IETF Logo Mail Archive

[COSE] Well...Re: Why you shouldn't have your crypto designed by a CEO

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 10 January 2022 05:05 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 260493A0954 for <cose@ietfa.amsl.com>; Sun, 9 Jan 2022 21:05:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wN70cLeF2wza for <cose@ietfa.amsl.com>; Sun, 9 Jan 2022 21:05:33 -0800 (PST)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 267E93A094C for <cose@ietf.org>; Sun, 9 Jan 2022 21:05:33 -0800 (PST)
Received: by mail-wr1-x435.google.com with SMTP id l25so13574897wrb.13 for <cose@ietf.org>; Sun, 09 Jan 2022 21:05:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:from:subject:to:references :content-language:in-reply-to:content-transfer-encoding; bh=wuwa3ChybNEQDeNa4GxuLkdk7Zg0L82E1rF/kHhhmHk=; b=ARpysU+v/ZhLb+rrm1+QQqgdwBYY8ivZtsjRQPaQyznlNCKB5K+otYJyPX9Jf9On8c nQ8xFYU/BqRQviSilWF3YKJHaFLX6PObBIjgqssmvsDUtcI7JPsdCXh2Cs/bh7jQTPAu vD4q1ba59m3Q2jz7Q+lj8qXeCz1hyd5MKbfI/atURTeWCtFf7oYMIOHR0SbpYEMfWIO+ +hljnTA2fvuFUZtloyF2TmdxTkOtPMkY9CyW4J4zJO7eiUpOtpHm+PTBs/qu8qLR9yx5 2X6hOI/fFnjGnZNlo7phBkLcq9FFWU78/rPHCL2InkYd/myuoJBLh3dr6ZvbOSvTi0ZY PaDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:from :subject:to:references:content-language:in-reply-to :content-transfer-encoding; bh=wuwa3ChybNEQDeNa4GxuLkdk7Zg0L82E1rF/kHhhmHk=; b=RnxWNauaADj15KEYkuSOLS+9YW+529+6lxZBN++XKSTDCRfjpZHm5MRezTNQeNiSnx DfUaK609Mbe+BCGZUQJHo5x7WTI2FAWBJxBXKUXDOCfZkkmJzg0DVOplwFr3bunomlFV WTqkS+cKfN7D1U/RslZXZJr94yK0FGsBgLUL2hx1w+x+CsaiLSlQ9ve55C7O+jH78XZM +W/mcs9471ZWBoBXq73lPrHF7kzHdK2IMrb8tOmzgqj6I08Au+ksqD5l0hApXRzE+Od/ NUuSkjKYSKL+9ViIVl+TV3/U6XHFGgbRqlzpuEmC3LMoL7CCvSAbJKXCzIcj2cCmz1SA dszA==
X-Gm-Message-State: AOAM533Dt4YI3gif9xGKOcZ+JL/ugwnROaplugpbvSlCNods+swbYSv+ zKXp4KVvIBithYEAJ6zNtP+gJwQ2eco=
X-Google-Smtp-Source: ABdhPJy7kPeoN5/guzObO1GPrelgjcOGe8PucXasUORX6K0t1v2QGSdbKeH7mvbAi6mGc3DvGg2ICg==
X-Received: by 2002:adf:f789:: with SMTP id q9mr911314wrp.200.1641791129770; Sun, 09 Jan 2022 21:05:29 -0800 (PST)
Received: from [192.168.1.67] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id l6sm7524647wry.18.2022.01.09.21.05.28 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 09 Jan 2022 21:05:28 -0800 (PST)
Message-ID: <7256e650-4351-6d0e-9ba8-48d310e405f7@gmail.com>
Date: Mon, 10 Jan 2022 06:05:27 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: Carsten Bormann <cabo@tzi.org>, cose <cose@ietf.org>
References: <DC93BD3D-E0F6-464E-8E66-B341205DBC80@tzi.org>
Content-Language: en-US
In-Reply-To: <DC93BD3D-E0F6-464E-8E66-B341205DBC80@tzi.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/7dnVW7t28NZO02jbDe6_5LNBpjk>
Subject: [COSE] Well...Re: Why you shouldn't have your crypto designed by a CEO
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jan 2022 05:05:38 -0000

Hi Carsten,

Although I'm a huge fan of standardization, it doesn't always work that great in practice.

