I'll second James' vote: 1. NO 2. NO 3. C -- one critical field; the definition of each value for this field implies what else you need to understand; if you want to add a new field that MUST be understood, just use a new value for the one critical field.
Cheers, Dirkjan On Thu, Feb 7, 2013 at 12:04 PM, Manger, James H <[email protected]> wrote: > 1. NO > > 2. NO > > 3. C -- one critical field; the definition of each value for this field > implies what else you need to understand; if you want to add a new field > that MUST be understood, just use a new value for the one critical field. > > > > > > I second Richard's comment about YES to 2. > > What would a JOSE library API look like if all fields MUST be understood by > “the system”? Does the “top” layer tell the library what it understands; > does the library return a list of unrecognized fields? > > > > -- > > James Manger > > > > From: [email protected] [mailto:[email protected]] On Behalf Of > Richard Barnes > Sent: Thursday, 7 February 2013 6:02 AM > To: [email protected]; [email protected] > > > Subject: Re: [jose] POLL(s): header criticality > > > > tl;dr: > > FIRST POLL: NO > SECOND POLL: NO > THIRD POLL: B > > Further notes: > > On SECOND POLL: Voting "Yes" on the SECOND POLL is equivalent to voting "NO" > on the FIRST POLL. If the requirement isn't placed on any particular > element of the system, then nobody will implement it, and there will be no > control. > > On THIRD POLL: I don't care all that much about the specific syntax, but I > have a strong preference that these non-critical fields be excluded from the > integrity check that is applied to the header. So I would prefer something > like what Dick suggested, but encoded as a separate element of a JW* object. > As Breno notes, this can be done in a backwards compatible way. (I voted > "B" because I understood "A" to imply something like Mike's earlier > proposal, which would have just had a list of field names.) > > In any case, I would encourage the chairs to focus on the first poll, and > view any results in the second and third as informative for further > discussion of wording or syntax. > > > > > > On Wed, Feb 6, 2013 at 1:47 PM, Nat Sakimura <[email protected]> wrote: > > FIRST POLL: NO > > SECOND POLL: YES > THIRD POLL: A > > > > 2013/2/4 Karen O'Donoghue <[email protected]> > > Folks, > > I am wrestling with how to help drive consensus on the topic of criticality > of headers. For background, please review the current specification text, > the minutes to the Atlanta meeting (IETF85), and the mailing list > (especially the discussion in December with (Subj: Whether implementations > must understand all JOSE header fields)). We need to come to closure on this > issue in order to progress the specifications. > > As a tool to gather further information on determining a way forward, the > following polls have been created. Please respond before 11 February 2013. > > Thanks, > Karen > > ******************* > FIRST POLL: Should all header fields be critical for implementations to > understand? > > YES – All header fields must continue to be understood by implementations or > the input must be rejected. > > NO – A means of listing that specific header fields may be safely ignored > should be defined. > > ******************** > SECOND POLL: Should the result of the first poll be "YES", should text like > the following be added? “Implementation Note: The requirement to understand > all header fields is a requirement on the system as a whole – not on any > particular level of library software. For instance, a JOSE library could > process the headers that it understands and then leave the processing of the > rest of them up to the application. For those headers that the JOSE library > didn’t understand, the responsibility for fulfilling the ‘MUST understand’ > requirement for the remaining headers would then fall to the application.” > > YES – Add the text clarifying that the “MUST understand” requirement is a > requirement on the system as a whole – not specifically on JOSE libraries. > > NO – Don’t add the clarifying text. > > ************************ > THIRD POLL: Should the result of the first poll be "NO", which syntax would > you prefer for designating the header fields that may be ignored if not > understood? > > A – Define a header field that explicitly lists the fields that may be > safely ignored if not understood. > > B – Introduce a second header, where implementations must understand all > fields in the first but they may ignore not-understood fields in the second. > > C - Other??? (Please specify in detail.) > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > > > > > > -- > Nat Sakimura (=nat) > > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > > > > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
