Re: [secdir] [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)

Richard Barnes <rlb@ipv.sx> Wed, 17 September 2014 03:38 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 473271A0177 for <secdir@ietfa.amsl.com>; Tue, 16 Sep 2014 20:38:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 83sei0YzzbMH for <secdir@ietfa.amsl.com>; Tue, 16 Sep 2014 20:38:50 -0700 (PDT)
Received: from mail-lb0-f179.google.com (mail-lb0-f179.google.com [209.85.217.179]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3D3A1A0185 for <secdir@ietf.org>; Tue, 16 Sep 2014 20:38:48 -0700 (PDT)
Received: by mail-lb0-f179.google.com with SMTP id p9so1022685lbv.10 for <secdir@ietf.org>; Tue, 16 Sep 2014 20:38:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=DPHX2BGn0TUyqAt5krsIbK0YYCgT/dPWCTkpNVXGnpc=; b=PErDjSGD57TchAdGNhA2ni+K28ZNyaD7C0+ZIun4ISrqJfw+j6S987xOM6JH9t8Z0Q zDoL3mBMHMRVsgMXsu9A4cvrJ3o7hwQrPRG9E/NM2yY6W2+S+C/1dIu+/Uh3vEPinWjS m2B1dtOZ+As82Jt8Rk29Q1eurgd4w7X+eiY15q7bnbfBZYlR67o/iHbSbcwz7fAkeK5I wP4X7ipGIKH9VqlofXZiX+zrfNQXEX2DMOGdldm+Vp8/IY3TNqDaRlzjge19ctlEPCfq Ejc97IXjezceVxpMrFI3sLFGD9EliwIhT8tp71IFXNHzTFh42nAGNTb65VVr3y5krohX iNTQ==
X-Gm-Message-State: ALoCoQlWRNZ+9oomdMxTs60zYJ/leZ2GSkQ+l9EM6c3PhRJc9kYtONrcioYJkmecG1m31KO8yKYJ
MIME-Version: 1.0
X-Received: by 10.112.4.33 with SMTP id h1mr37966335lbh.67.1410925126700; Tue, 16 Sep 2014 20:38:46 -0700 (PDT)
Received: by 10.25.159.84 with HTTP; Tue, 16 Sep 2014 20:38:46 -0700 (PDT)
In-Reply-To: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
References: <CA+k3eCTpBi7Xh87JFkApYvJ1Bd8Kk6VfY0QH67UAVShjFx9G5A@mail.gmail.com>
Date: Tue, 16 Sep 2014 23:38:46 -0400
Message-ID: <CAL02cgQvPX+znWqJmL+OroCwJbV1TvWBKCOEJbjEWPvJZmHp7g@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary=bcaec52be6a7fb63df05033a9afc
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/cQslVgtlwiETLU5NSrIxi39wVZc
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-oauth-json-web-token.all@tools.ietf.org" <draft-ietf-oauth-json-web-token.all@tools.ietf.org>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [secdir] [jose] alternative term to "plaintext" for the "none" alg (was Re: [OAUTH-WG] Review of: draft-ietf-oauth-json-web-token)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Sep 2014 03:38:52 -0000

I will re-iterate here my strong preference that an "unsecured" or
"plaintext" JWS object be syntactically distinct from a real JWS object.
E.g. by having two dot-separated components instead of three.

Beyond that, seems like just shuffling deck chairs.

On Mon, Sep 8, 2014 at 12:10 PM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> cc'ing JOSE on a minor JWT review comment that might impact JWS/JWA.
>
> I agree that "plaintext” is not the most intuitive wording choice and that
> "unsecured" might better convey what's going on with the "none" JWS
> algorithm.
>
> Mike mentioned that, if this change is made in JWT, there are parallel
> changes in JWS. But note that there are also such changes in JWA (more than
> in JWS actually).
>
> On Fri, Sep 5, 2014 at 6:28 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
>>  -----Original Message-----
>> From: Warren Kumari [mailto:warren@kumari.net]
>> Sent: Monday, September 01, 2014 3:40 PM
>> To: secdir@ietf.org; draft-ietf-oauth-json-web-token.all@tools.ietf.org
>> Subject: Review of: draft-ietf-oauth-json-web-token
>>
>> I'm a little confused by something in the Terminology section (Section 2):
>>
>> Plaintext JWT
>>
>> A JWT whose Claims are not integrity protected or encrypted.
>>
>> The term plaintext to me means something like "is readable without
>> decrypting / much decoding" (something like, if you cat the file to a
>> terminal, you will see the information). Integrity protecting a string
>> doesn't make it not easily readable. If this document / JOSE uses
>> "plaintext" differently (and a quick skim didn't find anything about
>>
>> this) it might be good to clarify. Section 6 *does* discuss plaintext
>> JWTs, but doesn't really clarify the (IMO) unusual meaning of the term
>> "plaintext" here.
>>
>>
>>
>> I’ve discussed this with the other document editors and we agree with you
>> that “plaintext” is not the most intuitive wording choice in this context.
>> Possible alternative terms are “Unsecured JWT” or “Unsigned JWT”.  I think
>> that “Unsecured JWT” is probably the preferred term, since JWTs that are
>> JWEs are also unsigned, but they are secured.  Working group – are you OK
>> with this possible terminology change?  (Note that the parallel change
>> “Plaintext JWS” -> “Unsecured JWS” would also be made in the JWS spec.)
>>
>>
>>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>