A recent example is W3C's effort, "marrying" WebAuthn with payments, called Secure Payment Confirmation (SPC). In turns out that the WebAuthn folks(≈IETF) have quite limited experience of the application area, leading to a design having pretty horrible User-, Deployment-, and Privacy-characteristics.

It doesn’t take a degree in computing to realize that this standardization activity have set their own “standards”: https://github.com/w3ctag/design-reviews/issues/675#issuecomment-964273692

In fact, "industry-standard" [*] features such as Authorization and Encryption/Tokenization were never considered.

How did this happen? Well, since this effort was initiated by Google (rather than by a CEO from some obscure company), questioning it becomes awkward and could also negatively affect other W3C and IETF work, typically carried out by the very same lot.

However, it doesn’t stop there.  If this project had considered evolving on-line payments by for example defining on open standard along the lines of Apple Pay, the tensions would have reached an unmanageable level since a successful launch would most likely spell the end of both Apple Pay and Google Pay.  Note that this is an internal (self-inflicted) problem; the “market” certainly doesn’t care 😊

That Google also have close to a monopoly on browser technology makes the situation even more complex.  In practical terms it is impossible for ANYBODY creating an alternative since there is no way getting it to the market.

Cheers,
Anders

*] EMV: currently powering 10 billion crypto-enabled payment cards.  EMV is also the foundation of Apple Pay.

On 2022-01-07 16:03, Carsten Bormann wrote:
> In the IETF we focus on making building blocks, which are then used to create products and deployments.
> 
> Personally, I generally focus on creating quality building blocks and try to ignore whether those ultimately lead to design wins or not.
> 
> But I can’t help seeing a whole little industry creep up that is interested in creating alternative building blocks that appear to be of interest to the creators so they can attain control over them and perform rent seeking from that control.
> 
> This is, of course, an old game in standardization, but it is reaching new heights in the area of standards for signing things.
> 
> Under the guise of writing tutorials about this subject field, IETF building blocks are disparaged and the “new” wares are peddled instead.  Within the bubbles created by this, it may seem the IETF standards are done with and the “alternatives” can be presented as the way to go.
> 
> Marketing is a necessary component of technology development, but it should not be built out of hatchet jobs and, er, alternative facts.
> 
> For those looking for an example, try exhibit [1].  After a brief tutorial (which is always welcome), various approaches are discussed.  JOSE (with JWS and JWT) is correctly presented as the “elephant in the room”, but then immediately disqualified because of the single misfeature that JOSE stores the algorithm identifier with the signature.  The author mentions RFC 8725, but either hasn’t read it or doesn’t want to mention that this immediately deflates his only(!) argument against JOSE.
> 
> Note that exhibit [1] is from August 2021, but doesn’t even mention COSE.  Probably because COSE is a convincing successor to JOSE in the space he is targeting, with implementations out there that have taken lessons from early JOSE implementations.
> Instead, the piece presents [2] as evidence that “PASETO is progressing toward an IETF standard”, but then quickly deflects any potential response that it isn’t, by saying "it is important to note that [IETF] acceptance does not really matter from a security perspective" ([2] itself says the same thing in other words as well).  Of course, he later argues against crypto agility, “any of the SHA-2 functions are fine. Pick one and use it everywhere, don’t try to design in agility at the protocol level”.
> 
> I’m going to spare you from further analysis of this pamphlet and will only add [3] as a link offering a probably explanation why this piece was written.
> 
> I’m wondering whether we (the set of individuals interested in this, certainly not the WG as an IETF construct) need do to more in offering factual material to the channels that are being used for this “marketing”.
> 
> Grüße, Carsten
> 
> [1]: https://dlorenc.medium.com/signature-formats-9b7b2a127473
> [2]: https://github.com/paseto-standard/paseto-rfc
> [3]: https://chainguard.dev/posts/2021-10-07-introducing-chainguard
> 
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose

v2.29.0 | Report a Bug | By Email | System Status