Re: [Ace] Secdir last call review of draft-ietf-ace-cwt-proof-of-possession-08

Mike Jones <> Wed, 16 October 2019 20:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0FA9A120122; Wed, 16 Oct 2019 13:21:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ht6VAtQPmpT3; Wed, 16 Oct 2019 13:21:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 163DC12008B; Wed, 16 Oct 2019 13:21:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=N/63RD9PCAwqUYdVNOptetaKpdwbuoxjGw/6W/JR6qsOFZboIo/++FcBIZXCZo4BmcTU5GgcIoysPdUUJjSE4ZWWeaU4kNfWDShgtXm1wNRicnGxLJaR8rTUGhP+QBDog9G+xV+UT5JL2NxGbaM44G6niW9a9053el9vQ4p0YNOqIeijhhE2pjL+IYTrtWHBHRKlOeloGnrQE4HsnxDGvEOMJgChuNY5nUSJmqOwqtalG9/VQZZ9Y1smJrt0LQz929QGxuwifPsT4HGfLviWCftM5r1xU5bRRodXkLoKmz4Q9YjIvV6ZLJ5qG3JHkafq+jIcAe6rt1T8AzJ0EuuN+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Fl1M/dG6eRogy5EUVDGHn2fro4NROIpc0VTWJ426QOg=; b=B8IjtI00GlyxxRpjI546sNVW2tjXw8UsWjWA0nXAB+H1B4T2gg5IpNNzyLs04rcfG4+4MInfJb+XnhDh+OM2rejjZZVkSL1NqGTzM6lml7SreuFySB4iNoRF/tFh/E/9UPVoSQDjduPW01vy1NUMJ3tWSDW7oYdlz2DSZylZfO6I67TcZGzJ9HVszJ3HNPFqn11FmTIM+reqaVHII7ogRo43m54+oIRROa+yQcpvGI/QXbZSklVgpwH60TEoUi51QQlXRT72rzhJDCli6c1g0Ob7YixuY3EYn1dA88yoUUJlshMoFUsc5CaT2l8raIkRKZxeysjhSi2vPnU+N5MCkQ==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Fl1M/dG6eRogy5EUVDGHn2fro4NROIpc0VTWJ426QOg=; b=gs8Sks0KFMfcD4OQeUsbuA9S1WdeEvU/u3kBnyovKeURIriFv/ccXnCuvtBtlMnZJ7uQ90PtfwJWhW6unv2nmlLiCYzc+w/eVEag9wbbiAYIJAqptQeN+QRpOp0oegMPY0PBLxitUI+lFXDaf5x295Y65s0lylvi+skcPUL6hVI=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2403.0; Wed, 16 Oct 2019 20:21:03 +0000
Received: from ([fe80::9196:77fa:83c0:9418]) by ([fe80::9196:77fa:83c0:9418%7]) with mapi id 15.20.2405.000; Wed, 16 Oct 2019 20:21:03 +0000
From: Mike Jones <>
To: Yoav Nir <>, "" <>
CC: "" <>, "" <>, "" <>
Thread-Topic: Secdir last call review of draft-ietf-ace-cwt-proof-of-possession-08
Thread-Index: AQHVfHcUHTxGfXrAZEKn6Qqm5R9W5adduhGQ
Date: Wed, 16 Oct 2019 20:21:03 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=5f10aac0-f5c3-403a-912c-000003962139; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-10-16T19:40:01Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is );
x-originating-ip: [2001:4898:80e8:f:98d9:5a0a:3425:3ebe]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7276c913-113a-4919-4045-08d752765e02
x-ms-office365-filtering-ht: Tenant
x-ms-traffictypediagnostic: DM6PR00MB0459:
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0192E812EC
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(136003)(396003)(376002)(366004)(346002)(39860400002)(189003)(199004)(13464003)(2501003)(14444005)(52536014)(76116006)(66574012)(54896002)(8990500004)(66946007)(66476007)(66556008)(64756008)(66446008)(4326008)(10090500001)(9686003)(71190400001)(6436002)(71200400001)(55016002)(6306002)(256004)(316002)(10290500003)(2906002)(33656002)(486006)(7736002)(186003)(478600001)(99286004)(110136005)(46003)(81166006)(76176011)(446003)(6506007)(74316002)(54906003)(53546011)(81156014)(790700001)(7696005)(25786009)(6246003)(8936002)(476003)(22452003)(6116002)(14454004)(102836004)(8676002)(229853002)(5660300002)(11346002)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR00MB0459;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ULlkuBz3t+fk0O9QfDrTA/BblOv+A3zrvDDn22nRo5k/XpKuLh0lY7aj7DTjCi2aQo22hsCrSCiR0bk3HQvx5z79JT0v5Av48P/5sTwcfUizdYFTQMuhqoUiOB9TrdNOI+mjEvphMLSXoBCHgD+0fkD8kUxdW4jzLm4QHKtOC91FCkk0kNrBBJvcuXs9m6qfayP96AbypIIfdAppXj3wHz1i6TUREuNyZgMuh0Hkvnaq5r8Px9vg3Nvm3RaWjLj03OUV94rj5OxqsUgo5uUUoK4NCX/NXnBJFgtaNOnP93k0SfSPpxqNH2FCP8fqoWITzgmMPG6pMjZBJWkmJI3qaj+sZbRozFYNGkiUmeKdMOgSOZ/34mOzVPSwjN4gRvNnGknP4JnIm0XPaISvjEO/tYKRDZTuiy01hzeOESJ/uEQ=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR00MB05695230578007608306AFBCF5920DM6PR00MB0569namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7276c913-113a-4919-4045-08d752765e02
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Oct 2019 20:21:03.2119 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZpkapY9CfMi2RapJOpZZ71eRrxCrQu/yES9IutBz6cSZEnixdlqvqZVAPXGI0jGx/lFjnTFaA2P6GXGp5aJWLA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0459
Archived-At: <>
Subject: Re: [Ace] Secdir last call review of draft-ietf-ace-cwt-proof-of-possession-08
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Oct 2019 20:21:08 -0000

