Allow me to quote RFC 2119, which defines the requirements terminology for IETF documents:

"
1. MUST   This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.
"

By that definition, a system that implements JWE is absolutely required to throw out an object that contains an unknown header. That requirement applies to any system that implements JWE -- JUST JWE, not some overall system that uses JWE. (And likewise JWS.)

So yes, the current language applies very specifically to a JOSE library, not to a more general system. If you want to do that, write a BCP on "Guidelines for Usage of JOSE".

--Richard

On Fri, Feb 8, 2013 at 6:19 PM, Mike Jones <[email protected]> wrote:

> I think you’re missing the point of the second poll question. It’s there to clarify that the requirement to validate the headers is one placed on the system as a whole – not solely on particular pieces of an implementation. Indeed, it’s my understanding that IETF specs almost universally place requirements only on the protocol behaviors – not on how implementations must be factored. In other words, it’s normal for IETF specs to place constraints on the behavior of the system as a whole. The text in the second poll question would just reinforce that this is so in this particular case.
>
> Hope everyone has a good weekend!
>
> -- Mike
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Richard Barnes
> *Sent:* Friday, February 08, 2013 3:12 PM
> *To:* [email protected]
> *Subject:* [jose] Header criticality -- hidden consensus?
>
> We're 24 votes into the header criticality poll, so I thought I would go ahead and take a look at how the results are shaping up. My initial tabulation is below. The result on the FIRST POLL (the main one) is as follows:
>
> No: 10
> Yes: 14
>
> What I find striking, however, is that every single person that voted "Yes" on the FIRST POLL also voted "Yes" on the SECOND POLL. So nobody who thinks that all headers should be critical thinks that a JOSE library should actually be required to enforce this constraint. And that means that enforcing that all headers are supported cannot be a MUST according to RFC 2119.
>
> So I wonder if there's consensus to remove the following text from JWE and JWS:
>
> -----BEGIN-JWE-----
> 4. The resulting JWE Header MUST be validated to only include
>    parameters and values whose syntax and semantics are both
>    understood and supported.
> -----END-JWE-----
>
> -----BEGIN-JWS-----
> 4. The resulting JWS Header MUST be validated to only include
>    parameters and values whose syntax and semantics are both
>    understood and supported.
> -----END-JWS-----
>
> Otherwise, a JOSE library conforming to these specifications would be REQUIRED (a synonym to MUST in 2119) to reject a JWE/JWS that contains an unknown header, contradicting all those "Yes" votes on the SECOND POLL.
>
> --Richard
>
> -----BEGIN-Tabulation-----
> 1 2 3 Name:
> N - - Bradley
> N - - Ito
> N N A Yee
> N N B Barnes
> N N B Rescorla
> N N C Manger
> N N C Octman
> N Y A Fletcher
> N Y A Miller
> N Y A Sakimura
> Y Y - D'Agostino
> Y Y A Biering
> Y Y A Brault
> Y Y A Hedberg
> Y Y A Jay
> Y Y A Jones
> Y Y A Marais
> Y Y A Nadalin
> Y Y A Nara
> Y Y A Nennker
> Y Y A Solberg
> Y Y B Hardt
> Y Y B Medeiros
> Y Y C Matake
> Y Y C Mishra
> -----END-Tabulation-----
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
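
The two readings argued over in this thread, shown side by side as an added example (not part of the original messages and not code from any JOSE library). `validate_strict` applies the quoted step 4 inside the library and rejects any unknown header parameter; `validate_delegating` returns the unknown names so the surrounding system can decide. The `SUPPORTED` set, the function names and the sample tokens are assumptions constructed for illustration, and only parameter names are checked, not values.

```python
import base64
import json

# Assumption: header parameters this hypothetical library understands.
SUPPORTED = frozenset({"alg", "typ", "kid"})

class UnsupportedHeader(ValueError):
    """Raised when a header carries a parameter outside the supported set."""

def b64url_decode(segment: str) -> bytes:
    # Compact serializations drop base64url padding; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_header(compact: str) -> dict:
    # The header is the first segment of a compact JWS (3 parts) or JWE (5 parts).
    segments = compact.split(".")
    if len(segments) not in (3, 5):
        raise ValueError("not a compact JWS or JWE")
    header = json.loads(b64url_decode(segments[0]))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    return header

def unknown_params(header: dict, supported=SUPPORTED) -> list:
    return sorted(set(header) - set(supported))

def validate_strict(compact: str, supported=SUPPORTED) -> dict:
    # Library-level MUST: an unknown parameter makes the whole object invalid.
    header = parse_header(compact)
    unknown = unknown_params(header, supported)
    if unknown:
        raise UnsupportedHeader("unsupported header parameter(s): " + ", ".join(unknown))
    return header

def validate_delegating(compact: str, supported=SUPPORTED):
    # System-level reading: report unknown names and let the caller decide.
    header = parse_header(compact)
    return header, unknown_params(header, supported)

def make_token(header: dict) -> str:
    # Constructed sample: payload and signature are placeholders, never verified.
    parts = [json.dumps(header).encode(), b"payload", b"sig"]
    return ".".join(b64url_encode(p) for p in parts)
```
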
