From: Kathleen Moriarty [mailto:[email protected]] Sent: Thursday, October 02, 2014 8:34 AM To: Richard Barnes Cc: Pete Resnick; Ted Lemon; John Bradley; [email protected]; The IESG; [email protected] Subject: Re: Pete Resnick's Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)
On Thu, Oct 2, 2014 at 11:29 AM, Richard Barnes <[email protected]<mailto:[email protected]>> wrote: On Thu, Oct 2, 2014 at 11:25 AM, Pete Resnick <[email protected]<mailto:[email protected]>> wrote: On 10/2/14 10:18 AM, Ted Lemon wrote: On Oct 2, 2014, at 11:05 AM, Pete Resnick<[email protected]<mailto:[email protected]>> wrote: If I use a instant messaging protocol that uses JWS as a payload format for signed instant messages, and in my client, when I receive a message with a broken signature, I display the message to the user but put a big red box around the message with a flashing title in the margin in 7 point Helvetica that says, "Invalid Signature", will I have violated the JWS spec? This isn't as part of "error processing and display"; I'm displaying the text of the message to the user, but I'm marking it as invalid. That seems like the wrong thing to do, unless you like to get a lot of nicely highlighted spam in your instant messaging client. Very much depends on the environment and the purpose. Which is an implementation decision. "MUST reject" is, in fact, not right. Look, the signature verification process has two outcomes: 1. This is a valid signed object 2. This is not a valid signed object The common names for these are "accept" and "reject". No further semantics apply. I agree with Richard here. If we go down the path of changing the language, then we'll have to explore qualifiers to make sure we are not introducing security risks as well. +1 from me. We can explore adding language saying that “reject” does not imply that error processing can’t occur, but I don’t see a compelling case for changing the accept/reject language throughout. -- Mike --Richard pr -- Pete Resnick<http://www.qualcomm.com/~presnick/> Qualcomm Technologies, Inc. - +1 (858)651-4478<tel:%2B1%20%28858%29651-4478> -- Best regards, Kathleen
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