Thanks a lot for your review, Yoav.  Replies are inline, prefixed by “Mike>”…

-----Original Message-----
From: Yoav Nir via Datatracker <>;
Sent: Sunday, October 6, 2019 11:52 AM
Subject: Secdir last call review of draft-ietf-ace-cwt-proof-of-possession-08

Reviewer: Yoav Nir

Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.

Document editors and WG chairs should treat these comments just like any other last call comments.

I think the document shows that security aspects have been considered and handled well. However, the document has issues with clarity and readability:

For starters, the Abstract and Introduction are nearly identical. The Introduction could instead be used to explain the domain, who the "players" are and what they are trying to accomplish. Instead, section 2 introduces the terms Issuer, Presenter and Recipient with definitions that sound like the CA, the End Entity and the Relying Party from PKI, with a little OAuth terminology mixed in. There is no explanation about who this issuer is, and what the trust model is.

Mike> This document structure is intentionally parallel to RFC 7800.  In particular, the Terminology section is there specifically to introduce the players.  Yes, editorially, this could have been done in the Introduction, but this is the style typically used by OAuth, JOSE, COSE, and ACE specifications.  I’m reluctant to deviate from it in this particular specification unless there’s a compelling reason to do so.

Mike> Who the issuer is is discussed in the last paragraph of Section 3.  The trust model is described in the last paragraph of Section 4 (Security Considerations).

Mike> Therefore, unless there is a specific change that you want to suggest, I propose to leave the Introduction and Terminology sections as is.

The Security Considerations section also has some problems.  Quoting the second


   Applications utilizing proof of possession SHOULD also utilize

   audience restriction, as described in Section 3.1.3 of [CWT], as it

   provides additional protections.  Audience restriction can be used by

   recipients to reject messages intended for different recipients.

Why? Why is the aud claim needed with a cnf claim (but not in other cases)?

Neither this document nor RFC 8392 provides insight as to when aud is appropriate. That they allow recipients to reject messages not intended for them does not sound like a security feature.

Mike> Having an audience in a token is a security feature, as it prevents a legitimate token intended for one recipient from being replayed to gain access at a different recipient.  You’re right that this is useful/required in many situations even when “cnf” isn’t being used.  However, reviewers of drafts of what became RFC 7800 wanted this text added to remind people that audience restriction is often useful even when you have proof of possession, as it defends against different threats.

Mike> To make this clearer, I propose to add this parenthetical remark at the end of this paragraph: “(Of course, applications not using proof of possession can also benefit from using audience restriction to reject messages intended for different recipients.)”  If you’d prefer different wording, please let me know what it is.

Paragraph 3 says: "A recipient might not understand the "cnf" claim."   This

re-affirms that we need an explanation of who the parties to this protocol are.

We generally don't send messages to recipients that don't understand them. Is this a closed system with known entities, or is this a protocol where the parties contact random other parties on the Internet?

Mike> Per my response to the Genart review, we’re already proposing to delete this paragraph, as it’s not actionable.  Note that the requirement to ignore not-understood claims comes from Section 3 of RFC 8392 (which also was inherited from RFC 7519), and so is not unique to this specification.

Mike> The exact parties to the protocol are dependent upon the application, as discussed in the last paragraph of Section 4.  This specification is defining PoP key representations.  It’s intentionally leaving the messages conveying CWTs with “cnf” claims up to the applications using them.  Again, this is intentionally exactly parallel to RFC 7800.

I'd also lose some of the Introduction to Crypto in the second-to-last paragraph.

Mike> I agree that this is overly pedantic.  I propose to delete the parenthetical “e.g.” clause at the end, which will make it once again exactly parallel to the corresponding text in RFC 7800.  Let me know if you’d a specific further change to this paragraph.


                                                                -- Mike