7.2
>
> Original Text
> -------------
>    5.   Verify that the resulting JOSE Header includes only parameters
>         and values whose syntax and semantics are both understood and
>         supported or that are specified as being ignored when not
>         understood.
>
> Corrected Text
> --------------
>    5.   Verify that the resulting JOSE Header includes only parameters
>         and values whose syntax and semantics are both understood and
>         supported or that are specified as being ignored when not
>         understood. If the JWT is a JWS, the steps specified in
>         RFC7515 takes precedence when validating JOSE Header parameters.
>
> Notes
> -----
> Validation step 5 in section 7.2 of RFC 7519 states that header parameters
> should only be ignored if they are explicitly specified as needing to be
> ignored.
>
> This is contrary to step 7 in section 7.2 which requires that the
> processing rules of RFC 1515 be used if the JWT is a JWS (defined in RFC
> 1515). RFC 7515 does not include any special provisions for only ignoring
> header parameters if they are specified as being ignored, but instead
> requires all header parameters to be ignored if they are not understood
> (repeated below for convenience).
>
> "Unless listed as a critical Header Parameter, per
>    Section 4.1.11, all Header Parameters not defined by this
>    specification MUST be ignored when not understood."
>
> A discussion with the authors at IETF 120 confirmed that all header
> parameters that are not understood must be ignored.
>
> The proposed errata aims to clarify that if the JWT is a JWS, the
> processing rules of RFC 7151 should apply (including ignoring header
> parameters that are not understood). This is consistent with point 7.2,
> which requires that RFC 7515 [JWS] rules applies and avoids the impression
> that a new requirement on when parameters are ignored is being introduced
> in (i.e. the need to be explicitly defined as needing to be ignored).
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC7519 (draft-ietf-oauth-json-web-token-32)
> --------------------------------------
> Title               : JSON Web Token (JWT)
> Publication Date    : May 2015
> Author(s)           : M. Jones, J. Bradley, N. Sakimura
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Stream              : IETF
> Verifying Party     : IESG
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._