Below I'm responding only to the remaining issue about "rejecting JWSs".   
Pete, please let me know if the proposed language works for you.

> >>>>> 5.2:
> >>>>>
> >>>>> Strike the last sentence of the second paragraph. There's no
> >>>>> requirement here. If none of them validate, I can do what I want
> >>>>> with the JWS. I needn't "reject" it. I might just mark it as "invalid".
> >>>>>
> >>>>> [Get rid of all talk of "rejecting" throughout this document.
> >>>>> Again, I will note that the signatures are not valid, but
> >>>>> rejecting is a local implementation detail.]
> >>>>>
> >>>> As discussed during the telechat and on subsequent threads, the
> >>>> terms "accept" and "reject" are commonly used in this way, for
> >>>> instance, in RFC 5820.  As Kathleen wrote after the call, "For the
> >>>> "reject" language, Pete said on the call that he would go through each one
> >>>> to see where it might be application specific and will suggest changes.
> >>>> Thanks in advance, Pete.".
> >>>>
> 
> So I've gone through all of the "reject"s in the document, and I think I see a
> way to allay my concern without significantly changing the
> language: Instead of saying "reject the JWS" as it does in most places, I
> believe it would be much clearer if it simply said "reject the signature" as it
> does in 4.1.6. Then you're clearly not saying "rejecting the data", as I'm afraid
> certain sorts of applications developers will interpret it. In some instances,
> you'll need to say something like "reject the signature of a JWS with foobar",
> but I don't think that significantly changes the intended meaning.

It turns out that way back in draft -15, in response to issue #35 
(http://trac.tools.ietf.org/wg/jose/trac/ticket/35), we'd already changed 
statements about "rejecting the JWS" in contexts of signature failures to 
statements about the JWS Signature being invalid.  So those uses of "reject 
the JWS" that remained were actually about rejecting the whole thing - not 
about rejecting the signature.  I'm revisiting that history because your 
suggested language about "reject the signature" doesn't actually convey the 
correct meaning in the remaining contexts.

But I understand and agree with your intent - which is to say that 
implementations will determine that some JWSs are invalid, rather than the 
"rejection" being some kind of cataclysmic failure.  To achieve this intent, 
I've instead changed the language "reject the JWS" to "consider the JWS to be 
invalid" in my current editor's draft.  Let me know if that works for you.

I've made the parallel changes in the JWE draft as well.

                                Thanks again,
                                -- Mike

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
