RE: Bug 20611 - specify JWK encoding as UTF-8

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Friday, February 21, 2014 1:02 PM
To: Jim Schaad; 'Mark Watson'; public-webcrypto@w3.org
Subject: RE: Bug 20611 - specify JWK encoding as UTF-8

Actually, JOSE's stance is more nuanced than that, as implementations are
allowed to reject input with duplicate keys.  The language used is:

The Header Parameter names within the JWS Header MUST be unique; recipients
MUST either reject JWSs with duplicate Header Parameter names or use a JSON
parser that returns only the lexically last duplicate member name, as
specified in Section 15.12 (The JSON Object) of ECMAScript 5.1

I encourage WebCrypto to likewise allow implementations to reject input with
duplicate member names in all cases.

[JLS] I want to be clear - are you proposing that step 3 of "parse a JWK" be
modified to include "If duplicate member names are found during parsing,
terminate this algorithm with an error."

                                                                -- Mike

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Thursday, February 20, 2014 5:55 PM
To: 'Mark Watson'; public-webcrypto@w3.org
Subject: Bug 20611 - specify JWK encoding as UTF-8

I have no problems with this text.

There is an interesting question if one wishes to stay with the ECMA 262
reference or change to the ECMA 404 document as the reference to be used for
JSON grammar.

The major difference is that there is a set of parsing rules in 262
while 404 is strictly what the string looks like.

I am totally agnostic about making this change.  JOSE decided that it was
going to use the 262 parsing rules which state that in the event of
duplicate elements it uses the last one rather than throwing an error as
being an invalid structure.  To my mind this is a big security hole, but I
could never convince them that it needed to be closed.

Jim

http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf

Received on Sunday, 23 February 2014 21:34:34 UTC
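As an added illustration of the step Jim asks about (a "parse a JWK" that treats a repeated member name as an error instead of keeping the lexically last one), here is example JavaScript. It is not code from the thread, from JOSE, or from any WebCrypto implementation; the `parseJsonStrict` and `lenientKeyValue` names and the sample JWK text are constructed for this example.

```javascript
// Added example (not from the thread): a small recursive-descent JSON parser
// that rejects duplicate member names, contrasted with JSON.parse, which per
// ECMAScript 5.1 section 15.12 keeps the lexically last duplicate.
// All names and sample data here are constructed for illustration.

function parseJsonStrict(text) {
  let i = 0;
  const err = (msg) => { throw new SyntaxError(`${msg} at offset ${i}`); };
  const ws = () => { while (i < text.length && ' \t\n\r'.includes(text[i])) i++; };
  const expect = (ch) => { if (text[i] !== ch) err(`expected '${ch}'`); i++; };

  function literal(word, val) {
    if (!text.startsWith(word, i)) err('bad literal');
    i += word.length;
    return val;
  }
  function number() {
    const m = /^-?(0|[1-9]\d*)(\.\d+)?([eE][+-]?\d+)?/.exec(text.slice(i));
    if (!m) err('bad value');
    i += m[0].length;
    return Number(m[0]);
  }
  function string() {
    expect('"');
    let out = '';
    const simple = { '"': '"', '\\': '\\', '/': '/', b: '\b', f: '\f', n: '\n', r: '\r', t: '\t' };
    while (i < text.length && text[i] !== '"') {
      const c = text[i++];
      if (c === '\\') {
        const e = text[i++];
        if (e === 'u') {
          const hex = text.slice(i, i + 4);
          if (!/^[0-9a-fA-F]{4}$/.test(hex)) err('bad \\u escape');
          out += String.fromCharCode(parseInt(hex, 16));
          i += 4;
        } else if (Object.prototype.hasOwnProperty.call(simple, e)) {
          out += simple[e];
        } else {
          err('bad escape');
        }
      } else if (c < ' ') {
        err('control character in string');
      } else {
        out += c;
      }
    }
    expect('"');
    return out;
  }
  function array() {
    expect('[');
    const out = [];
    ws();
    if (text[i] === ']') { i++; return out; }
    for (;;) {
      out.push(value());
      ws();
      if (text[i] === ',') { i++; continue; }
      expect(']');
      return out;
    }
  }
  function object() {
    expect('{');
    const out = Object.create(null); // no prototype, so "__proto__" is just a key
    const seen = new Set();
    ws();
    if (text[i] === '}') { i++; return out; }
    for (;;) {
      ws();
      const key = string();
      // The check under discussion: a repeated name is an error, not "last wins".
      if (seen.has(key)) err(`duplicate member name "${key}"`);
      seen.add(key);
      ws();
      expect(':');
      out[key] = value();
      ws();
      if (text[i] === ',') { i++; continue; }
      expect('}');
      return out;
    }
  }
  function value() {
    ws();
    switch (text[i]) {
      case '{': return object();
      case '[': return array();
      case '"': return string();
      case 't': return literal('true', true);
      case 'f': return literal('false', false);
      case 'n': return literal('null', null);
      default: return number();
    }
  }
  const result = value();
  ws();
  if (i !== text.length) err('trailing characters');
  return result;
}

// Constructed sample: a symmetric JWK whose "k" member appears twice.
const DUPLICATE_JWK = '{"kty":"oct","k":"AAAA","k":"BBBB"}';

// Lenient behaviour: JSON.parse silently keeps the last "k".
function lenientKeyValue(text) {
  return JSON.parse(text).k;
}

console.log('JSON.parse keeps k =', lenientKeyValue(DUPLICATE_JWK));
try {
  parseJsonStrict(DUPLICATE_JWK);
} catch (e) {
  console.log('strict parser:', e.message);
}
```

The strict parser is the only place the duplicate can be caught: by the time a `JSON.parse` reviver runs, the earlier "k" has already been discarded, so a WebCrypto implementation that wants to "terminate this algorithm with an error" needs its parser to report the duplicate during parsing.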