Dear community,

In terms of the "critical header" some things are unclear.
I understand that
 1. the critical header parameter must not be empty,
 2. the critical header parameter must not contain duplicate entries,
 3. the critical header parameter must be integrity protected,
 4. the critical header must not include Header Parameter names defined by JWS or JWA,
 5. the values that the critical header list refers to must be either in the protected header or in the unprotected header,
 6. critical header parameters must be understood and supported by THE RECIPIENT. (cf. Section 4.1.11 of JWS)

But in Appendix E, Negative Test Case for "crit" Header Parameter, it is not clear why any IMPLEMENTATION must reject the JWS. The implementation is not in a position to decide whether the critical header parameter is understood by THE RECIPIENT or not.
It is possible that a particular recipient understands exactly this entry ("http://example.invalid/UNDEFINED").

I would like to suggest changing the following text:
   The
   following JWS must be rejected by all implementations, because it
   uses an extension Header Parameter name
   "http://example.invalid/UNDEFINED" that they do not understand.  Any
   other similar input, in which the use of the value
   "http://example.invalid/UNDEFINED" is substituted for any other
   Header Parameter name not understood by the implementation, must also
   be rejected.
to:
   The
   following JWS must be rejected by all THE RECIPIENTS, when they do not
   understand the extension Header Parameter name
   "http://example.invalid/UNDEFINED".  Any
   other similar input, in which the use of the value
   "http://example.invalid/UNDEFINED" is substituted for any other
   Header Parameter name not understood by the implementation, must also
   be rejected.

Cheers
Daniel
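To make the six "crit" rules listed in the message concrete, here is an added example (not part of the message, nor code from the JWS specification) that applies them in order, with the set of extension names the recipient implements passed in as a hypothetical `understood` parameter, which is exactly the piece of knowledge the message says an implementation cannot have on its own. The header below is constructed in the shape of the Appendix E case, using the extension name quoted above.

```python
# Header Parameter names registered by RFC 7515 (JWS) itself. A producer
# must not list any of them in "crit" (rule 4 above). The names JWA
# registers for JWE are out of scope for this JWS-only check.
JWS_REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                  "x5t#S256", "typ", "cty", "crit"}


def check_crit(protected, unprotected, understood):
    """Apply the "crit" rules of RFC 7515 Section 4.1.11.

    protected / unprotected: the two parts of the JOSE Header, as dicts.
    understood: the extension names THIS recipient implements (hypothetical
    parameter; only the recipient can supply it, which is the message's point).
    Returns None if "crit" is acceptable, otherwise the reason to reject.
    """
    if "crit" in unprotected:
        return "crit must be integrity protected"                   # rule 3
    if "crit" not in protected:
        return None                                                 # nothing declared critical
    crit = protected["crit"]
    if not isinstance(crit, list) or not crit:
        return "crit must be a non-empty array"                     # rule 1
    if not all(isinstance(n, str) for n in crit):
        return "crit entries must be strings"
    if len(set(crit)) != len(crit):
        return "crit must not contain duplicate entries"            # rule 2
    registered = [n for n in crit if n in JWS_REGISTERED]
    if registered:
        return f"crit must not list JWS-defined names: {registered}"          # rule 4
    header = {**unprotected, **protected}
    missing = [n for n in crit if n not in header]
    if missing:
        return f"crit names absent from the JOSE Header: {missing}"         # rule 5
    unknown = [n for n in crit if n not in understood]
    if unknown:
        return f"recipient does not understand critical extension(s): {unknown}"  # rule 6
    return None


# Constructed protected header in the shape of the Appendix E negative test case.
APPENDIX_E_STYLE_HEADER = {
    "alg": "none",
    "crit": ["http://example.invalid/UNDEFINED"],
    "http://example.invalid/UNDEFINED": True,
}

if __name__ == "__main__":
    # Same input, two recipients: one that does not implement the extension, one that does.
    print(check_crit(APPENDIX_E_STYLE_HEADER, {}, set()))
    print(check_crit(APPENDIX_E_STYLE_HEADER, {}, {"http://example.invalid/UNDEFINED"}))
```

The first call reports the unknown critical extension and the second returns None, so the reject/accept decision depends on the recipient's `understood` set rather than on the implementation alone.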

_______________________________________________
jose mailing list
https://www.ietf.org/mailman/listinfo/jose