IETF Logo Mail Archive

Re: [Acme] Specify which JWS serialization is used

Logan Widick <logan.widick@gmail.com> Thu, 04 January 2018 15:21 UTC

Return-Path: <logan.widick@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34C47126B72 for <acme@ietfa.amsl.com>; Thu, 4 Jan 2018 07:21:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFSI1H3ruPYL for <acme@ietfa.amsl.com>; Thu, 4 Jan 2018 07:21:54 -0800 (PST)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D6381267BB for <acme@ietf.org>; Thu, 4 Jan 2018 07:21:54 -0800 (PST)
Received: by mail-it0-x22b.google.com with SMTP id d137so2744770itc.2 for <acme@ietf.org>; Thu, 04 Jan 2018 07:21:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dPeipDs4ADkym0evyImAOPL8JBsXz2g/lca3snY8OYM=; b=TeeLyQLEq8gdhnZatTg2HG9UNrAAgxUZcCVtVDUjUPqHW0r1jDryJG4TSrgaR+IwEf vuKHmkgHKtkUoqtroRNgu5g6ff2e3HiZNDF6nkLS/qdyV+7WHlhiucuL8Ybw8yoqfRDT afQQ8SJJP395hODa2JRhVA/LZMc7OJyLIerjUm8O21CUKeuZmRdSjWS8tdnyzs1cmU+S Y3qUbb0KoWyOFHYLCJbICb+ZRI02HJ9VOsWWIFcFHuB6mr7jLnJup2Kl3HBpLzDDjD3K mHOOP7Eq4fSBXkVbh4xvr71rjPWiwaJ+iAQ5NCBjLRl9t8BPp6xE2gCs1SmBpgiWC1W4 tQ4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dPeipDs4ADkym0evyImAOPL8JBsXz2g/lca3snY8OYM=; b=JdQTzFHvaOMQY09GsoIHr9AfGKvILW2UbqJSp7J3pStRffCBeDtRPYGxZazH4jwQu/ Vrxyv0mX2U3C0oxLzv8zywtJfb2MgZ3q74AmiADishEPy2xuWHlZovc3+i9vyIFtYEYn 9ediK3PbErUXKXapEqB98mYr+5b3PlVURpz3nX0Ft66m47hdRWj8HfsFP6mk5CM98PNc EcsB1IHOffUDEFTOHaH4Dzpu3cD5buYbT0ne28t0f6dGjwUHH6EHXqQt3lV43sVeqfak 4Q65LkUx2IAJFFT4AsjcQyOKkZJnmr4AwdksQlCBQtjcTzNlwhH/07U3sSryQXkkWnEs gz5Q==
X-Gm-Message-State: AKGB3mKJrKB/c58YH0I32L59CDKvrGXgvIMhEfaICfvUaAk0paHSC4kD gwLWhibKKuNJY0UtQL75q775C1FHUamoYGTxywU=
X-Google-Smtp-Source: ACJfBotAZR2OFG07E1mfPFbEXP6noRfAvpEWcAR+q8fFkyrdiQaMtsjZcxGQjrUp2IRH8XYA6t8ldGG+FQM/+wQUMq8=
X-Received: by 10.36.214.132 with SMTP id o126mr6027307itg.80.1515079313070; Thu, 04 Jan 2018 07:21:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.152.59 with HTTP; Thu, 4 Jan 2018 07:21:52 -0800 (PST)
Received: by 10.2.152.59 with HTTP; Thu, 4 Jan 2018 07:21:52 -0800 (PST)
In-Reply-To: <f430f156-3dca-eca2-2398-956c2fd29bc6@gmail.com>
References: <20180103230734.GM21695@carrot.tutnicht.de> <20180103234718.GA1340@bacardi.hollandpark.frase.id.au> <CAMmAzEKj33xOVhUK+i2UrHpvTBj=hz89DRyaFvTqAig4f66K-Q@mail.gmail.com> <CAMmAzEKSv1pbKC80JLpRQxTrGApc7KVu6A7cqDp-Tmrcq4vvLg@mail.gmail.com> <20180104110204.GP21695@carrot.tutnicht.de> <CAMmAzEKJhMaUBtCWSNZyGv-f+-edZ-WTq3=WFD_b1bXfvua89A@mail.gmail.com> <f430f156-3dca-eca2-2398-956c2fd29bc6@gmail.com>
From: Logan Widick <logan.widick@gmail.com>
Date: Thu, 04 Jan 2018 09:21:52 -0600
Message-ID: <CAMmAzE+JRdjyS7NMaMjexC2XmFf3xjm9N+5ogLP9zQjs_BGkzw@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Jörn Heissler <acme-specs@joern.heissler.de>, Fraser Tweedale <frase@frase.id.au>, ACME WG <acme@ietf.org>
Content-Type: multipart/alternative; boundary="001a1145e2be431f620561f4e4cf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/XySg4Is2UrAx3GkgCLxgVnAYB20>
Subject: Re: [Acme] Specify which JWS serialization is used
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2018 15:21:57 -0000

