Re: [CFRG] OCB does not have an OID specified, that is a general problem

Neil Madden <> Fri, 11 June 2021 10:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 28CF93A318E for <>; Fri, 11 Jun 2021 03:00:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4dIjyDPfOep1 for <>; Fri, 11 Jun 2021 03:00:36 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 716183A3190 for <>; Fri, 11 Jun 2021 03:00:36 -0700 (PDT)
Received: by with SMTP id f2so5383290wri.11 for <>; Fri, 11 Jun 2021 03:00:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=eE7oiFUE7xcvGteYSqwU90D+M2RNdg06Kzavtt29Azw=; b=vFK+7knlaLH8339tDnI1ndViyIZd8ckvqIy6B0+T5Oii/CDc9QYysAdRgnGhyWzxQ0 sMokv9/QGMetJSJaSCBwXuPxjA/AWz8D2oigK1S7eXOEsqG2kAOD3gMyWW+Chu87u6aB J0SHD9hfdd+/XBcpuLxGqzfA1wMA/0+KlP2JCECw/57uOTUx/epajPh3a6vrvbbd2v4U kBuLQHaw3WweFrVL57iQwsZM1IX28lEFEmJ5LL22XK5qkkfts1nqWCMRRNsOtJEahHOm yw44vTWX67CRwC9QpvrM7HoCfH9QYSmb49Tc+lu9As8RCgMBX6fyp9/Bjjo+v/0yAbes hvmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=eE7oiFUE7xcvGteYSqwU90D+M2RNdg06Kzavtt29Azw=; b=WdxQkTULg83v59Is5F7z6LZTS/WtgeXwB1g19edtaa8ca80NqijFlJthnzFcT4Ug/O mE3Hi4dipKz50+nmhQUI4gkdXrKD+8mT9GsDnWP/yF4mb7KHpC1KGPyFyKMYNX255rPi 9mnjweEPcK07iQ6UjQKOg/1C02Air8NZTWLIJRlP+LoDUesm6xtNu/1m+L+Ftnbyr4Xr dWqfDhxnpiqHwh8dTDYR6wyGD4tWR+rm5DEJBvKrtqS4Gc59oqEMOFT6e/A2gq6WqBbd x0QHCbwkQtuuzlWjVqdKaw3xwwBNcSkoWnykdQgYuX0Tug0EIkJIUZpTLbWOdGMv+mNY HFqA==
X-Gm-Message-State: AOAM531EORa5Qwb1gbvSj8dRXQE2OQDaIwYK42pNy8/o/HiodupRhyA2 IbZUBDGlrLTeBXdfVhcXjzo=
X-Google-Smtp-Source: ABdhPJzgsrM5aploQIct1gM1H1AhSGuzpTfdyymJRcrhR7M3HGaLD6PQbyY4JYun5b+qr2mMwPm7JA==
X-Received: by 2002:adf:d1ec:: with SMTP id g12mr3160057wrd.204.1623405633913; Fri, 11 Jun 2021 03:00:33 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id d131sm12071557wmd.4.2021. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 11 Jun 2021 03:00:33 -0700 (PDT)
From: Neil Madden <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_30012651-999A-4060-BCB3-B96A43BD1347"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Fri, 11 Jun 2021 11:00:31 +0100
In-Reply-To: <>
To: Phillip Hallam-Baker <>
References: <> <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [CFRG] OCB does not have an OID specified, that is a general problem
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 11 Jun 2021 10:00:42 -0000

On 8 Jun 2021, at 17:36, Phillip Hallam-Baker <> wrote:
> […]
> On Tue, Jun 8, 2021 at 3:53 AM Neil Madden < <>> wrote:
> On 8 Jun 2021, at 01:58, Phillip Hallam-Baker < <>> wrote:
>> On Mon, Jun 7, 2021 at 10:02 AM Neil Madden < <>> wrote:
>> Unless there is a compelling reason to do so, I’d prefer that registering algorithm identifiers for JOSE be a manual (and rare) step. JOSE provides no way for consumers to advertise which Encryption Methods they support (“enc” - which is what OCB would be), so adding new options here can only harm interoperability.
>> (This is in contrast to key agreement algorithms - “alg” - as these can be advertised in the JSON Web Key metadata).
>> I don't agree. JOSE has no algorithm negotiation mechanism because it is a format, not a protocol. After we went through the whole recommended/required algorithm thing on JOSE, it suddenly occurred to me that this was precisely none of JOSE's business. It is for the protocols and services built using XML Signature, JOSE, CMS etc. to decide what algorithms to require and/or recommend. 
> Doesn’t this contradict your desire to have a single IANA algorithm registry? If individual application protocols are to state which algorithms to use then they need a registry each to state this. 
> Not at all. My point is that the purpose of a registry is limited to assigning a signifier to one or more signified. It is not for IANA to specify that RSA is required or not, that is a WG decision.

And yet that is exactly what is recorded in the IANA JOSE registry. I appreciate that you’d like things to be different, but that’s not the reality today. A WG established the IANA registry and set up the procedures by which alterations to it are made, as described in RFC 7518 that established the registry (p34):

   The implementation requirements of an algorithm may be changed over
   time as the cryptographic landscape evolves, for instance, to change
   the status of an algorithm to Deprecated or to change the status of
   an algorithm from Optional to Recommended+ or Required.

