[secdir] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)

Brian Campbell <bcampbell@pingidentity.com> Mon, 08 September 2014 16:10 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 08 Sep 2014 10:10:19 -0600
Message-ID: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/QF5vtOr3znbgIGiiFj7m8PkawwE
Cc: "draft-ietf-oauth-json-web-token.all@tools.ietf.org" <draft-ietf-oauth-json-web-token.all@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)

cc'ing JOSE on a minor JWT review comment that might impact JWS/JWA.

I agree that "plaintext" is not the most intuitive wording choice and that
"unsecured" might better convey what's going on with the "none" JWS.

Mike mentioned that, if this change is made in JWT, there are parallel
changes in JWS. But note that there are also such changes in JWA (more than
in JWS actually).

On Fri, Sep 5, 2014 at 6:28 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> -----Original Message-----
> From: Warren Kumari [mailto:warren@kumari.net]
> Sent: Monday, September 01, 2014 3:40 PM
> To: secdir@ietf.org; draft-ietf-oauth-json-web-token.all@tools.ietf.org
> Subject: Review of: draft-ietf-oauth-json-web-token
>
> I'm a little confused by something in the Terminology section (Section 2):
>
> Plaintext JWT
> A JWT whose Claims are not integrity protected or encrypted.
>
> The term plaintext to me means something like "is readable without
> decrypting / much decoding" (something like, if you cat the file to a
> terminal, you will see the information). Integrity protecting a string
> doesn't make it not easily readable. If this document / JOSE uses
> "plaintext" differently (and a quick skim didn't find anything about
> this) it might be good to clarify. Section 6 *does* discuss plaintext
> JWTs, but doesn't really clarify the (IMO) unusual meaning of the term
> "plaintext" here.
>
> I’ve discussed this with the other document editors and we agree with you
> that “plaintext” is not the most intuitive wording choice in this context.
> Possible alternative terms are “Unsecured JWT” or “Unsigned JWT”.  I think
> that “Unsecured JWT” is probably the preferred term, since JWTs that are
> JWEs are also unsigned, but they are secured.  Working group – are you OK
> with this possible terminology change?  (Note that the parallel change
> “Plaintext JWS” -> “Unsecured JWS” would also be made in the JWS spec.)
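As an added illustration of the distinction the thread is settling on (example code written for this archive page, not from the JWT/JWS drafts or any thread participant): an alg "none" JWS and an HS256 JWS carry the same base64url-encoded, readable claims, which is Warren's point about "plaintext"; what differs is whether a verifier can check integrity. The key and claims are constructed sample values, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: Optional[bytes]) -> str:
    """Build a compact-serialization JWS: alg "none" (an unsecured JWT,
    empty signature part) when key is None, otherwise HS256."""
    header = {"alg": "none" if key is None else "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if key is None:
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def readable_claims(token: str) -> dict:
    """Claims are recoverable by decoding alone, signed or not: integrity
    protection does not make the payload unreadable."""
    return json.loads(b64url_decode(token.split(".")[1]))


def classify_and_verify(token: str, key: bytes, allowed=("HS256",)) -> Tuple[str, Optional[dict]]:
    """Return ("unsecured", None) for alg "none", ("verified", claims) when the
    HMAC checks out under an explicitly allowed alg, ("rejected", None) otherwise.
    Claims are only returned once integrity has actually been verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return "rejected", None
    h_b64, c_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(h_b64)).get("alg")
    if alg == "none":
        return "unsecured", None
    if alg not in allowed:
        return "rejected", None
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return "verified", json.loads(b64url_decode(c_b64))
    return "rejected", None
```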