Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
Tim Bray <tbray@textuality.com> Tue, 16 September 2014 15:47 UTC
To: Stephen Kent <kent@bbn.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/CNyxeh3HkaiB6OLxS1LE8-e0RFw
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
On Tue, Sep 16, 2014 at 7:48 AM, Stephen Kent <kent@bbn.com> wrote:

> Thanks for the clarifying comments. I am still a bit puzzled, though. I
> thought JWK was a proposal to establish JSON formats for key transport.
> Are you saying that the formats we are about to standardize have been in
> use in JSON for a while and that's why parsers are not prepared to reject
> dupe keys? Or is this a lower layer, JS issue re parsing?

I’m not clear on the history, but I have heard that dupe keys are sometimes generated by software that’s producing output on a streaming basis, that can’t afford to keep track of every key it’s already generated.

It is also my impression that for essentially all software that receives and parses JSON, dupe keys are useless and perhaps damaging, since JSON objects are invariably stuffed into hash-table-flavored things that don’t support dupe keys.

It’s just that in the JOSE context, there is (justified) concern that there are attack vectors based on the use of dupe keys. Everyone agrees (I think) that it would be desirable for such messages to be rejected. It’s just that current production software doesn’t make this easy.

> Steve

--
- Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
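An added example, not part of the original message or of any JOSE implementation: how a stock JSON parser silently collapses a duplicate JWK member name, and how the receiver can reject such input instead. It uses Python's standard `json` module; the function names and sample keys are constructed for illustration.

```python
import json

class DuplicateMemberError(ValueError):
    """Raised when a JSON object repeats a member name."""

def _reject_duplicates(pairs):
    # object_pairs_hook receives every (name, value) pair of one object in
    # document order, before the pairs are collapsed into a dict.
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateMemberError(f"duplicate member name: {name!r}")
        obj[name] = value
    return obj

def parse_jwk_strict(text):
    """Parse a JWK or JWK Set, rejecting duplicates at any nesting depth."""
    jwk = json.loads(text, object_pairs_hook=_reject_duplicates)
    if not isinstance(jwk, dict):
        raise ValueError("a JWK must be a JSON object")
    return jwk

def last_wins_value(text, name):
    # Default json.loads behaviour: the later duplicate overwrites the earlier.
    return json.loads(text)[name]

def first_wins_value(text, name):
    # Stand-in for a consumer whose parser keeps the first occurrence.
    return json.loads(text, object_pairs_hook=lambda p: dict(reversed(p)))[name]

def is_rejected(text):
    try:
        parse_jwk_strict(text)
    except DuplicateMemberError:
        return True
    return False

# Constructed sample inputs (not real key material).
CLEAN_JWK = '{"kty":"oct","k":"AAAA","use":"sig"}'
DUPLICATE_JWK = '{"kty":"oct","k":"AAAA","use":"sig","k":"BBBB"}'
NESTED_DUPLICATE = '{"keys":[{"kty":"oct","kty":"RSA","k":"AAAA"}]}'

if __name__ == "__main__":
    print("last-wins parser sees k =", last_wins_value(DUPLICATE_JWK, "k"))
    print("first-wins parser sees k =", first_wins_value(DUPLICATE_JWK, "k"))
    for doc in (CLEAN_JWK, DUPLICATE_JWK, NESTED_DUPLICATE):
        print("rejected" if is_rejected(doc) else "accepted", doc)
```

Because the hook runs for every object in the document, a duplicate inside one key of a JWK Set is caught as well as one at the top level.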