- From: Mike Jones <Michael.Jones@microsoft.com>
- Date: Fri, 21 Feb 2014 21:02:05 +0000
- To: Jim Schaad <ietf@augustcellars.com>, 'Mark Watson' <watsonm@netflix.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
- Message-ID: <4E1F6AAD24975D4BA5B16804296739438B1B2F64@TK5EX14MBXC288.redmond.corp.microsoft.>
Actually, JOSE's stance is more nuanced than that, as implementations are allowed to reject input with duplicate keys. The language used is: The Header Parameter names within the JWS Header MUST be unique; recipients MUST either reject JWSs with duplicate Header Parameter names or use a JSON parser that returns only the lexically last duplicate member name, as specified in Section 15.12 (The JSON Object) of ECMAScript 5.1 I encourage WebCrypto to likewise allow implementations to reject input with duplicate member names in all cases. -- Mike From: Jim Schaad [mailto:ietf@augustcellars.com] Sent: Thursday, February 20, 2014 5:55 PM To: 'Mark Watson'; public-webcrypto@w3.org Subject: Bug 20611 - specify JWK encoding as UTF-8 I have no problems with this text. There is an interesting question if one wishes to stay with the ECMA 262 reference or change to the ECMS 404 document as the reference to be used for JSON grammar. The major difference being that there are a set of parsing rules in 262 while 404 is strictly what the string looks like. I am totally agnostic about making this change. JOSE decided that it was going to use the 262 parsing rules which state that in the event of duplicate elements it uses the last one rather than throwing an error as being an invalid structure. To my mind this is a big security hole, but I could never convince them that it needed to be closed. Jim http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf
Received on Friday, 21 February 2014 21:03:19 UTC