Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Tim Bray <tbray@textuality.com> Mon, 15 September 2014 16:48 UTC

In-Reply-To: <5416FE10.3060608@bbn.com>
References: <CAHbuEH4Ccn2Z=8kEECzvgjmtshwsFoa-EH_NpkJPos7zirGeaQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AEC00DB@TK5EX14MBXC292.redmond.corp.microsoft.com> <5416FE10.3060608@bbn.com>
From: Tim Bray <tbray@textuality.com>
Date: Mon, 15 Sep 2014 09:13:13 -0700
Message-ID: <CAHBU6iu3GfsLCAint3z7risZUnVW4EK0WrGVW6Dv=gvppiHSxQ@mail.gmail.com>
To: Stephen Kent <kent@bbn.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/YkX1UWCh4rCmuQLgQaeDVRvkL3Q
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

On Mon, Sep 15, 2014 at 7:56 AM, Stephen Kent <kent@bbn.com> wrote:


> Also, in a reply to Tim, I think you argued that people have already
> implemented JOSE and so
> we ought not make any changes at this late stage. If that's what you said,
> I disagree emphatically.
> The IETF always warns implementers that specs may change until an RFC is
> published, and thus
> one implements a pre-RFC spec at risk.
>

No; in theory I would entirely support requiring receivers of malformed
messages to reject them.

In practice, it’s problematic to say that the format is JSON, and then to
require any particular policy concerning duplicate keys, because existing
software generally doesn’t handle them in a consistent manner, and in
particular may not even inform receiving software that dupes existed.

>
> Steve
>


-- 
- Tim Bray (If you’d like to send me a private message, see
https://keybase.io/timbray)
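The duplicate-member problem discussed above, as an added example that is not part of this message or of the JOSE drafts: Python's default `json.loads` silently keeps the last duplicate and never tells the caller one existed, while `object_pairs_hook` exposes every member in order so a receiver can apply the "reject malformed JWKs" policy itself. The JWK text, member values and `DuplicateMemberError` name are constructed for the example.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample JWK in which the "kid" member is repeated. The "k" value
# is a placeholder, not real key material.
DUPLICATE_KID_JWK = (
    '{"kty": "oct", "kid": "key-1", '
    '"k": "PLACEHOLDER-BASE64URL-KEY", '
    '"kid": "key-2"}'
)


class DuplicateMemberError(ValueError):
    """Raised when a JSON object repeats a member name (hypothetical name)."""


def lenient_parse(text: str) -> Dict[str, Any]:
    """Default json.loads behaviour: the last duplicate wins and the caller is
    never informed. Other parsers keep the first value or reject the input,
    which is the inconsistency the message above describes."""
    return json.loads(text)


def _reject_duplicates(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    # object_pairs_hook is called for every object, nested ones included,
    # with all members in document order, so duplicates are still visible here.
    obj: Dict[str, Any] = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateMemberError(f"duplicate JWK member name: {name!r}")
        obj[name] = value
    return obj


def strict_parse(text: str) -> Dict[str, Any]:
    """Receiver policy: reject any JWK (or JWK Set) that repeats a member name."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def is_well_formed_jwk(text: str) -> bool:
    """True only if the text parses and contains no duplicate member names."""
    try:
        strict_parse(text)
    except ValueError:  # covers DuplicateMemberError and JSONDecodeError
        return False
    return True
```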