FIRST POLL : Yes
- cause JOSE headers are security artifacts; when present, they must not
be ignored by a processor of JOSE objects
SECOND POLL: Yes
- the language here is a bit confusing, i think the distinction sought
here is between a deployment instance versus a static component
(library). If I understand the intent here,
the suggestion is that a deployment instance of a JOSE processor should
treat JOSE-defined headers as critical.
THIRD POLL: C
- high-level list of ignorable headers (vs. adding annotation to each
header)
Folks,
I am wrestling with how to help drive consensus on the topic of
criticality of headers. For background, please review the current
specification text, the minutes to the Atlanta meeting (IETF85), and
the mailing list (especially the discussion in December with (Subj:
Whether implementations must understand all JOSE header fields)). We
need to come to closure on this issue in order to progress the
specifications.
As a tool to gather further information on determining a way forward,
the following polls have been created. Please respond before 11
February 2013.
Thanks,
Karen
*******************
FIRST POLL: Should all header fields be critical for implementations
to understand?
YES – All header fields must continue to be understood by
implementations or the input must be rejected.
NO – A means of listing that specific header fields may be safely
ignored should be defined.
********************
SECOND POLL: Should the result of the first poll be "YES", should text
like the following be added? “Implementation Note: The requirement to
understand all header fields is a requirement on the system as a whole
– not on any particular level of library software. For instance, a
JOSE library could process the headers that it understands and then
leave the processing of the rest of them up to the application. For
those headers that the JOSE library didn’t understand, the
responsibility for fulfilling the ‘MUST understand’ requirement for
the remaining headers would then fall to the application.”
YES – Add the text clarifying that the “MUST understand” requirement
is a requirement on the system as a whole – not specifically on JOSE
libraries.
NO – Don’t add the clarifying text.
************************
THIRD POLL: Should the result of the first poll be "NO", which syntax
would you prefer for designating the header fields that may be ignored
if not understood?
A – Define a header field that explicitly lists the fields that may be
safely ignored if not understood.
B – Introduce a second header, where implementations must understand
all fields in the first but they may ignore not-understood fields in
the second.
C - Other??? (Please specify in detail.)
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
