JWS signature validation vs. verification

Issue #666 resolved
Vladimir Dzhuvinov created an issue

I noticed inconsistent use of JWS "signature validation" and "signature verification".

My understanding has been that "validation" is the correct term to use here. http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-05 also uses "validation".

I found the following sections with the term "signature verification":

  • Messages 5.1.2. Signed Request Object.
  • Messages 5.1.1. Encrypted Request Object.
  • Messages 5.2. ID Token Verification
  • Standard 5.5. Self-Issued Identity ID Token Verification, point 3.

Comments (6)

  1. Vladimir Dzhuvinov reporter

    An RFC that may be of help: Internet Security Glossary, Version 2 (RFC 4949):

    http://tools.ietf.org/html/rfc4949

    $ validate vs. verify

    """ The word "valid" derives from a Latin word that means "strong". Thus, to validate means to check that a construct is sound. For example, a certificate user validates a public-key certificate to establish trust in the binding that the certificate asserts between an identity and a key. This can include checking various aspects of the certificate's construction, such as verifying the digital signature on the certificate by performing calculations, verifying that the current time is within the certificate's validity period, and validating a certification path involving additional certificates.

    The word "verify" derives from a Latin word that means "true". Thus, to verify means to check the truth of an assertion by examining evidence or performing tests. For example, to verify an identity, an authentication process examines identification information that is presented or generated. To validate a certificate, a certificate user verifies the digital signature on the certificate by performing calculations, verifies that the current time is within the certificate's validity period, and may need to validate a certification path involving additional certificates.

    """

  2. Nat Sakimura

    RFC4949 guideline, though informational so non-normative, is as follows:

     $ validate vs. verify
      Usage: To ensure consistency and align with ordinary English
      usage, IDOCs SHOULD comply with the following two rules:
      -  Rule 1: Use "validate" when referring to a process intended to
         establish the soundness or correctness of a construct (e.g.,
         "certificate validation"). (See: validate.)
      -  Rule 2: Use "verify" when referring to a process intended to
         test or prove the truth or accuracy of a fact or value (e.g.,
         "authenticate"). (See: verify.)
    

    In contrast, the Oxford English Dictionary (OED) definitions are:

    verification, n.

    1. The action of demonstrating or proving to be true or legitimate by means of evidence or testimony; formal assertion of truth. Now rare.
    2. Demonstration of truth or correctness by facts or circumstances.
    3. a. The action of establishing or testing the truth or correctness of a fact, theory, statement, etc., by means of special investigation or comparison of data. b. The action of verifying or testing the accuracy of an instrument, or the quality of goods. Also attrib.

    validation, n.

    a. The action of validating or making valid.

    validate, v.

    To render or declare legally valid; to confirm the validity of (an act, contract, deed, etc.); to legalize.

    Validation is declarative. You can actually declare something valid if you have an authority on it.

    In the specification context, the authority comes from the act of verifying conformance to certain requirements: typically, a series of verifications.

    In the specification context, it is probably wise to define these words. i.e.,

    validation: process intended to establish the soundness or correctness of a construct

    verification: process intended to test or prove the truth or accuracy of a fact or value

  3. Nat Sakimura
    • changed status to open

    Add the verification and validation definition to Messages as follows:

    validation: process intended to establish the soundness or correctness of a construct

    verification: process intended to test or prove the truth or accuracy of a fact or value
