> -----Original Message----- > From: Mike Jones [mailto:[email protected]] > Sent: Monday, October 06, 2014 12:54 AM > To: Ted Lemon; The IESG > Cc: [email protected]; draft-ietf-jose-json-web- > [email protected]; [email protected] > Subject: RE: Ted Lemon's No Objection on draft-ietf-jose-json-web- > signature-33: (with COMMENT) > > Thanks for the review, Ted. I've added the working group to the thread so > they're aware of your comments. > > > -----Original Message----- > > From: Ted Lemon [mailto:[email protected]] > > Sent: Thursday, October 02, 2014 6:36 AM > > To: The IESG > > Cc: [email protected]; draft-ietf-jose-json-web- > > [email protected] > > Subject: Ted Lemon's No Objection on draft-ietf-jose-json-web-signature- > 33: > > (with COMMENT) > > > > Ted Lemon has entered the following ballot position for > > draft-ietf-jose-json-web-signature-33: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut > > this introductory paragraph, however.) > > > > > > Please refer to > > http://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-signature/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > This looks like an attack surface: > > > > The Header Parameter names within the JOSE > > Header MUST be unique; recipients MUST either reject JWSs with > > duplicate Header Parameter names or use a JSON parser that returns > > only the lexically last duplicate member name, as specified in > > Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript]. > > > > Is this really safe? > > Quoting Kathleen's response on the thread so the working group will see it: > "I pointed to a thread on this in the ballot text, so thanks for weighing in. > This > has been a hot discussion in the WG and is unresolved as to how it should be > handled. This discussion seems to be happening on Pete's Abstain, so let's > see if we can keep it there for now and this as a placeholder. It comes down > to implementation issues and a decision as to how we should best handle it. > Thanks."
Jim says it is not safe, but he has been unable to convince anybody of this fact. > Thanks. A lot of smart and knowledgeable people have contributed to it. > Thanks for your contributions as well. > > -- Mike > _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
