Yes Yes No strong opinion -----Original Message----- From: Prateek Mishra [mailto:[email protected]] Sent: Friday, February 08, 2013 4:08 PM To: [email protected] Subject: Re: [jose] POLL(s): header criticality
FIRST POLL : Yes - cause JOSE headers are security artifacts; when present, they must not be ignored by a processor of JOSE objects SECOND POLL: Yes - the language here is a bit confusing, i think the distinction sought here is between a deployment instance versus a static component (library). If I understand the intent here, the suggestion is that a deployment instance of a JOSE processor should treat JOSE-defined headers as critical. THIRD POLL: C - high-level list of ignorable headers (vs. adding annotation to each header) > Folks, > > I am wrestling with how to help drive consensus on the topic of > criticality of headers. For background, please review the current > specification text, the minutes to the Atlanta meeting (IETF85), and > the mailing list (especially the discussion in December with (Subj: > Whether implementations must understand all JOSE header fields)). We > need to come to closure on this issue in order to progress the > specifications. > > As a tool to gather further information on determining a way forward, > the following polls have been created. Please respond before 11 > February 2013. > > Thanks, > Karen > > ******************* > FIRST POLL: Should all header fields be critical for implementations > to understand? > > YES - All header fields must continue to be understood by > implementations or the input must be rejected. > > NO - A means of listing that specific header fields may be safely > ignored should be defined. > > ******************** > SECOND POLL: Should the result of the first poll be "YES", should text > like the following be added? "Implementation Note: The requirement to > understand all header fields is a requirement on the system as a whole > - not on any particular level of library software. For instance, a > JOSE library could process the headers that it understands and then > leave the processing of the rest of them up to the application. For > those headers that the JOSE library didn't understand, the > responsibility for fulfilling the 'MUST understand' requirement for > the remaining headers would then fall to the application." > > YES - Add the text clarifying that the "MUST understand" requirement > is a requirement on the system as a whole - not specifically on JOSE > libraries. > > NO - Don't add the clarifying text. > > ************************ > THIRD POLL: Should the result of the first poll be "NO", which syntax > would you prefer for designating the header fields that may be ignored > if not understood? > > A - Define a header field that explicitly lists the fields that may be > safely ignored if not understood. > > B - Introduce a second header, where implementations must understand > all fields in the first but they may ignore not-understood fields in > the second. > > C - Other??? (Please specify in detail.) > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
