[OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)
Justin Richer <jricher@mit.edu> Fri, 02 August 2024 12:45 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U9zwDVSXxs8VmS8h7e6fdcQT4CY>
This errata looks correct to me, we should confirm it.

________________________________
From: RFC Errata System <rfc-editor@rfc-editor.org>
Sent: Wednesday, July 31, 2024 9:26 AM
To: mbj@microsoft.com <mbj@microsoft.com>; ve7jtb@ve7jtb.com <ve7jtb@ve7jtb.com>; n-sakimura@nri.co.jp <n-sakimura@nri.co.jp>; debcooley1@gmail.com <debcooley1@gmail.com>; paul.wouters@aiven.io <paul.wouters@aiven.io>; hannes.tschofenig@arm.com <hannes.tschofenig@arm.com>; rifaat.s.ietf@gmail.com <rifaat.s.ietf@gmail.com>
Cc: prkasselman@gmail.com <prkasselman@gmail.com>; oauth@ietf.org <oauth@ietf.org>; rfc-editor@rfc-editor.org <rfc-editor@rfc-editor.org>
Subject: [OAUTH-WG] [Technical Errata Reported] RFC7519 (8060)

The following errata report has been submitted for RFC7519,
"JSON Web Token (JWT)".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8060

--------------------------------------
Type: Technical
Reported by: Pieter Kasselman <prkasselman@gmail.com>

Section: 7.2

Original Text
-------------
5. Verify that the resulting JOSE Header includes only parameters and values whose syntax and semantics are both understood and supported or that are specified as being ignored when not understood.

Corrected Text
--------------
5. Verify that the resulting JOSE Header includes only parameters and values whose syntax and semantics are both understood and supported or that are specified as being ignored when not understood. If the JWT is a JWS, the steps specified in RFC7515 takes precedence when validating JOSE Header parameters.

Notes
-----
Validation step 5 in section 7.2 of RFC 7519 states that header parameters should only be ignored if they are explicitly specified as needing to be ignored. This is contrary to step 7 in section 7.2 which requires that the processing rules of RFC 1515 be used if the JWT is a JWS (defined in RFC 1515).

RFC 7515 does not include any special provisions for only ignoring header parameters if they are specified as being ignored, but instead requires all header parameters to be ignored if they are not understood (repeated below for convenience).

"Unless listed as a critical Header Parameter, per Section 4.1.11, all Header Parameters not defined by this specification MUST be ignored when not understood."

A discussion with the authors at IETF 120 confirmed that all header parameters that are not understood must be ignored.

The proposed errata aims to clarify that if the JWT is a JWS, the processing rules of RFC 7151 should apply (including ignoring header parameters that are not understood). This is consistent with point 7.2, which requires that RFC 7515 [JWS] rules applies and avoids the impression that a new requirement on when parameters are ignored is being introduced in (i.e. the need to be explicitly defined as needing to be ignored).

Instructions:
-------------
This erratum is currently posted as "Reported". (If it is spam, it will be removed shortly by the RFC Production Center.) Please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party will log in to change the status and edit the report, if necessary.

--------------------------------------
RFC7519 (draft-ietf-oauth-json-web-token-32)
--------------------------------------
Title               : JSON Web Token (JWT)
Publication Date    : May 2015
Author(s)           : M. Jones, J. Bradley, N. Sakimura
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org
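
The header handling the erratum points to, as an added Python example (not part of the original message or of any RFC text): for a JWT that is a JWS, Header Parameters that are not understood are ignored unless they are named in "crit", following the RFC 7515 sentence quoted in the report and its Section 4.1.11. The function names, the `x-trace` parameter and the sample tokens are constructed for illustration; signature verification is a separate step and is not shown.

```python
import base64
import json

# Header Parameter names defined in RFC 7515 section 4.1; not allowed inside "crit".
JWS_DEFINED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
               "typ", "cty", "crit"}


def make_token(header: dict) -> str:
    """Build a constructed compact token; the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'demo'})}.c2ln"


def decode_header(token: str) -> dict:
    """Base64url-decode the first segment of a compact JWS into the JOSE Header."""
    segment = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(header, dict):
        raise ValueError("JOSE Header is not a JSON object")
    return header


def check_jws_header(header: dict, understood_extensions=frozenset()) -> list:
    """Return the names ignored as not understood; raise ValueError to reject."""
    if "crit" in header:
        crit = header["crit"]
        if not isinstance(crit, list) or not crit:
            raise ValueError('"crit" must be a non-empty array')
        for name in crit:
            if not isinstance(name, str) or name in JWS_DEFINED or name not in header:
                raise ValueError(f'invalid "crit" entry: {name!r}')
            if name not in understood_extensions:
                raise ValueError(f"critical parameter not understood: {name}")
        if len(set(crit)) != len(crit):
            raise ValueError('duplicate names in "crit"')
    known = JWS_DEFINED | set(understood_extensions)
    return sorted(name for name in header if name not in known)


if __name__ == "__main__":
    for hdr in ({"alg": "ES256", "typ": "JWT", "x-trace": "abc"},
                {"alg": "ES256", "x-trace": "abc", "crit": ["x-trace"]}):
        try:
            print("accepted, ignored:", check_jws_header(decode_header(make_token(hdr))))
        except ValueError as err:
            print("rejected:", err)
```

A verifier that instead rejected the first header because `x-trace` is unknown would be applying the stricter reading of step 5 that the report describes, not the RFC 7515 rule.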