On Mon, Sep 15, 2014 at 12:18 PM, John Bradley <[email protected]> wrote:
> Are you recommending that: > That receivers MUST reject JOSE objects with duplicate keys. > > This would require compliant implementations to write there own parsers > (perhaps not a good idea), or wait for I-JSON parsers (perhaps sometime > soonish) > Agree, sigh. > Or that JOSE require producers not to send dup keys, and receivers SHOULD > reject them if possible based on the parser. > Yeah… MUST NOT send malformed JSON (I argue that an economical way to do that would be to reference I-JSON if the schedule works). As for the receiver, I like SHOULD reject, but I’m wondering if we can get away with that given that a high proportion of receiving software will have no way to detect the error. > For JWE and JWS the header is integrity protected so we are talking about > duplicate keys inserted by a bad producer rather than an attacker modifying > the message after signing.. > Whatever. If you get a busted message, something is wrong somewhere upstream. > I suspect the important issue is taking care that when producing a JWE/JWS > you are not accepting arbitrary elements for the header without verifying > that they are not JOSE parameters. > Hm, for ID Tokens, didn’t we do exactly the opposite, and end up with a Must-Ignore policy? > > John B. > > > On Sep 15, 2014, at 3:54 PM, Tim Bray <[email protected]> wrote: > > When I talk about existing software I’m referring to generic JSON parsers > such as are included in the basic library set of every programming language > now, and which are unfortunately idiosyncratic and inconsistent in their > handling of dupe keys, but in almost no cases actually inform the calling > software whether or not dupe keys were encountered. > > On Mon, Sep 15, 2014 at 11:51 AM, Stephen Kent <[email protected]> wrote: > >> OK, I'm a bit confused. >> >> I thought the JOSE specs were intended to create standards for transport >> of keys, and for sigs, >> MACs, and encryption of JSON objects. >> >> What is the existing software to which you and Tim refer, when referring >> to keys (vs. >> JSON parsing in general)? >> >> Steve >> >> > > > -- > - Tim Bray (If you’d like to send me a private message, see > https://keybase.io/timbray) > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > > > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > > -- - Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
