Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
David Adrian <davadria@umich.edu> Mon, 23 April 2018 13:44 UTC
Return-Path: <davadria@umich.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82985129C5D for <cfrg@ietfa.amsl.com>; Mon, 23 Apr 2018 06:44:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TGgWhenwbE12 for <cfrg@ietfa.amsl.com>; Mon, 23 Apr 2018 06:44:14 -0700 (PDT)
Received: from mail-ot0-x22a.google.com (mail-ot0-x22a.google.com [IPv6:2607:f8b0:4003:c0f::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2155127333 for <cfrg@ietf.org>; Mon, 23 Apr 2018 06:44:14 -0700 (PDT)
Received: by mail-ot0-x22a.google.com with SMTP id h8-v6so13511977otb.2 for <cfrg@ietf.org>; Mon, 23 Apr 2018 06:44:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ceE6vfT6h8FMeWrj2liL2WePu5Hwis2HWubm8DzP21k=; b=KYISa3s/S0GrWp7czvCmq6tokpFSDClFp0/VAAbjz6wbtvNQ/cUQhO/ekpK5QzDdsg 4vchN23uQxATNOF3Aw98W3XNXBYEsbXbVLYf3vAINh4sbe/lfo/yfk5JRDtBH5WTwJlH Fxp6x23wRGDUxHryl2UcX3vUrZGTox33GiooJPih6dMD2GBd+lZMZ+JnKsCTXuPSlCc/ F5S1cvM5mzuWq3Gbd7sfqLRFmkoAz8JH6KroiJF/1UvirlkQ8GUKEn6HczDO38Iq6LtD 9m4Ji8RKbOwWBkkT0Z2NCJNKTRac8DGlu9QEwQOWvbD2UtQt/tWwpkx2aZaweF7xaEtO 7QAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ceE6vfT6h8FMeWrj2liL2WePu5Hwis2HWubm8DzP21k=; b=JP52gnKdGZ5/INUlwyVZYNp22HXEcJkNqGofjrKu50ysDe+M7RDswvcA5qv+XX1w37 hP4gX6066vuO/KiWHwLO33U3cZOn4EhnkCIXis3RmkgPixVxpZ/MVh/mUurYgq2ymC/n 7o74i2MeNrEl1tLUnNKboKjbmv116tG9zJ1lohS34aYlll42F46xqeej8HNMPwEZWzwV I4GfkoZN5YyaRvEJPyyYmvB95pdUSotR342WlVtyghD9q5pAHwi4ihpj9jxQHRfDYUAL Sfnu2mA+SbYF26W8TNz6kK6qv/lNIu8/wnhYBhhZRyYINWFIKtAYve09WOqgIKg2iF5Z 2UzQ==
X-Gm-Message-State: ALQs6tCLSBVbfqWJ7qRsHqKaDPWtkYbij7vMRgyAna304gvX3xZE7Jbu IjBTENOShnk+T3R7VlubArwvH4zs
X-Google-Smtp-Source: AIpwx4/FalPzfzGrDZkB0T/VbFJXGqP3pd0u46cAflsdDtLol1gONscm5BYMSxzYC0fiXkMFiwQ2Sw==
X-Received: by 2002:a9d:1691:: with SMTP id c17-v6mr14705319ote.115.1524491053984; Mon, 23 Apr 2018 06:44:13 -0700 (PDT)
Received: from mail-oi0-f44.google.com (mail-oi0-f44.google.com. [209.85.218.44]) by smtp.gmail.com with ESMTPSA id q81-v6sm6870179oih.6.2018.04.23.06.44.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Apr 2018 06:44:12 -0700 (PDT)
Received: by mail-oi0-f44.google.com with SMTP id 188-v6so14295427oih.8; Mon, 23 Apr 2018 06:44:11 -0700 (PDT)
X-Received: by 2002:aca:f257:: with SMTP id q84-v6mr12668100oih.240.1524491051769; Mon, 23 Apr 2018 06:44:11 -0700 (PDT)
MIME-Version: 1.0
References: <CAKws9z15m6WY+-mz5D01vxB4s-TE7nQN56=ssYt=vz3z4gAj6A@mail.gmail.com> <DBC2F048-C949-4362-8FD0-A43A54767B03@gmail.com> <CAKws9z277JLfv7Pb9wSkJ7zYR8FzoAfiXuFS6Vq0x32-3bWx7Q@mail.gmail.com> <DB58CEFE-ED93-4C1C-9212-B622DFCCFFB9@gmail.com> <A6784DBB-C147-40B7-8A5C-E96F431020F6@tzi.org> <SN6PR00MB0301F595CF57BF58D4BAA4D2F5B40@SN6PR00MB0301.namprd00.prod.outlook.com>
In-Reply-To: <SN6PR00MB0301F595CF57BF58D4BAA4D2F5B40@SN6PR00MB0301.namprd00.prod.outlook.com>
From: David Adrian <davadria@umich.edu>
Date: Mon, 23 Apr 2018 13:44:00 +0000
X-Gmail-Original-Message-ID: <CACf5n78R3Fur_eunfiQnM9+enbV5vrXs8aW1sfmU6HhV6_3WVA@mail.gmail.com>
Message-ID: <CACf5n78R3Fur_eunfiQnM9+enbV5vrXs8aW1sfmU6HhV6_3WVA@mail.gmail.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: Carsten Bormann <cabo@tzi.org>, Neil Madden <neil.e.madden@gmail.com>, "cfrg@ietf.org" <cfrg@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009aa637056a843b4b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AouyObhTyLQY5ABiN7TM-ZhhUpY>
Subject: Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2018 13:44:17 -0000
