[OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)

Pieter Kasselman <pieter.kasselman@microsoft.com> Mon, 12 August 2024 11:00 UTC

From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Date: Mon, 12 Aug 2024 11:00:19 +0000
CC: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "prkasselman@gmail.com" <prkasselman@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WPcqcdEoiVMVYFIk4-rsn-lYEPQ>

Thanks David and Brian.

Unless there are any concerns with adopting the alternative text, I would suggest the following for the errata in section 7.2 bullet 5:

Original Text
-------------
   5.   Verify that the resulting JOSE Header includes only parameters
        and values whose syntax and semantics are both understood and
        supported or that are specified as being ignored when not
        understood.

Corrected Text
--------------
   5.  Verify the resulting JOSE Header according to RFC7515 or RFC7516.

Cheers

Pieter

From: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>
Sent: Monday 5 August 2024 22:43
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Cc: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>; RFC Errata System <rfc-editor@rfc-editor.org>; prkasselman@gmail.com; oauth@ietf.org
Subject: [OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)

On Aug 5, 2024, at 1:52 PM, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:

I tried to keep the changes to additional text that would scope the processing rules more precisely for the JWT/JWS/JWE cases (point 7 in the processing steps references JWS and JWE separately, so thought I would propose text that does something similar to that). The idea of additional text is that a reader who is familiar may find it easier to process the delta.

However, if we want to change the text, I like your second option:

"Verify the resulting JOSE Header according to RFC7515 or RFC7516."

I don’t think we should delete the bullet completely.

Cheers

Pieter

I prefer this over the current text, which might be incorrectly construed to provide counter guidance to the “crit” protected header parameter.

-DW
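The check that the corrected bullet 5 delegates to, as an added example that is not part of this thread or of any RFC text: it recovers the JOSE Header from a compact serialization and applies the RFC 7515 section 4 and 4.1.11 rules for "crit", beside a literal reading of the current wording, to show where the two diverge. The `understood` set and the "example-ext" parameter name are assumptions made for the illustration.

```python
import base64
import json

# Header Parameter names registered by RFC 7515 (JWS) and RFC 7516 (JWE).
# RFC 7515 section 4.1.11: "crit" MUST NOT list any of these names.
JOSE_REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
                   "typ", "cty", "crit", "enc", "zip"}

def encode_header(header):
    """Build the first (JOSE Header) segment of a compact JWS/JWE."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_header(compact):
    """Steps 1-4 of RFC 7519 section 7.2: recover the JOSE Header as a JSON object."""
    seg = compact.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(header, dict):
        raise ValueError("JOSE Header must be a JSON object")
    return header

def original_step5(header, understood):
    """Step 5 as currently worded, read literally: every parameter must be understood."""
    unknown = sorted(set(header) - understood)
    return not unknown, unknown

def rfc7515_step5(header, understood):
    """Corrected step 5: apply RFC 7515 section 4 and 4.1.11 (RFC 7516 uses the same rules).
    `understood` (an assumption of this example) is the set of Header Parameter names this
    implementation supports; unknown parameters are ignored unless "crit" names them."""
    crit = header.get("crit")
    if crit is None:
        return True, "no crit: unrecognised parameters are ignored"
    if not isinstance(crit, list) or not crit:
        return False, "crit MUST be a non-empty array"
    if any(not isinstance(n, str) for n in crit) or len(set(crit)) != len(crit):
        return False, "crit MUST hold unique strings"
    for name in crit:
        if name in JOSE_REGISTERED:
            return False, f"crit MUST NOT list registered parameter {name!r}"
        if name not in header:
            return False, f"crit names {name!r} but the header does not carry it"
        if name not in understood:
            return False, f"critical parameter {name!r} not understood: reject the JWT"
    return True, "every critical parameter is understood"
```

A header carrying a non-critical "example-ext" fails the literal reading but passes the RFC 7515 check; once "crit" names it, both readings reject it unless the parameter is supported.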