This resolution is incorporated in the -37 drafts.

                                -- Mike

-----Original Message-----
From: jose [mailto:[email protected]] On Behalf Of Mike Jones
Sent: Wednesday, November 19, 2014 1:49 PM
To: Pete Resnick
Cc: [email protected]; Jim Schaad; Kathleen Moriarty; The IESG; 
[email protected]; [email protected]
Subject: Re: [jose] Pete Resnick's Discuss on 
draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)

Below I'm responding only to the remaining issue about "rejecting JWSs".   
Pete, please let me know if the proposed language works for you.

> >>>>> 5.2:
> >>>>>
> >>>>> Strike the last sentence of the second paragraph. There's no 
> >>>>> requirement here. If none of them validate, I can do what I want 
> >>>>> with the JWS. I needn't "reject" it. I might just mark it as "invalid".
> >>>>>
> >>>>> [Get rid of all talk of "rejecting" throughout this document.
> >>>>> Again, I will note that the signatures are not valid, but 
> >>>>> rejecting is a local implementation detail.]
> >>>>>
> >>>> As discussed during the telechat and on subsequent threads, the 
> >>>> terms "accept" and "reject" are commonly used in this way, for 
> >>>> instance, in RFC 5820.  As Kathleen wrote after the call, "For
> >>>> the "reject" language, Pete said on the call that he would go
> >>>> through each one to see where it might be application specific
> >>>> and will suggest changes. Thanks in advance, Pete.".
> >>>>
> 
> So I've gone through all of the "reject"s in the document, and I think 
> I see a way to allay my concern without significantly changing the
> language: Instead of saying "reject the JWS" as it does in most 
> places, I believe it would be much clearer if it simply said "reject 
> the signature" as it does in 4.1.6. Then you're clearly not saying 
> "rejecting the data", as I'm afraid certain sorts of applications 
> developers will interpret it. In some instances, you'll need to say 
> something like "reject the signature of a JWS with foobar", but I don't think 
> that significantly changes the intended meaning.

It turns out that way back in draft -15, in response to issue #35 
(http://trac.tools.ietf.org/wg/jose/trac/ticket/35), we'd already changed 
statements about "rejecting the JWS" in contexts of signature failures to 
statements about the JWS Signature being invalid.  So those uses of "reject 
the JWS" that remained were actually about rejecting the whole thing - not 
about rejecting the signature.  I'm revisiting that history because your 
suggested language about "reject the signature" doesn't actually convey the 
correct meaning in the remaining contexts.

But I understand and agree with your intent - which is to say that 
implementations will determine that some JWSs are invalid, rather than the 
"rejection" being some kind of cataclysmic failure.  To achieve this intent, 
I've instead changed the language "reject the JWS" to "consider the JWS to be 
invalid" in my current editor's draft.  Let me know if that works for you.

I've made the parallel changes in the JWE draft as well.

                                Thanks again,
                                -- Mike

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