> If we have to invent a new standard each time an existing standard is implemented with a security flaw, we have a lot of work to do. You fundamentally cannot fix a standard with unusable to the point of broken negotiation by extending the negotiation. If you don't want PASETO to be a new standard, call it JOSEv3. On Fri, Apr 20, 2018 at 11:18 AM Mike Jones <Michael.Jones= 40microsoft.com@dmarc.ietf.org> wrote: > The JWT Best Current Practices (BCP) draft catalogs the different > implementation mistakes that have been documented and describes how not > make them. The timing of this discussion is good because the draft is > currently in working group last call - through Monday, April 30th. Have a > look at https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-01. If you > believe that additional content is needed, please send your reviews to > oauth@ietf.org. > > Also, see Neil Madden's draft > https://tools.ietf.org/html/draft-madden-jose-siv-mode-02 on > misuse-resistant cryptography for JOSE. I've encouraged him to take it > forward. Please provide feedback on that as well. > > -- Mike > > -----Original Message----- > From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Carsten Bormann > Sent: Friday, April 20, 2018 4:03 AM > To: Neil Madden <neil.e.madden@gmail.com> > Cc: cfrg@ietf.org; jose@ietf.org > Subject: Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Agnotic SEcurity > TOkens > > On Apr 20, 2018, at 12:49, Neil Madden <neil.e.madden@gmail.com> wrote: > > > > insecure implementations of old standards don’t go away because you > introduce a new standard > > Exactly. > > If we have to invent a new standard each time an existing standard is > implemented with a security flaw, we have a lot of work to do. > > Insecure implementations exist even of standards such as TLS. Usually the > strategy is to fix the implementations. (It is also a good idea to > envision what implementers will mess up when creating a new standard. But > there are limits to that approach.) > > One of the objectives in the definition of COSE was to avoid some of the > pitfalls of JOSE. > There is also work ongoing to document the security considerations of JOSE > better, e.g., draft-ietf-oauth-jwt-bcp. > > I’d like to focus the energy that appears to be visible here on agreeing > good SIV constructions and getting them registered with COSE. > > Grüße, Carsten > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > -- David Adrian https://dadrian.io
- Re: [Cfrg] RFC Draft: PASETO - Platform-Agnotic S… Salz, Rich
- [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcur… Scott Arciszewski
- Re: [Cfrg] RFC Draft: PASETO - Platform-Agnotic S… Neil Madden
- Re: [Cfrg] RFC Draft: PASETO - Platform-Agnotic S… Neil Madden
- Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Ag… Carsten Bormann
- Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Ag… Vladimir Dzhuvinov
- Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Ag… Mike Jones
- Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Ag… David Adrian
- Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Ag… Neil Madden
- Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Ag… Mike Jones
- Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Ag… Neil Madden
- Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Ag… Scott Arciszewski
- Re: [Cfrg] RFC Draft: PASETO - Platform-Agnotic S… Scott Arciszewski
- Re: [Cfrg] RFC Draft: PASETO - Platform-Agnotic S… Salz, Rich
- Re: [Cfrg] RFC Draft: PASETO - Platform-Agnotic S… Scott Arciszewski
- Re: [Cfrg] RFC Draft: PASETO - Platform-Agnotic S… Salz, Rich