>> JWK is a protocol built on top of JOSE, so it makes sense for that protocol to specify recommended algorithms.
> This is rather backwards: JWK is part of JOSE and indeed JOSE depends on JWK (see for example the “jwk” and “epk” headers). 
> Well yes and no, JWK also pops up in other contexts. OAUTH2 would have been a better example. 

OAuth2 doesn’t have any dependency on JOSE. I think you mean OIDC?

> JOSE doesn't even specify the serialization format, it is a component of a protocol, not a protocol.

Sorry, what? JOSE defines *two* serialization formats: <> 

>> But the recommendations made in the JOSE spec have absolutely no bearing on the Mesh which uses parts of JOSE because being written six years later, the state of the art has moved on. The Mesh does not support RSA at all and the elliptic curve algs are X448 and Ed448. The curve 25519 versions are not supported for profile signing, etc. etc.
>> I would expect the same to apply in the COSE world. Merely defining a code point for JOSE or CMS does not make a statement about the algorithm recommendation status.
> Well it does actually - see the “JOSE Implementation Requirements” field: <>
> And the reason for this is because the algorithms are implemented by JOSE libraries. Indeed, this is the whole point of JOSE, that applications don’t need to implement their own algorithms but can just use a preexisting library. 
> And merely assigning a code point does not change the recommendations for implementing algorithms in a 'JOSE Library'.

It absolutely does in this case.

> Since I wrote my own JOSE library in less than a week, I have a hard time believing that it is the JOSE part that is critical. And since I used the .NET crypto as base, the recommendations in the JOSE specs were not remotely relevant.

If you didn’t implement the Required algorithms, then you didn’t implement a standards-compliant JOSE library. Otherwise what do you think “JOSE Implementation Requirements: Required” means on an IANA JOSE algorithm registration?

>> All it does is specify the one canonical identifier every application will use. It is not at all important what that identifier is (provided it is not an absurd length) it is critical that everyone use the same identifier though.
> If different applications are going to specify different algorithms then this somewhat argues against your point: they _don’t_ need to use the same algorithm identifiers as other applications in that case. 
> There is no reason why the algorithm suite for the Mesh should be the same as that for SIP and plenty of reasons why it needs to be different. The Mesh uses threshold cryptography which only works with DH and ECDH algorithms for a start. Even if RSA was still viable from a security point of view, I couldn't use it. OCB was patent encumbered when JOSE was written, it is not today. The advantages of OCB over GSM are significant but not something that is worth losing backwards compatibility over.
> But I think we’re rather getting off the track here because as I mentioned in my first email, OCB would be standardised as an Encryption Method (“enc” header value). This introduces more complications. JOSE supports encrypting a message to multiple recipients, each of which can use a different key management algorithm (“alg”). But the content of the message has to be encrypted using a common symmetric Encryption Method that all the recipients understand. This is why introducing new Encryption Methods is problematic because as the number of options goes up, the chances of finding an algorithm that all recipients agree on reduces.  
> Since I have 0 users and 1 implementation, my scope for deciding algorithm choices is radically different from that of others.
> You keep conflating the concerns that apply to existing JOSE applications to the concerns that properly apply to JOSE.

I’m not conflating anything. Unlike yourself, I am the primary maintainer of a JOSE library that is in use in some of the largest organisations in the world handling many millions of operations every day. You keep making statements that are directly in contradiction with the JOSE RFCs.

> (The alternative is that we register as many new “enc” values as we like but they are all effectively ignored because everyone uses “A128CBC-HS256” as the only thing guaranteed to work everywhere. This is not the case currently because there are only a few “enc” options and so most libraries implement all of them). 
> OATH2 allows use of 128 bit AES and 256 bit SHA-2.

Again, I assume you mean OpenID Connect, as OAuth2 itself makes no recommendations about cryptography at all (other than requiring TLS). OIDC itself defers to JOSE for algorithms. So here you can see that the choice of algorithms in the IANA JOSE algorithms registry directly and immediately impacts a widely used protocol.

> The Mesh requires 256 bit AES and 512 bit SHA-2 or SHA-3. And that is exactly what you would expect. OAUTH2 is an attempt to define an authorization scheme that is conflated into an authentication mechanism that manages to squeeze itself into the legacy deployed base of Web Browsers. The Mesh is a Threshold PKI whose primary function is management of private keys. My problems have absolutely nothing in common with those of OAUTH2 which is why their algorithm choices have no bearing on mine any more than TLS is beholden to CMS or CMS to OpenPGP.
> In 2021, I think OCB has very few advantages over JOSE’s existing GCM Encryption Methods, so I think it is much more trouble than it’s worth to specify it for use there. If we’re going to expand the “enc” registry I’d rather it was for an algorithm with significant advantages over the existing alternatives, such as misuse resistance or better performance on low-end hardware. 
> This was discussed at some length on the cryptography list and the overwhelming feeling there was to go for OCB. That was not a decision taken lightly as it required me to write the implementation. GCM is a stream cipher and the uses in the Mesh clearly require a block cipher which means CBC and OCB are the only acceptable choices.

By your own admission the Mesh is doing something entirely non-standard with JOSE anyway, so you are also free to also adopt OCB as a non-standard algorithm. 

As somebody who is responsible for maintaining a JOSE library (and an OIDC implementation), I’d rather we were somewhat conservative in adopting new JOSE algorithms. I strongly disagree that there should be a presumption that any algorithm published by CFRG should immediately be considered for adoption by default in JOSE. There are cases where I think adoption would be sensible - e.g. I hope to see post-quantum algorithms for JOSE at some point - but OCB doesn’t reach the bar in my opinion. 

— Neil