Re: [Ace] AD review of draft-ietf-ace-cwt-proof-of-possession-06

Ludwig Seitz <> Mon, 26 August 2019 06:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1EDB61200A4; Sun, 25 Aug 2019 23:40:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FOLs_MfYAgcF; Sun, 25 Aug 2019 23:40:00 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A2A661200D7; Sun, 25 Aug 2019 23:39:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=lYVKgEslSbUP/B1Y2wqkrfz/6fIs1R30RSY2J8z6OsGAgIlGvSNQdqCS0bDO+gMUMB0Hr2pu1iDKkdWjaDCJ/ZrRUmfWe1L4XwZRv+b7aFaLVhtKOJKmtYh53UWohvb4QxJSWnHrtOZriUFADf3Uud6/ENCfzzhKtlbTy3CuuNwcpauMOr2+8cbmmpeoCCfJiwvt9soLf4yryW+iTUmjNmT8HRTKPF6aq6yEaxGuEWZ4N42M3kxoLdmsyDOnAP61x5HDIyPWZeuHU5LmM26tRq2L6LF1mHnXwQVIsZWE1Q5NOzWOyQZ9tO55+EgroT/PWd1rGx7q2gm4PCJnW/d3qw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i5nNWjgDpf+mKEq0nzgfkKuRQNnteSpHLRDe/rWnn7A=; b=SUUr6ZWMNpe87IScVzUNb+F/QFBGDbOHoXNuJetWmB08gFQlZ5PnMci5GFCYgonKox+US0LhfSLt3b0Rr5ozjBQx3STu3bD4LVdWPrX2z/IMFZvDHtuT114FMCuOyv9OLGCWf7rSFt2t19b8L9s2wvkcSoPxe+u61rfmJR00VQBfd1oPawmSyNg3jqzgz5+UMjNLq4vfvZQuJ7lrRwD2jxV7xcqW/NY/Z219PXa4clgSFfEdfuSD1V/XEZPy/koETN1PYLXM4UyZBNxQljZOd45E6vUXdZEsCxBA8RG41c5ri10pZ7floa7cjhfOxq4frqFBiIfRqxVo3hIYh8Dfsw==
ARC-Authentication-Results: i=1; 1; spf=pass (sender ip is; dmarc=pass (p=none sp=none pct=100) action=none; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2-RISEcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i5nNWjgDpf+mKEq0nzgfkKuRQNnteSpHLRDe/rWnn7A=; b=ewDwxHxKEHO0LzDALbtSqcPF8/5sf5crxFHW4KfvYrVSOE7pqnhKQLtEOUmQltiPi63EzkT4CT5VApPVZ7k2T77UxT7aTblcjn1wxAbYdeNwthf4F7hroxiDTpTHscJ+kGQZBPXM+vCRRTedFfmd6SNQBfzTQQr5uBpNYEf+D14=
Received: from HE1P189CA0014.EURP189.PROD.OUTLOOK.COM (2603:10a6:7:53::27) by AM5P18901MB0209.EURP189.PROD.OUTLOOK.COM (2603:10a6:203:6f::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2199.21; Mon, 26 Aug 2019 06:39:56 +0000
Received: from (2a01:111:f400:7e1e::209) by (2603:10a6:7:53::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2199.14 via Frontend Transport; Mon, 26 Aug 2019 06:39:55 +0000
Authentication-Results: spf=pass (sender IP is;; dkim=none (message not signed) header.d=none;; dmarc=pass action=none;
Received-SPF: Pass ( domain of designates as permitted sender); client-ip=;;
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.20.2199.13 via Frontend Transport; Mon, 26 Aug 2019 06:39:55 +0000
Received: from [] ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Mon, 26 Aug 2019 08:39:55 +0200
To: Benjamin Kaduk <>
CC: <>, <>
References: <> <> <>
From: Ludwig Seitz <>
Message-ID: <>
Date: Mon, 26 Aug 2019 08:39:54 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms060608030101070009020000"
X-Originating-IP: []
X-ClientProxiedBy: ( To (
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:; IPV:NLI; CTRY:SE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(136003)(346002)(376002)(396003)(39850400004)(2980300002)(189003)(199004)(58126008)(16586007)(2906002)(81156014)(81166006)(40036005)(66574012)(54906003)(6306002)(229853002)(7736002)(36756003)(16576012)(22746008)(106002)(5660300002)(235185007)(31696002)(356004)(305945005)(26005)(16526019)(186003)(70586007)(22756006)(76176011)(53546011)(386003)(11346002)(5024004)(476003)(2616005)(44832011)(486006)(33964004)(65806001)(65956001)(14444005)(126002)(446003)(6116002)(2171002)(6246003)(966005)(336012)(70206006)(31686004)(3846002)(86362001)(6916009)(568964002)(4326008)(8676002)(8936002)(478600001)(71190400001)(53936002)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM5P18901MB0209;; FPR:; SPF:Pass; LANG:en; PTR:InfoDomainNonexistent; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 9cf06a50-5e6c-469f-225a-08d729f0353d
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(4709080)(1401327)(2017052603328)(7193020); SRVR:AM5P18901MB0209;
X-MS-TrafficTypeDiagnostic: AM5P18901MB0209:
X-Microsoft-Antispam-PRVS: <AM5P18901MB0209614A2AD3E7C8A4591F3482A10@AM5P18901MB0209.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 01415BB535
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: xVNlCBdHO4wX1OUofNy2BfGJNnwQIsk264kZvIBSO9O8RmVaBslldXqo6cHBrXxbtm1QtcPrSDd1tXqqRwePQ7SDyAY3VgX2+FgCFaNnnJN+lzWHF2jxWX6QuPPEm0PvT8QG0bOPLjW/tw36fbEf7mYtGiTwD9z343zCzkzRZOnZhtX+JfNNuMAFbeZ3rntc1reEdXVV/ar7EgZ3lkCoswQl+yvzmei8Gwej+APcdWF0qsRx1/IUJzbqCk1YInftVekg05nneFnR+lz2LZFWkBxi+H7dO9qqasigv/jSP9gNQcjZS106QiWU9IF/IAb4AQASaAwGBPfpXfckUgFS05gzwguD2ryn4XqTzw90rOEbFG71Gmvh8NCAZDWeHTOxrN2LQPDsL3Uf0EofWAtmXo4HqChxZJsx+nHhI6RwbUY=
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Aug 2019 06:39:55.7412 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 9cf06a50-5e6c-469f-225a-08d729f0353d
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5a9809cf-0bcb-413a-838a-09ecc40cc9e8; Ip=[]; Helo=[]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5P18901MB0209
Archived-At: <>
Subject: Re: [Ace] AD review of draft-ietf-ace-cwt-proof-of-possession-06
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Aug 2019 06:40:04 -0000

