We're 24 votes into the header criticality poll, so I thought I would go
ahead and take a look at how the results are shaping up. My initial
tabulation is below. The result on the FIRST POLL (the main one) is as
follows:
No: 10
Yes: 14
What I find striking, however, is that every single person that voted "Yes"
on the FIRST POLL also voted "Yes" on the SECOND POLL. So nobody who
thinks that all headers should be critical thinks that a JOSE library
should actually be required to enforce this constraint. And that means
that enforcing that all headers are supported cannot be a MUST according to
RFC 2119.
So I wonder if there's consensus to remove the following text from JWE and
JWS:
-----BEGIN-JWE-----
4. The resulting JWE Header MUST be validated to only include
parameters and values whose syntax and semantics are both
understood and supported.
-----END-JWE-----
-----BEGIN-JWS-----
4. The resulting JWS Header MUST be validated to only include
parameters and values whose syntax and semantics are both
understood and supported.
-----END-JWS-----
Otherewise, a JOSE library conforming to these specifications would be
REQUIRED (a synonym to MUST in 2119) to reject a JWE/JWS that contains an
unknown header, contradicting all those "Yes" votes on the SECOND POLL.
--Richard
-----BEGIN-Tabulation-----
1 2 3 Name:
N - - Bradley
N - - Ito
N N A Yee
N N B Barnes
N N B Rescorla
N N C Manger
N N C Octman
N Y A Fletcher
N Y A Miller
N Y A Sakimura
Y Y - D'Agostino
Y Y A Biering
Y Y A Brault
Y Y A Hedberg
Y Y A Jay
Y Y A Jones
Y Y A Marais
Y Y A Nadalin
Y Y A Nara
Y Y A Nennker
Y Y A Solberg
Y Y B Hardt
Y Y B Medeiros
Y Y C Matake
Y Y C Mishra
-----END-Tabulation-----
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
