[OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)
Brian Campbell <bcampbell@pingidentity.com> Wed, 31 July 2024 13:49 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 31 Jul 2024 07:49:05 -0600
Message-ID: <CA+k3eCSU45mnmRQxdNhf-cJ6FEfxon9d64bO0jJ4u3G99bEvqA@mail.gmail.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
CC: mbj@microsoft.com, n-sakimura@nri.co.jp, paul.wouters@aiven.io, prkasselman@gmail.com, oauth@ietf.org
Subject: [OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rIuZRY9jvtydml0w8x8BZg6q2PA>
That is a good catch of an inconsistency in JWT/RFC7519 that is deserving of errata. Note however that JWE/RFC7516 says that the "rules about handling Header Parameters that are not understood by the implementation are also the same [as JWS]"* so the correcting errata text should probably be more generally applicable to all JWTs.

* see https://datatracker.ietf.org/doc/html/rfc7516#section-4

On Wed, Jul 31, 2024 at 7:27 AM RFC Errata System <rfc-editor@rfc-editor.org> wrote:

> The following errata report has been submitted for RFC7519,
> "JSON Web Token (JWT)".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8060
>
> --------------------------------------
> Type: Technical
> Reported by: Pieter Kasselman <prkasselman@gmail.com>
>
> Section: 7.2
>
> Original Text
> -------------
> 5. Verify that the resulting JOSE Header includes only parameters
> and values whose syntax and semantics are both understood and
> supported or that are specified as being ignored when not
> understood.
>
> Corrected Text
> --------------
> 5. Verify that the resulting JOSE Header includes only parameters
> and values whose syntax and semantics are both understood and
> supported or that are specified as being ignored when not
> understood. If the JWT is a JWS, the steps specified in
> RFC7515 takes precedence when validating JOSE Header parameters.
>
> Notes
> -----
> Validation step 5 in section 7.2 of RFC 7519 states that header parameters
> should only be ignored if they are explicitly specified as needing to be
> ignored.
>
> This is contrary to step 7 in section 7.2 which requires that the
> processing rules of RFC 1515 be used if the JWT is a JWS (defined in RFC
> 1515). RFC 7515 does not include any special provisions for only ignoring
> header parameters if they are specified as being ignored, but instead
> requires all header parameters to be ignored if they are not understood
> (repeated below for convenience).
>
> "Unless listed as a critical Header Parameter, per
> Section 4.1.11, all Header Parameters not defined by this
> specification MUST be ignored when not understood."
>
> A discussion with the authors at IETF 120 confirmed that all header
> parameters that are not understood must be ignored.
>
> The proposed errata aims to clarify that if the JWT is a JWS, the
> processing rules of RFC 7151 should apply (including ignoring header
> parameters that are not understood). This is consistent with point 7.2,
> which requires that RFC 7515 [JWS] rules applies and avoids the impression
> that a new requirement on when parameters are ignored is being introduced
> in (i.e. the need to be explicitly defined as needing to be ignored).
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC7519 (draft-ietf-oauth-json-web-token-32)
> --------------------------------------
> Title : JSON Web Token (JWT)
> Publication Date : May 2015
> Author(s) : M. Jones, J. Bradley, N. Sakimura
> Category : PROPOSED STANDARD
> Source : Web Authorization Protocol
> Stream : IETF
> Verifying Party : IESG
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

--
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
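The header-handling rule the erratum and the reply above turn on, as an added example that is not part of the mailing-list thread or of any RFC text: a small HS256 JWS verifier whose header check follows RFC 7515 section 4.1.11 (unknown, non-critical parameters are ignored; "crit" must be a non-empty array of strings naming only extension parameters the verifier understands) rather than the literal reading of RFC 7519 section 7.2 step 5. The set name SUPPORTED_CRIT_EXTENSIONS, the extension parameter "x-hypothetical", the key DEMO_KEY and the helper header_accepted() are assumptions made for this example.

```python
"""Added example: JWS header validation per RFC 7515, not the thread's own code.

RFC 7515 section 4.1.11: header parameters not defined by JWS/JWA MUST be
ignored when not understood unless listed in "crit"; "crit" must be a
non-empty array of strings, must not name registered parameters, and every
parameter it names must be understood and processed or the JWS is invalid.
"""
import base64
import hashlib
import hmac
import json

# Parameters registered by RFC 7515 section 4.1; "crit" must never list these.
REGISTERED_JWS_PARAMS = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                         "x5t#S256", "typ", "cty", "crit"}
# Extension parameters this verifier knows how to process when marked critical
# (hypothetical; a real verifier would list e.g. "b64" from RFC 7797 here).
SUPPORTED_CRIT_EXTENSIONS = {"x-hypothetical"}
# Constructed shared secret for the demo; never hard-code one in real code.
DEMO_KEY = b"example-shared-secret-for-the-demo-only"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_header(header: dict) -> None:
    """Apply the RFC 7515 rules for parameters a verifier may not understand."""
    if "crit" in header:
        crit = header["crit"]
        if (not isinstance(crit, list) or not crit
                or not all(isinstance(name, str) for name in crit)):
            raise ValueError('"crit" must be a non-empty array of strings')
        for name in crit:
            if name in REGISTERED_JWS_PARAMS:
                raise ValueError(f'"crit" must not list registered parameter {name!r}')
            if name not in header:
                # Producers must not do this (4.1.11); treat it as invalid here.
                raise ValueError(f'"crit" names {name!r} but it is absent from the header')
            if name not in SUPPORTED_CRIT_EXTENSIONS:
                raise ValueError(f"critical parameter {name!r} is not understood")
    # Any other unregistered, non-critical parameter is simply ignored: this is
    # the JWS behaviour the erratum asks RFC 7519 step 5 to defer to.


def hs256_sign(header: dict, payload: dict, key: bytes) -> str:
    """Produce a JWS compact serialization with HMAC-SHA256."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jws(token: str, key: bytes) -> dict:
    """Return the payload claims, or raise ValueError. HS256 only, for the example."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWS compact serialization")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # pin the algorithm before anything else
        raise ValueError("unsupported or missing alg")
    check_header(header)
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def header_accepted(header: dict) -> bool:
    """True when a correctly signed token carrying this header verifies."""
    try:
        verify_jws(hs256_sign(header, {"sub": "alice"}, DEMO_KEY), DEMO_KEY)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cases = {
        "unknown non-critical param": {"alg": "HS256", "typ": "JWT", "x-unknown": "ignored"},
        "understood critical param": {"alg": "HS256", "crit": ["x-hypothetical"], "x-hypothetical": True},
        "unknown critical param": {"alg": "HS256", "crit": ["x-unknown"], "x-unknown": 1},
        "crit naming registered param": {"alg": "HS256", "crit": ["alg"]},
        "empty crit": {"alg": "HS256", "crit": []},
    }
    for label, hdr in cases.items():
        print(f"{label:32s} -> {'accepted' if header_accepted(hdr) else 'rejected'}")
```

The first case is the one the erratum is about: under a literal reading of RFC 7519 step 5 a verifier would have to reject a token whose header carries a parameter it does not understand, while under RFC 7515 (and, as the reply notes, RFC 7516 for JWE) the parameter is ignored unless "crit" makes it mandatory.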