OK with me. > On Nov 19, 2014, at 4:49 PM, Mike Jones <[email protected]> wrote: > > Below I'm responding only to the remaining issue about "rejecting JWSs". > Pete, please let me know if the proposed language works for you. > >>>>>>> 5.2: >>>>>>> >>>>>>> Strike the last sentence of the second paragraph. There's no >>>>>>> requirement here. If none of them validate, I can do what I want >>>>>>> with the JWS. I needn't "reject" it. I might just mark it as "invalid". >>>>>>> >>>>>>> [Get rid of all talk of "rejecting" throughout this document. >>>>>>> Again, I will note that the signatures are not valid, but >>>>>>> rejecting is a local implementation detail.] >>>>>>> >>>>>> As discussed during the telechat and on subsequent threads, the >>>>>> terms "accept" and "reject" are commonly used in this way, for >>>>>> instance, in RFC 5820. As Kathleen wrote after the call, "For the >> "reject" >>>>>> language, Pete said on the call that he would go through each one >>>>>> to see where it might be application specific and will suggest changes. >>>>>> Thanks in advance, Pete.". >>>>>> >> >> So I've gone through all of the "reject"s in the document, and I think I see >> a >> way to allay my concern without significantly changing the >> language: Instead of saying "reject the JWS" as it does in most places, I >> believe it would be much clearer if it simply said "reject the signature" as >> it >> does in 4.1.6. Then you're clearly not saying "rejecting the data", as I'm >> afraid >> certain sorts of applications developers will interpret it. In some >> instances, >> you'll need to say something like "reject the signature of a JWS with >> foobar", >> but I don't think that significantly changes the intended meaning. > > It turns out that way back in draft -15, in response to issue #35 > (http://trac.tools.ietf.org/wg/jose/trac/ticket/35), we'd already changed > statements about "rejecting the JWS" in contexts of signature failures to > statements about the JWS Signature being invalid. So those uses of "reject > the JWS" that remained were actually about rejecting the whole thing - not > about rejecting the signature. I'm revisiting that history because your > suggested language about "reject the signature" doesn't actually convey the > correct meaning in the remaining contexts. > > But I understand and agree with your intent - which is to say that > implementations will determine that some JWSs are invalid, rather than the > "rejection" being some kind of cataclysmic failure. To achieve this intent, > I've instead changed the language "reject the JWS" to "consider the JWS to be > invalid" in my current editor's draft. Let me know if that works for you. > > I've made the parallel changes in the JWE draft as well. > > Thanks again, > -- Mike > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
