I think it is fine to leave this issue as open through the IESG review.
The discussion and further explanation in this thread has been helpful,
thank you.  This could get handled in a number of ways, leave it as-is,
address it with the I-JSON reference in this draft, or in an update to the
published RFC.  We'll see if there are strong opinions in the IESG.  I tend
to go for stricter options to prevent issues, but do recognize that there
are some challenges with that option and would like to see the IESG
opinions.

Thank you.

On Tue, Sep 23, 2014 at 7:40 PM, Mike Jones <[email protected]>
wrote:

>  FYI, I did not change the language about duplicate member names in the
> JOSE -32 and JWT -26 drafts at this time because it seems that there
> remains substantial working group support for the current semantics,
> including by Tim Bray (the JSON spec editor) and Richard Barnes.  I did not
> yet add an I-JSON reference to impose a requirement on producers because it
> seemed imprudent to take a normative dependency on an unfinished
> specification.  However, if I-JSON does finish before these specs are RFCs,
> we could easily do that when it finishes, if the working group, etc.
> concurs with that action.
>
> My focus for this round of edits was to resolve all the review comments
> for which the proposed resolutions appeared to be uncontroversial.  I
> understand that the working group and others may continue discussing this
> issue.
>
>                                                                 -- Mike
>
> *From:* Stephen Kent [mailto:[email protected]]
> *Sent:* Wednesday, September 17, 2014 10:58 AM
> *To:* Tim Bray
> *Cc:* John Bradley; Mike Jones;
> [email protected]; Kathleen Moriarty;
> [email protected]; [email protected]; [email protected]
> *Subject:* Re: [jose] JWK member names, was: SECDIR review of
> draft-ietf-jose-json-web-key-31
>
> Tim,
>
>   The chance of the JOSE working group moving the vast world of deployed
> JSON infrastructure rounds to 0.00.  Thus putting a MUST reject in here
> would essentially say you can't use well-debugged production software, and
> would be a really bad idea.
>
> So, JSON is not easily changed, but adopting I-JSON will be easier. OK, I'll
> take your word on that.
>
>   On the other hand, if JOSE specified that producers’ messages MUST
> conform to I-JSON, and a couple other WGs climbed on that bandwagon, and
> the word started to get around, I wouldn’t be surprised if a few of the
> popular JSON implementations added an I-JSON mode.  That would be a good
> thing and lessen the attack surface of all JSON-based protocols (which
> these days, is a whole lot of them).
>
>
> I am comfortable with mandating I-JSON if you believe that will be a more
> effective way to encourage change.
>
> Steve
>



-- 

Best regards,
Kathleen
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
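The practical problem behind this thread is that RFC 7159 JSON leaves duplicate member names undefined, so two conforming parsers can hand a JOSE consumer different values for the same JWK, while I-JSON's "MUST reject" makes the ambiguity an error. The following Python is an added illustration (not code from the JOSE drafts or any of the posters) using a constructed JWK-shaped sample in which the "k" member appears twice; the first-wins parser is hypothetical and stands in for deployed libraries that behave that way.

```python
import json


def _keep_first(pairs):
    """Hypothetical lenient parser: the first occurrence of a name wins."""
    obj = {}
    for name, value in pairs:
        obj.setdefault(name, value)
    return obj


def _reject_duplicates(pairs):
    """I-JSON style: a duplicate member name is a hard parse error."""
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise ValueError(f"duplicate member name: {name!r}")
        obj[name] = value
    return obj


def parse_last_wins(text):
    """Python's default behaviour (shared by many deployed parsers)."""
    return json.loads(text)


def parse_first_wins(text):
    return json.loads(text, object_pairs_hook=_keep_first)


def parse_strict(text):
    """Apply I-JSON's unique-name rule to every object, nested ones included."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def is_i_json_object(text):
    """True only if the document parses and contains no duplicate names."""
    try:
        parse_strict(text)
    except ValueError:
        return False
    return True


# Constructed sample inputs; the key material is placeholder text, not real keys.
DUP_JWK = '{"kty":"oct","k":"k-first","alg":"HS256","k":"k-second"}'
CLEAN_JWK = '{"kty":"oct","k":"k-first","alg":"HS256"}'

if __name__ == "__main__":
    print("last-wins  k =", parse_last_wins(DUP_JWK)["k"])
    print("first-wins k =", parse_first_wins(DUP_JWK)["k"])
    print("I-JSON accepts DUP_JWK:", is_i_json_object(DUP_JWK))
```

Run it and the two lenient parsers report different "k" values for the same bytes, which is the disagreement a strict producer-side rule (I-JSON) or a consumer-side MUST reject is meant to close off.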