Hi Ben,

fixed more of your comments here: 
(waiting for Mike to double-check and merge them).

As for those that are still open, comments are inline.


On 13/08/2019 01:15, Benjamin Kaduk wrote:

>>>      The "COSE_Key" member MAY also be used for a COSE_Key representing a
>>>      symmetric key, provided that the CWT is encrypted so that the key is
>>>      not revealed to unintended parties.  The means of encrypting a CWT is
>>>      explained in [RFC8392].  If the CWT is not encrypted, the symmetric
>>>      key MUST be encrypted as described in Section 3.3.
>>> It's hard for me to escape the conclusion that this paragraph needs to
>>> be a dedicated section with a bit more discussion about how exactly this
>>> usage is performed and encoded.
>> This mirrors the corresponding procedure in RFC 7800. Would it be OK to
>> just refer to that document
>> ( or actually 3.3)?
> (Section 3.2, it seems -- JWT and CWT cover aysmmetric and symmetric in
> the opposite order.)
> Well, I still wouldn't like it.  But I don't think I have grounds to block
> the document from advancing if you just refer back to JWT.

Göran and I have discussed this, and we agree that it is indeed 
underspecified (e.g. which key is used to encrypt this "inner" 
COSE_Encrypt0 contained in the cnf element?). Additionally I can 
personally confirm that this is a headache to implement (and I haven't 
even touched a constrained implementation).

We see two alternatives here:

1.) Remove the possibility to have a separate encrypted cnf element. 
Instead mandate that the whole CWT should be encrypted if it contains a 
secret key.

+ make spec easier (to implement) and doesn't requires a long 
specification on how to handle this case

- breaks direct equivalence with RFC 7800

2.) Add some dedicated section that explains how the key for this inner 
encrypted cnf element is selected and communicated to the RS.

