RE: Bug 20611 - specify JWK encoding as UTF-8 from Mike Jones on 2014-02-23 (public-webcrypto@w3.org from February 2014)

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Sun, 23 Feb 2014 23:41:34 +0000
To: Jim Schaad <ietf@augustcellars.com>, 'Mark Watson' <watsonm@netflix.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <4E1F6AAD24975D4BA5B16804296739438B1BA582@TK5EX14MBXC288.redmond.corp.microsoft.>

I believe that step three currently reads:
Let result be the result of translating json into an internal object using the grammar specified in Section 15.12 of ECMA 262.

I would add this sentence to the end of step three:
Implementations MAY reject any input that contains duplicate member names.

Then it's in sync with JOSE, in which producers can't produce values with duplicate member names and count on them being accepted, but consumers can use unmodified standard parsers, including those with ECMA 262 duplicate member name handling.

                                                            -- Mike

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Sunday, February 23, 2014 1:32 PM
To: Mike Jones; 'Mark Watson'; public-webcrypto@w3.org
Subject: RE: Bug 20611 - specify JWK encoding as UTF-8



From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Friday, February 21, 2014 1:02 PM
To: Jim Schaad; 'Mark Watson'; public-webcrypto@w3.org<mailto:public-webcrypto@w3.org>
Subject: RE: Bug 20611 - specify JWK encoding as UTF-8

Actually, JOSE's stance is more nuanced than that, as implementations are allowed to reject input with duplicate keys.  The language used is:

The Header Parameter names within the JWS Header MUST be unique; recipients MUST either reject JWSs with duplicate Header Parameter names or use a JSON parser that returns only the lexically last duplicate member name, as specified in Section 15.12 (The JSON Object) of ECMAScript 5.1

I encourage WebCrypto to likewise allow implementations to reject input with duplicate member names in all cases.

[JLS] I want to be clear - are you proposing that step 3 of "parse a JWK" be modified to include "If duplicate member names are found during parsing, terminate this algorithm with an error."

                                                                -- Mike

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Thursday, February 20, 2014 5:55 PM
To: 'Mark Watson'; public-webcrypto@w3.org<mailto:public-webcrypto@w3.org>
Subject: Bug 20611 - specify JWK encoding as UTF-8


I have no problems with this text.



There is an interesting question if one wishes to stay with the ECMA 262 reference or change to the ECMS 404 document as the reference to be used for JSON grammar.



The major difference being that there are a set of parsing rules in 262 while 404 is strictly what the string looks like.



I am totally agnostic about making this change.   JOSE decided that it was going to use the 262 parsing rules which state that in the event of duplicate elements it uses the last one rather than throwing an error as being an invalid structure.  To my mind this is a big security hole, but I could never convince them that it needed to be closed.



Jim







http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf

Received on Sunday, 23 February 2014 23:42:36 UTC