FYI, I did not change the language about duplicate member names in the JOSE -32
and JWT -26 drafts at this time because it seems that there remains substantial
working group support for the current semantics, including by Tim Bray (the
JSON spec editor) and Richard Barnes. I did not yet add an I-JSON reference to
impose a requirement on producers because it seemed imprudent to take a
normative dependency on an unfinished specification. However, if I-JSON does
finish before these specs are RFCs, we could easily do that when it finishes,
if the working group, etc. concurs with that action.
My focus for this round of edits was to resolve all the review comments for
which the proposed resolutions appeared to be uncontroversial. I understand
that the working group and others may continue discussing this issue.
-- Mike
From: Stephen Kent [mailto:[email protected]]
Sent: Wednesday, September 17, 2014 10:58 AM
To: Tim Bray
Cc: John Bradley; Mike Jones; [email protected];
Kathleen Moriarty; [email protected]; [email protected]; [email protected]
Subject: Re: [jose] JWK member names, was: SECDIR review of
draft-ietf-jose-json-web-key-31
Tim,
The chance of the JOSE working group moving the vast world of deployed JSON
infrastructure rounds to 0.00. Thus putting a MUST reject in here would
essentially say you can't use well-debugged production software, and would be a
really bad idea.
So, JSON is not easily changed, but adopting I-JSON will be easier. OK, I'll take
your word on that.
On the other hand, if JOSE specified that producers' messages MUST conform to
I-JSON, and a couple other WGs climbed on that bandwagon, and the word started
to get around, I wouldn't be surprised if a few of the popular JSON
implementations added an I-JSON mode. That would be a good thing and lessen
the attack surface of all JSON-based protocols (which these days, is a whole
lot of them).
I am comfortable with mandating I-JSON if you believe that will be a more
effective way to encourage change.
Steve
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose