Re: [secdir] [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)
Richard Barnes <rlb@ipv.sx> Wed, 17 September 2014 03:38 UTC
In-Reply-To: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
References: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
Date: Tue, 16 Sep 2014 23:38:46 -0400
Message-ID: <CAL02cgQvPX+znWqJmL+OroCwJbV1TvWBKCOEJbjEWPvJZmHp7g@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/cQslVgtlwiETLU5NSrIxi39wVZc
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-oauth-json-web-token.all@tools.ietf.org" <draft-ietf-oauth-json-web-token.all@tools.ietf.org>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
I will reiterate here my strong preference that an "unsecured" or "plaintext" JWS object be syntactically distinct from a real JWS object. E.g. by having two dot-separated components instead of three. Beyond that, seems like just shuffling deck chairs.

On Mon, Sep 8, 2014 at 12:10 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> cc'ing JOSE on a minor JWT review comment that might impact JWS/JWA.
>
> I agree that "plaintext" is not the most intuitive wording choice and that "unsecured" might better convey what's going on with the "none" JWS algorithm.
>
> Mike mentioned that, if this change is made in JWT, there are parallel changes in JWS. But note that there are also such changes in JWA (more than in JWS actually).
>
> On Fri, Sep 5, 2014 at 6:28 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> -----Original Message-----
>> From: Warren Kumari [mailto:warren@kumari.net]
>> Sent: Monday, September 01, 2014 3:40 PM
>> To: secdir@ietf.org; draft-ietf-oauth-json-web-token.all@tools.ietf.org
>> Subject: Review of: draft-ietf-oauth-json-web-token
>>
>> I'm a little confused by something in the Terminology section (Section 2):
>>
>> Plaintext JWT
>>
>> A JWT whose Claims are not integrity protected or encrypted.
>>
>> The term plaintext to me means something like "is readable without decrypting / much decoding" (something like, if you cat the file to a terminal, you will see the information). Integrity protecting a string doesn't make it not easily readable. If this document / JOSE uses "plaintext" differently (and a quick skim didn't find anything about this) it might be good to clarify. Section 6 *does* discuss plaintext JWTs, but doesn't really clarify the (IMO) unusual meaning of the term "plaintext" here.
>>
>>
>> I’ve discussed this with the other document editors and we agree with you that “plaintext” is not the most intuitive wording choice in this context. Possible alternative terms are “Unsecured JWT” or “Unsigned JWT”. I think that “Unsecured JWT” is probably the preferred term, since JWTs that are JWEs are also unsigned, but they are secured. Working group – are you OK with this possible terminology change? (Note that the parallel change “Plaintext JWS” -> “Unsecured JWS” would also be made in the JWS spec.)
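The thread above is about naming, but the underlying engineering concern is the one Richard raises: a verifier must be able to tell an unsecured ("none") JWS apart from a signed one before it does anything with the claims. The following is an added example written for this page, not code from the thread, from the JOSE/JWT drafts, or from any library. It keeps the specs' three-part compact form (an unsecured JWS is `header.payload.` with an empty third segment) rather than the two-part form Richard suggests, and shows a verifier that classifies a token by both its `alg` header and its shape up front, treats the unsecured class as rejected by default, and requires the two signals to agree. The function names, the `allow_unsecured` flag and the `verify` wrapper are this example's own choices; the constructed tokens and key are sample inputs, not values from the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


class JwsError(ValueError):
    """Raised when a compact JWS is malformed or fails policy/verification."""


def _b64url_decode(segment: str) -> bytes:
    # JWS uses base64url without padding; restore padding for the stdlib decoder.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_unsecured_shape(token: str) -> bool:
    """Structural signal only: an unsecured JWS is 'header.payload.' with an
    empty third segment, so this can be checked before decoding anything."""
    parts = token.split(".")
    return len(parts) == 3 and parts[2] == ""


def parse_compact_jws(token: str, key: Optional[bytes], allow_unsecured: bool = False) -> dict:
    """Return the decoded payload if the token passes policy and verification.

    Policy of this hypothetical verifier (not any library's API):
      * classify by the header 'alg' and by shape before any crypto;
      * 'none' is a distinct token class: rejected unless the caller opts in,
        and even then only with an empty signature part and no key in play;
      * only HS256 is accepted as a secured algorithm here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JwsError("compact JWS must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # covers binascii.Error and JSON/Unicode errors
        raise JwsError("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise JwsError("header must be a JSON object")
    alg = header.get("alg")

    if alg == "none" or is_unsecured_shape(token):
        # Both signals must agree before the token is treated as unsecured.
        if alg != "none" or not is_unsecured_shape(token):
            raise JwsError("alg/none and empty-signature shape disagree")
        if not allow_unsecured:
            raise JwsError("unsecured JWS rejected by policy")
        if key is not None:
            raise JwsError("unsecured JWS not acceptable where a key is expected")
        return json.loads(_b64url_decode(payload_b64))

    if alg != "HS256":
        raise JwsError(f"unsupported alg {alg!r}")
    if key is None:
        raise JwsError("HS256 requires a key")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        provided = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise JwsError("signature is not base64url") from exc
    if not hmac.compare_digest(expected, provided):
        raise JwsError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def verify(token: str, key: Optional[bytes], allow_unsecured: bool = False) -> Tuple[bool, str]:
    """Non-raising wrapper: (accepted, detail) for use at a policy boundary."""
    try:
        payload = parse_compact_jws(token, key, allow_unsecured)
    except JwsError as exc:
        return False, str(exc)
    return True, json.dumps(payload, sort_keys=True)


def make_hs256(payload: dict, key: bytes) -> str:
    # Constructed sample signed token for exercising the verifier.
    header_b64 = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def make_unsecured(payload: dict) -> str:
    # Constructed sample of the unsecured form: empty third segment.
    header_b64 = _b64url_encode(b'{"alg":"none"}')
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}."


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print(verify(make_hs256({"sub": "alice"}, key), key))
    print(verify(make_unsecured({"sub": "alice"}), key))
    print(verify(make_unsecured({"sub": "alice"}), None, allow_unsecured=True))
```

The point of requiring agreement between the `alg` value and the empty-signature shape is that either signal alone is easy to get wrong in a parser: checking only `len(parts) == 3` accepts the unsecured form, and checking only `alg` lets a header claim one thing while the structure says another. Keying the unsecured case on `key is None` as well as on an explicit flag means a code path that was written to verify signed tokens can never accept an unsecured one by accident.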