Does making 'crit' not required open one up to the possibility of an attack along the following lines:
1. Create a JWS with a b64=true header 2. Sign it using the b64=false construction 3. Send it to a validator that does not understand the b64 header. 4. Claim that the validator should have failed validation and not performed the signed command Jim From: jose [mailto:[email protected]] On Behalf Of Mike Jones Sent: Wednesday, October 21, 2015 2:16 PM To: Manger, James <[email protected]>; [email protected] Subject: Re: [jose] JWS Unencoded Payload Option spec addressing WGLC comments As I see it, explicitly updating JWS isn't necessary, since JWS established the JSON Web Signature and Encryption Header Parameters Registry to allow for additional Header Parameters to be defined, and so implementers are expected to refer to the registry and gracefully handle the possibility of extensions registered there. The JWS Unencoded Payload Option specification registers such an extension. As to whether "crit" is required, "crit" is only necessary if an explicit directive is required that the validation must fail if the header parameter is not understood. However, in this case, if "b64" is not understood and simply ignored, the validation will fail without needing to use "crit", since the signature validation will fail. Thus, the use of "crit" is unnecessary for "b64". -- Mike From: Manger, James [mailto:[email protected]] Sent: Tuesday, October 13, 2015 7:55 PM To: Mike Jones <[email protected] <mailto:[email protected]> >; [email protected] <mailto:[email protected]> Subject: RE: JWS Unencoded Payload Option spec addressing WGLC comments Shouldn't draft-ietf-jose-jws-signing-input-options update RFC 7515 "JWS"? That seems quite important as draft-ietf-jose-jws-signing-input-options changes the meaning of valid JWS messages (new "b64" field that cannot be ignored, but is not listed in "crit"), and allows a bunch of previously invalid chars in JWS Compact Serializations (invalidating the JWS definition of Compact Serialization as a "URL-safe string"). -- James Manger From: jose [mailto:[email protected]] On Behalf Of Mike Jones Sent: Wednesday, 14 October 2015 10:49 AM To: [email protected] <mailto:[email protected]> Subject: [jose] JWS Unencoded Payload Option spec addressing WGLC comments Draft -03 of the JWS Unencoded Payload Option specification addresses the working group last call comments received. Thanks to Jim Schaad, Vladimir Dzhuvinov, John Bradley, and Nat Sakimura for the useful comments. Changes were: * Allowed the ASCII space character and all printable ASCII characters other than period ('.') in non-detached unencoded payloads using the JWS Compact Serialization. * Updated the abstract to say that that the spec updates RFC 7519. * Removed unused references. * Changed the change controller to IESG. The specification is available at: * https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-03 <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf .org%2fhtml%2fdraft-ietf-jose-jws-signing-input-options-03&data=01%7c01%7cMi chael.Jones%40microsoft.com%7c67566ac2856449dd329b08d2d442d2c8%7c72f988bf86f 141af91ab2d7cd011db47%7c1&sdata=cwfExLlgEK11IEBTdvKI63EI6xNBi1JTV0KVipTf8JU% 3d> An HTML formatted version is also available at: * http://self-issued.info/docs/draft-ietf-jose-jws-signing-input-options-03.ht ml <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fself-issued .info%2fdocs%2fdraft-ietf-jose-jws-signing-input-options-03.html&data=01%7c0 1%7cMichael.Jones%40microsoft.com%7c67566ac2856449dd329b08d2d442d2c8%7c72f98 8bf86f141af91ab2d7cd011db47%7c1&sdata=5nAlXMo6uPDM600pp0Kf1JQliQ4maLZc5eCMKf zCdQ8%3d> -- Mike P.S. This note was also published at http://self-issued.info/?p=1465 <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fself-issued .info%2f%3fp%3d1465&data=01%7c01%7cMichael.Jones%40microsoft.com%7c67566ac28 56449dd329b08d2d442d2c8%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=L6oZmQ6 tOl1eW%2fmh9zyorKeY4ouQZTGMn4o9Zid5snk%3d> and as @selfissued <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftwitter.co m%2fselfissued&data=01%7c01%7cmichael.jones%40microsoft.com%7c3a69db7b8b6c4d 47da0f08d2937a3d82%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=ggurSMkRVW%2 bR8Nv93Mnbsf16CmVGqfjB9lW8SV5gAKM%3d> .
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
