IETF Logo Mail Archive

Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Mike Jones <Michael.Jones@microsoft.com> Tue, 23 September 2014 23:41 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 654DC1A6F1E; Tue, 23 Sep 2014 16:41:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A84FPztYK_WO; Tue, 23 Sep 2014 16:41:23 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0129.outbound.protection.outlook.com [65.55.169.129]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47D761A6F21; Tue, 23 Sep 2014 16:41:23 -0700 (PDT)
Received: from CO2PR03CA0038.namprd03.prod.outlook.com (10.141.194.165) by DM2PR0301MB1215.namprd03.prod.outlook.com (25.160.219.16) with Microsoft SMTP Server (TLS) id 15.0.1034.13; Tue, 23 Sep 2014 23:41:29 +0000
Received: from BN1BFFO11FD035.protection.gbl (2a01:111:f400:7c10::1:133) by CO2PR03CA0038.outlook.office365.com (2a01:111:e400:1414::37) with Microsoft SMTP Server (TLS) id 15.0.1034.13 via Frontend Transport; Tue, 23 Sep 2014 23:41:21 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD035.mail.protection.outlook.com (10.58.144.98) with Microsoft SMTP Server (TLS) id 15.0.1029.15 via Frontend Transport; Tue, 23 Sep 2014 23:41:20 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.23]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0195.002; Tue, 23 Sep 2014 23:40:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Kent <kent@bbn.com>, Tim Bray <tbray@textuality.com>
Thread-Topic: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
Thread-Index: AQHP0QAJrqBafxnciEq+15U92qOPJ5wCX4gggAAqrwCAAAC8AIAAFg3wgAE4uwCAACJUsIAANZwAgAABiQCAATZJgIAAIVYAgAAVBICACcudQA==
Date: Tue, 23 Sep 2014 23:40:39 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BA6F3CF@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAHbuEH4Ccn2Z=8kEECzvgjmtshwsFoa-EH_NpkJPos7zirGeaQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AEC00DB@TK5EX14MBXC292.redmond.corp.microsoft.com> <5416FE10.3060608@bbn.com> <CAHBU6iu3GfsLCAint3z7risZUnVW4EK0WrGVW6Dv=gvppiHSxQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECCCDD@TK5EX14MBXC292.redmond.corp.microsoft.com> <54173546.5000400@bbn.com> <CAHBU6ivb3BeEufcnJB+eSk8wgETMx+qzH3miE6Z1jtrQkXNR3w@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECE40B@TK5EX14MBXC292.redmond.corp.microsoft.com> <54184EBA.3010109@bbn.com> <4E1F6AAD24975D4BA5B16804296739439AED1727@TK5EX14MBXC292.redmond.corp.microsoft.com> <5418987E.1060307@bbn.com> <CFD36394-E707-4D51-9689-DD8B1FD320D5@ve7jtb.com> <54199E11.1000809@bbn.com> <CAHBU6ivJ+mQZetWDDkRjP1nB+XOCLyXatq4k9bv4y7onAgu=ug@mail.gmail.com> <5419CBA9.8020807@bbn.com>
In-Reply-To: <5419CBA9.8020807@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.78]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439BA6F3CFTK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(199003)(377454003)(189002)(69234005)(104016003)(90102001)(74662003)(15202345003)(31966008)(21056001)(33656002)(19625215002)(86362001)(10300001)(120916001)(64706001)(20776003)(230783001)(107046002)(77982003)(55846006)(84326002)(6806004)(81542003)(46102003)(71186001)(2656002)(85806002)(97736003)(4396001)(86612001)(16236675004)(79102003)(80022003)(87936001)(106466001)(106116001)(85852003)(69596002)(68736004)(81342003)(92726001)(83072002)(84676001)(92566001)(66066001)(76482002)(76176999)(44976005)(19300405004)(15975445006)(19580395003)(95666004)(93886004)(77096002)(19580405001)(99396002)(85306004)(81156004)(83322001)(50986999)(512954002)(54356999)(74502003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB1215; H:mail.microsoft.com; FPR:; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB1215;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0343AC1D30
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/7MXlIVOuZRcTwVMUYtms7t-V16w
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "jose@ietf.org" <jose@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>
Subject: Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Sep 2014 23:41:30 -0000

FYI, I did not change the language about duplicate member names in the JOSE -32 and JWT -26 drafts at this time because it seems that there remains substantial working group support for the current semantics, including by Tim Bray (the JSON spec editor) and Richard Barnes.  I did not yet add an I-JSON reference to impose a requirement on producers because it seemed imprudent to take a normative dependency on an unfinished specification.  However, if I-JSON does finish before these specs are RFCs, we could easily do that when it finishes, if the working group, etc. concurs with that action.

My focus for this round of edits was to resolve all the review comments for which the proposed resolutions appeared to be uncontroversial.  I understand that the working group and others may continue discussing this issue.

                                                                -- Mike

From: Stephen Kent [mailto:kent@bbn.com]
Sent: Wednesday, September 17, 2014 10:58 AM
To: Tim Bray
Cc: John Bradley; Mike Jones; draft-ietf-jose-json-web-key.all@tools.ietf.org; Kathleen Moriarty; jose-chairs@tools.ietf.org; jose@ietf.org; secdir@ietf.org
Subject: Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Tim,

The chance  of the JOSE working group moving the vast world of deployed JSON infrastructure round to 0.00.   Thus putting a MUST reject in here would essentially say you can't use well-debugged production software, and would be a really bad idea.
So, JSON is not easily changed, but adopting I-JSON will easier. OK, I'll take your word on that.

On the other hand, if JOSE specified that producers' messages MUST conform to I-JSON, and a couple other WGs climbed on that bandwagon, and the word started to get around, I wouldn't be surprised if a few of the popular JSON implementations added an I-JSON mode.  That would be a good thing and lessen the attack surface of all JSON-based protocols (which these days, is a whole lot of them).

I am comfortable with mandating I-JSON if you believe that will be a more effective way to
encourage change.

Steve

v2.23.0 | Report a Bug | By Email