[OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)
Paul Wouters <paul.wouters@aiven.io> Wed, 31 July 2024 18:55 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91C7FC14F6F2 for <oauth@ietfa.amsl.com>; Wed, 31 Jul 2024 11:55:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZRus6oWSx7eB for <oauth@ietfa.amsl.com>; Wed, 31 Jul 2024 11:55:51 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E2D2C151548 for <oauth@ietf.org>; Wed, 31 Jul 2024 11:55:51 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id a640c23a62f3a-a7d89bb07e7so288056466b.3 for <oauth@ietf.org>; Wed, 31 Jul 2024 11:55:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1722452149; x=1723056949; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=WOHx31EXypgcVqqTF8HjR6FBSy+om5lGaaB9fuuET9w=; b=JjguQJUCWzzv7ABpnSGSWGjxY4l1jFQpS5ly52B8IkofmaTFJssXABXZ++Z9uEPuvX f04QtyUo5LkddcxD2F2AYEd5SS3RLMpHUu7WgeztoUO5PYofg1x3qXDEFL/oqt/nqiSC lI7kDZqVEWYriS45PfaTvKeATgl9IQ8v4+LLM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722452149; x=1723056949; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WOHx31EXypgcVqqTF8HjR6FBSy+om5lGaaB9fuuET9w=; b=uAUQl2cfsi7h6m0Ik/yx/GC6fxTKT4I5YK+FZ5WCBRIbTLG7+u4kRp7AFfBAHOcUhm AHJunDySOlKadviCWL3+Qvxuo32hBkQSicvbvsJqBTZ4T6Qbs/p85ERATkwQ5YAT1lLX nO/E7/FkDrSQzr7WMLiQCLFnBiQKieFfDsjjCYgyh+ZivoZIyVrupTBdWr61JxkMwOWc VuubsAOarXsyGkgI42YhsbNWx2vc/MUQlsU8UCCVbWSujzU5EMlLsoytgMoTo2SwK4Xx UrBre6FQdHcIA5WonUWbehMTLv/pOZhAbA54IUe+a6PqAN8k/jDw12KzzaqT1ujoLmAi gxiQ==
X-Forwarded-Encrypted: i=1; AJvYcCWr2pe8AhCTQCLiamYWq4d2+c5/1TWuze+ZKUXeFQZN9gQcZ+ylMW4RQQWS8BTbYnpLJk/L7xSpxZ0N6jokBg==
X-Gm-Message-State: AOJu0YxxKwfUpKF53LJfRNvHwJzyW6RwknK2YAeVk8rSXMhwnV/H70Q8 7yNqoUfjIiH3tLJUyjiroqk4kPNt/h8ujLA0HYOMEGlW+Xwbe+hc84Xfae0lYp7g0diYzlEE4Qw 6fpzquoKHn4E+8+vqFpW7ydpbRcMrNhriOL5LWQ==
X-Google-Smtp-Source: AGHT+IEewOUIME/CBvsIqFkRTvBr3TvhwYnVpQTgYRvCMI9gzYctXcOsCG8joPoSIDY1RvrZb+VnBj25tiBhfZ+iRac=
X-Received: by 2002:a17:907:8e07:b0:a7a:8586:d36b with SMTP id a640c23a62f3a-a7daf4feeacmr2940466b.3.1722452149183; Wed, 31 Jul 2024 11:55:49 -0700 (PDT)
MIME-Version: 1.0
References: <20240731132617.0FE6C3B873@rfcpa.rfc-editor.org> <CA+k3eCSU45mnmRQxdNhf-cJ6FEfxon9d64bO0jJ4u3G99bEvqA@mail.gmail.com> <DBAPR83MB0437A90177CB7B34DBD67F1291B12@DBAPR83MB0437.EURPRD83.prod.outlook.com> <CA+k3eCQ_8NAmdYejmj7oLW=QeLM1=AHKnPQyM2qhc65=hNwqTw@mail.gmail.com>
In-Reply-To: <CA+k3eCQ_8NAmdYejmj7oLW=QeLM1=AHKnPQyM2qhc65=hNwqTw@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Wed, 31 Jul 2024 14:55:37 -0400
Message-ID: <CAGL5yWYde01JQYc5h4iESgQG=rRNGBREbKDD3U3oYvNHH4VG9Q@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="0000000000007f1174061e8fa416"
Message-ID-Hash: GGTWQ4RNNSKFWTQXDQMTHLDU722MYJX4
X-Message-ID-Hash: GGTWQ4RNNSKFWTQXDQMTHLDU722MYJX4
X-MailFrom: paul.wouters@aiven.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "prkasselman@gmail.com" <prkasselman@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Lwr3eynWNcRQRqJkTuqH5POArUA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
The ADs can make edits. Go ahead and propose your edits via this email thread. Paul On Wed, Jul 31, 2024 at 12:45 PM Brian Campbell <bcampbell@pingidentity.com> wrote: > I honestly don't know. Perhaps the copied AD or someone on the receiving > end of the also copied rfc-editor@rfc-editor.org can advise on the best > course of action with respect to the errata process. > > On Wed, Jul 31, 2024 at 8:01 AM Pieter Kasselman <pieter.kasselman= > 40microsoft.com@dmarc.ietf.org> wrote: > >> Thanks Brain – is there a way to edit errata, or do I just submit another >> one? >> >> >> >> *From:* Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> >> *Sent:* Wednesday, July 31, 2024 2:49 PM >> *To:* RFC Errata System <rfc-editor@rfc-editor.org> >> *Cc:* mbj@microsoft.com; n-sakimura@nri.co.jp; paul.wouters@aiven.io; >> prkasselman@gmail.com; oauth@ietf.org >> *Subject:* [OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060) >> >> >> >> >> >> That is a good catch of an inconsistency in JWT/RFC7519 that is deserving >> of errata. Note however that JWE/RFC7516 says that the "rules about >> handling Header Parameters that are not understood by the implementation >> are also the same [as JWS]"* so the correcting errata text should probably >> be more generally applicable to all JWTs. >> >> >> >> * see https://datatracker.ietf.org/doc/html/rfc7516#section-4 >> >> >> >> On Wed, Jul 31, 2024 at 7:27 AM RFC Errata