To the best of my knowledge, the ACME signature solution was not fully
addressed years ago.

As far as I know, the only requirements for signatures discussed and
explicitly specified in the text of the ACME draft are:
Use JWS signatures (not JCS signatures) over HTTPS
Don't use the "none" algorithm
Use certain fields in the protected header as specified in the text
Use JSON objects specified in the text as the payloads
Don't use MAC keys/algorithms (with the exception of the value of the
externalAccountBinding field which is a JWS with a MAC signature).

(Related issues: If compact serialization is allowed, does the
externalAccountBinding change from an object to a string to indicate
compact serialization? What if this field is using an unsupported
serialization?)

Some things appear to be implied by the examples in the draft but don't
appear to be explicitly specified in the text of the draft (at least not
the current one), such as:
Use JSON serialization (most likely flattened but JWS implementations may
not give programmers control over this)
Don't use unprotected headers
Don't use the unencoded payload option
Don't use multiple signatures (except perhaps in previous drafts that I
think had multi-signature key changes instead of the nested key changes in
the current draft).

Implied in the examples but not explicitly specified in the text may hinder
interoperability.

I think ACME is in a last call.

Logan

On Jan 4, 2018 8:19 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com>
wrote:

> I thought the ACME signature solution was addressed years ago.  Isn't ACME
> in last call?
>
> F.Y.I.
> https://cyberphone.github.io/doc/security/jose-jcs.html#Sample_Signature
>
> Anders
>
> On 2018-01-04 15:03, Logan Widick wrote:
>
>> What do you think of the following:
>>
>> Content type application/jose+json: MUST be supported. If used, the JWS
>> will need to be in the Flattened or General serialization. Flattened MUST
>> be supported; General MAY be supported.
>>
>> Content type application/jose: MAY be supported. If used, the JWS MUST
>> use the Compact serialization. Or should this content type not be allowed?
>>
>> JWS Unprotected Header: Not currently used in ACME. Should this be banned
>> in ACME?
>>
>> Multiple signatures: MAY be supported. Should messages signed by both MAC
>> keys and private keys be allowed? What about Key IDs not issued by the CA?
>> Or are multiple signatures more trouble than they're worth to the point of
>> banning them entirely?
>>
>> Multiple signatures on messages that need to be signed by account key: At
>> least one signature MUST be from the account key
>>
>> Multiple signatures on revokeCert: Should this be allowed?
>>
>> Multiple signatures on externalAccountBinding field of newAccount: Should
>> it be possible to bind to multiple pre-existing accounts? Or should this
>> not be allowed?
>>
>> Multiple signatures on newAccount: Not allowed?
>>
>> Multiple signatures on keyChange: Not allowed for outer or inner JWS?
>>
>> JWS Unencoded Payload Option (RFC 7797): Not allowed?
>>
>> Conversion guide between the different JWS serialization formats: Is it
>> completely safe to assume that any and all programmers given the JWS RFC,
>> pre-existing JWS implementations with sufficient documentation, and
>> pre-existing JSON libraries with sufficient documentation could figure out
>> how to convert the serialization formats as needed? Or is the conversion
>> guide necessary? If the guide is necessary, then include a reference to a
>> separate new or pre-existing conversion guide. If the guide is necessary,
>> and there is no pre-existing conversion guide, how should the new
>> conversion guide be published? Should the new conversion guide be
>> ACME-specific, or more general (possibly with coverage of JWE as well as
>> JWS features not utilized in ACME)?
>>
>> Sincerely,
>> Logan Widick
>>
>> On Jan 4, 2018 5:02 AM, "Jörn Heissler" <acme-specs@joern.heissler.de
>> <mailto:acme-specs@joern.heissler.de>> wrote:
>>
>>     On Thu, Jan 04, 2018 at 09:47:19 +1000, Fraser Tweedale wrote:
>>      > I am the author of a JOSE library, and have had to deal with
>>      > interoperability issues arising from the multiple serialisations