+ The draft remains functionally equivalent to RFC 7800

- Increased draft complexity at questionable gain
- Possible implementer headaches, especially on constrained devices

There is an issue about this here:

>>>      The following example CWT Claims Set of a CWT (using CBOR diagnostic
>>>      notation, with linebreaks for readability) illustrates the use of an
>>>      encrypted symmetric key as the "Encrypted_COSE_Key" member value:
>>>     {
>>>      /iss/ 1 : "coaps://",
>>>      /sub/ 2 : "24400320",
>>>      /aud/ 3: "s6BhdRkqt3",
>>>      /exp/ 4 : 1311281970,
>>>      /iat/ 5 : 1311280970,
>>>      /cnf/ 8 : {
>>>      /COSE_Encrypt0/ 2 : [
>>> Should this be "/Encrypted_COSE_Key/" and not "/COSE_Enrypt0/"?
>>> [I did not validate the COSE_Encrypt0 output]
>> COSE_Encrypt0 is a defined construct of COSE, while Encrypted_COSE_Key
>> is not. We'd have to define it or write an explanatory comment.
> Maybe I'm confused about how the diagnostic notation works, but the
> top-level CWT map key name ("claim") is "Encrypted_COSE_Key", as matches
> iss/sub/aud/etc. in the preceding notation.  If the rules are different for
> map keys whose corresponding values are themselves structured data types,
> then I should just unconfuse myself and we can move on with things...

Issue created here
Will fix.

>>>      o  A recipient can decide not to use a CWT based on a created Key ID
>>>         if it does not fit the recipient's requirements.
>>> I'm not sure I understand the semantics being described here.  Are we
>>> saying that the issuer might give a presenter a CWT, and by the time the
>>> presenter presents the CWT to the recipient, the recipient says "this is
>>> no good" and denies the transaction in question, forcing the presenter
>>> to go back to the issuer and try again?  (How do we know that the issuer
>>> would make any different choices the second time around?)
>> This risk always exists. In a constrained device world, the recipient
>> may already have cleared out the key referenced by the key ID, which
>> would force it to reject a CWT using this as proof-of-possession.
>> I'm not sure how to give good guidance in this case. The error message
>> delivered by the recipient rejecting the CWT might be helpful I suppose.
>> Do you think this merits some text?
> It's not entirely clear to me that we need to add more text here, but if we
> did, it would focus on what "decide not to use" means at a protocol level,
> and perhaps how the CWT might not "fit the recipient's requirements" (e.g.,
> the key id having fallen out of cache as you describe).

Issue created here:
Will fix.

>>>      from changing any elements conveyed within the CWT payload.  Special
>>>      care has to be applied when carrying symmetric keys inside the CWT
>>>      since those not only require integrity protection but also
>>>      confidentiality protection.
>>> Do we want to reiterate the common mechanisms for providing
>>> confidentiality protection here, or just leave the existing text earlier
>>> in the document to cover it?
>> Doesn't it say a few sentences before: "it is
>>      necessary to apply data origin authentication and integrity
>>      protection (via a keyed message digest or a digital signature)." ?
>> I would consider this to be enough.
> That doesn't cover the *confidentiality* protection, specifically.  (So it
> seems the answer to my original question is still unclear, at least to me.)

Issue created here:
Will fix.

>>> Section 6
>>>      ensure correct processing.  The recipient needs to be able to use
>>>      credentials to verify the authenticity, integrity, and potentially
>>>      the confidentiality of the CWT and its content.  This requires the
>>> Just from a rhetorical point of view, can you help me understand how
>>> credentials would be used to verify the confidentiality of a CWT?  It
>>> seems like this depends on either (or both of) how the CWT is
>>> transmitted or how it is prepared, and I am not sure how the recipient's
>>> credentials come into play.
>> This text is referring to the issuer's credentials (e.g. the
>> Authorization Server issuing the CWT), that the recipient needs to
>> verify the CWT. Do you want us to clarify this sentence?
> Note that I was specifically asking about "potentially the
> confidentiality"; I don't understand the intended workflow for verification
> of confidentiality (and thus which credentials are involved).  I don't
> really see how a credential held solely by the issuer could proide
> confidentiality protection when it needs to be understood by some other
> protocol participant.

Issue created here:
Will fix.

>>> Section 7
>>>      Criteria that should be applied by the Designated Experts include
>>>      determining whether the proposed registration duplicates existing
>>>      functionality, determining whether it is likely to be of general
>>>      applicability or whether it is useful only for a single application,
>>>      and evaluating the security properties of the item being registered
>>>      and whether the registration makes sense.
>>> I know we've been using (variations of) this text for a while, but it
>>> seems to me that it could be more clear than it currently is -- is
>>> duplication of functionality grounds for denial of registration?  What
>>> about general vs. specific applicability?  The latter seems more clearly
>>> applicable for determining which range from which to allocate, since
>>> that has impact on the encoding size.  Can the experts insist on updates
>>> to the security considerations text of a specification prior to granting
>>> approval, or are they limited to denying registration of values with
>>> poor security properties or insufficient documentation thereof?
>> I'm too unfamiliar with the designated expert system to provide a good
>> answer on this one. Can one of my co-authors chip in here?
Issue created here:
Will fix.

Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51