System < >> rfc-editor@rfc-editor.org> wrote: >> >> The following errata report has been submitted for RFC7519, >> "JSON Web Token (JWT)". >> >> -------------------------------------- >> You may review the report below and at: >> https://www.rfc-editor.org/errata/eid8060 >> >> -------------------------------------- >> Type: Technical >> Reported by: Pieter Kasselman <prkasselman@gmail.com> >> >> Section: 7.2 >> >> Original Text >> ------------- >> 5. Verify that the resulting JOSE Header includes only parameters >> and values whose syntax and semantics are both understood and >> supported or that are specified as being ignored when not >> understood. >> >> Corrected Text >> -------------- >> 5. Verify that the resulting JOSE Header includes only parameters >> and values whose syntax and semantics are both understood and >> supported or that are specified as being ignored when not >> understood. If the JWT is a JWS, the steps specified in >> RFC7515 takes precedence when validating JOSE Header parameters. >> >> Notes >> ----- >> Validation step 5 in section 7.2 of RFC 7519 states that header >> parameters should only be ignored if they are explicitly specified as >> needing to be ignored. >> >> This is contrary to step 7 in section 7.2 which requires that the >> processing rules of RFC 1515 be used if the JWT is a JWS (defined in RFC >> 1515). RFC 7515 does not include any special provisions for only ignoring >> header parameters if they are specified as being ignored, but instead >> requires all header parameters to be ignored if they are not understood >> (repeated below for convenience). >> >> "Unless listed as a critical Header Parameter, per >> Section 4.1.11, all Header Parameters not defined by this >> specification MUST be ignored when not understood." >> >> A discussion with the authors at IETF 120 confirmed that all header >> parameters that are not understood must be ignored. >> >> The proposed errata aims to clarify that if the JWT is a JWS, the >> processing rules of RFC 7151 should apply (including ignoring header >> parameters that are not understood). This is consistent with point 7.2, >> which requires that RFC 7515 [JWS] rules applies and avoids the impression >> that a new requirement on when parameters are ignored is being introduced >> in (i.e. the need to be explicitly defined as needing to be ignored). >> >> Instructions: >> ------------- >> This erratum is currently posted as "Reported". (If it is spam, it >> will be removed shortly by the RFC Production Center.) Please >> use "Reply All" to discuss whether it should be verified or >> rejected. When a decision is reached, the verifying party >> will log in to change the status and edit the report, if necessary. >> >> -------------------------------------- >> RFC7519 (draft-ietf-oauth-json-web-token-32) >> -------------------------------------- >> Title : JSON Web Token (JWT) >> Publication Date : May 2015 >> Author(s) : M. Jones, J. Bradley, N. Sakimura >> Category : PROPOSED STANDARD >> Source : Web Authorization Protocol >> Stream : IETF >> Verifying Party : IESG >> >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-leave@ietf.org >> >> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended recipient(s). Any >> review, use, distribution or disclosure by others is strictly prohibited. >> If you have received this communication in error, please notify the sender >> immediately by e-mail and delete the message and any file attachments from >> your computer. Thank you.* >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*
- [OAUTH-WG] [Technical Errata Reported] RFC7519 (8… RFC Errata System
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Brian Campbell
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Pieter Kasselman
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Brian Campbell
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Paul Wouters
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Pieter Kasselman
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Brian Campbell
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Pieter Kasselman
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… David Waite
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Pieter Kasselman
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Brian Campbell
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Pieter Kasselman
- [OAUTH-WG] Re: [Technical Errata Reported] RFC751… Justin Richer