>> and
>>      > underspecified applications/protocols.  Please heed my advice.
>>      >
>>      > Where there is a choice of JSON serialisation (i.e. exactly one
>>      > signature), JOSE does not require or recommend a particular
>>      > serialisation be used.  Not does the specification require or
>>      > recommend that there be a mechanism for telling a library what JSON
>>      > serialisation to use.  The outcome of this is that there are:
>>      >
>>      > - implementations that unconditionally produce the General JSON
>>      >   serialisation
>>      >
>>      > - implementations that unconditionally produce the Flattened JSON
>>      >   serialisation (and do not support multiple signatures at all)
>>      >
>>      > - implementations that produce the Flattened serialisation when
>>      >   there is a single signature, and the General JSON serialisation
>>      >   otherwise
>>      >
>>      > Therefore for interoperability and to avoid situations where a
>>      > conforming JOSE library cannot be used for ACME, I suggest that
>> ACME
>>      > adopt the following regime:
>>      >
>>      > - Conforming ACME implementations MUST process JWS objects using
>> the
>>      >   Flattened JWS JSON Serialization and SHOULD process JWS objects
>>      >   using the General JWS JSON Serialization.
>>      >
>>      > - Conforming ACME implementations MAY refuse to process JWS objects
>>      >   with multiple signatures.  If an implementation accepts
>>      >   multiple-signature JWS objects, it MUST validate at least one
>>      >   signature using the account's public key.
>>
>>     This would work for me. I'm currently writing a new client (We need
>> more
>>     ACME clients!) and I'd prefer to stick to a single hard coded
>>     serialization format which works with every conforming CA. Adding
>>     flexibility (Use "flat" for this CA, use "general" for that CA, etc.)
>>     would be troublesome.
>>
>>     But I'm worried about client implementations that use the next best
>> JOSE
>>     library which "unconditionally produces the General JSON
>> serialisation".
>>     Most CAs would support it ("SHOULD"). But some might decide not to:
>>     "Yeah, we SHOULD support this. But our JOSE library only understands
>>     the flat format and everyone but YOU does use the flat format".
>>     Then who's to blame, the client or the CA?
>>
>>     Should this be changed to "MUST" or to "MAY"?
>>     I.e. "flat" MUST be supported, "general" MUST/MAY be supported,
>>     "compact" MAY be supported but needs a "application/jose" content
>> type.
>>
>>
>>     On Wed, Jan 03, 2018 at 19:51:53 -0600, Logan Widick wrote:
>>      >    Here is a pull
>>      >    request: [1]https://github.com/ietf-wg-acme/acme/pull/382 <
>> https://github.com/ietf-wg-acme/acme/pull/382>
>>      >    Let me know what you think.
>>
>>      > +Conforming ACME implementations MUST NOT process JWS objects using
>>      > +the Compact JWS Serialization.
>>
>>     I think "compact" should be acceptable ("MAY process") iff the client
>> sends
>>     a "Content-Type: application/jose" header.
>>
>>      >    As for using JOSE implementations that lack support for the JSON
>>      >    serialization formats (and only support the compact one), is
>> there an
>>      >    RFC, Internet-Draft, or similar document with an explanation of
>> the
>>      >    conversion process already prepared (that can simply be thrown
>> into the
>>      >    ACME draft's references section)? Or would it be necessary to
>> include
>>      >    an appendix in the ACME draft with an outline of the conversion
>>      >    process? The conversion process looks fairly straightforward.
>> However,
>>      >    it would be nice if there was a document or part of a document
>> that
>>      >    could be easily referenced.
>>
>>     Your conversion guide sounds good. But personally I'd move this to a
>>     separate document (like you were looking for) because it would be
>> useful
>>     in non-ACME related applications too.
>>
>>     Cheers,
>>     Jörn
>>
>>
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>>
>

v2.23.0 | Report a Bug | By Email