Tim, To clarify.
Are you recommending that receivers MUST reject JOSE objects with duplicate keys? This would require compliant implementations to write their own parsers (perhaps not a good idea), or wait for I-JSON parsers (perhaps sometime soonish).

Or that JOSE require producers not to send dup keys, and receivers SHOULD reject them if possible based on the parser?

For JWE and JWS the header is integrity protected, so we are talking about duplicate keys inserted by a bad producer rather than an attacker modifying the message after signing. The concern is if something at the application layer is tricked into inserting a parameter with a duplicate name or one that otherwise changes the message verification.

I suspect the important issue is taking care that when producing a JWE/JWS you are not accepting arbitrary elements for the header without verifying that they are not JOSE parameters.

John B.

On Sep 15, 2014, at 3:54 PM, Tim Bray <[email protected]> wrote:

> When I talk about existing software I’m referring to generic JSON parsers such as are included in the basic library set of every programming language now, and which are unfortunately idiosyncratic and inconsistent in their handling of dupe keys, but in almost no cases actually inform the calling software whether or not dupe keys were encountered.
>
> On Mon, Sep 15, 2014 at 11:51 AM, Stephen Kent <[email protected]> wrote:
>
> > OK, I'm a bit confused.
> >
> > I thought the JOSE specs were intended to create standards for transport of keys, and for sigs, MACs, and encryption of JSON objects.
> >
> > What is the existing software to which you and Tim refer, when referring to keys (vs. JSON parsing in general)?
> >
> > Steve
>
> --
> - Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
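An added example, not from this thread or from any JOSE implementation, showing in Python the two points above: a generic parser silently keeps the last duplicate member without telling the caller, a receiver can detect duplicates by hooking the decoder (I-JSON style rejection), and a producer can refuse application-supplied header members whose names are JOSE parameters. The set of registered header parameter names is taken from RFC 7515 and RFC 7516; the sample header is constructed.

```python
import json

# Registered JOSE header parameter names (taken from RFC 7515 section 4.1 and
# RFC 7516 section 4.1); assumed here as the set a producer must protect.
JOSE_HEADER_PARAMS = frozenset({
    "alg", "enc", "zip", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
    "x5t#S256", "typ", "cty", "crit",
})

class DuplicateKeyError(ValueError):
    """Raised when a JSON object carries the same member name twice."""

def _reject_duplicates(pairs):
    # object_pairs_hook receives every member in document order, including
    # the ones the default decoder would silently overwrite.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate member {key!r}")
        obj[key] = value
    return obj

def parse_header_strict(text):
    """Receiver side: parse a JOSE header, rejecting duplicate member names."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)

def parse_header_lenient(text):
    """What a generic parser does: the last duplicate wins, the caller is not told."""
    return json.loads(text)

def build_protected_header(alg, extra):
    """Producer side: merge application-supplied members into the header,
    refusing any whose name is a JOSE-defined parameter."""
    clashes = JOSE_HEADER_PARAMS & set(extra)
    if clashes:
        raise ValueError(f"application members shadow JOSE parameters: {sorted(clashes)}")
    return {"alg": alg, **extra}

# Constructed sample: a protected header in which "alg" appears twice.
SAMPLE_DUP = '{"alg":"RS256","kid":"key-1","alg":"HS256"}'

def demo():
    lenient_alg = parse_header_lenient(SAMPLE_DUP)["alg"]  # "HS256", silently
    try:
        parse_header_strict(SAMPLE_DUP)
        strict_rejected = False
    except DuplicateKeyError:
        strict_rejected = True
    return lenient_alg, strict_rejected
```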
