IETF Logo Mail Archive

[COSE] Off-topic: WebCrypto JWK algorithm registrations

Neil Madden <neil.madden@forgerock.com> Fri, 20 September 2019 15:51 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05F25120878 for <cose@ietfa.amsl.com>; Fri, 20 Sep 2019 08:51:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bWJwMxxcvgTW for <cose@ietfa.amsl.com>; Fri, 20 Sep 2019 08:51:53 -0700 (PDT)
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E45D3120019 for <cose@ietf.org>; Fri, 20 Sep 2019 08:51:52 -0700 (PDT)
Received: by mail-wm1-x32e.google.com with SMTP id b24so2737952wmj.5 for <cose@ietf.org>; Fri, 20 Sep 2019 08:51:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ZBb4NSifdHHMXs1q5G+8L/mi0wJELVgbroKoyNPBh3M=; b=KTDpfsytnbDoakMed+DMcru7pnSe2vCQWXzmTX6at6HiyK4ggBRYNf6l44D3/OGsdG /OjVd2VdprkUaPH4MMmneXQaJCTTNeUiq18vZa5UhulozPM9SfqhuHU1JTVInHzk4fGO urBHGmKOLGhIwKhVeX1yDi9W+Lv8FySknqJCU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ZBb4NSifdHHMXs1q5G+8L/mi0wJELVgbroKoyNPBh3M=; b=MpwgxK0ossWeBz8VDfr06eGC4K2byAURRbEUhwS83E0Uf1YszDS7JKYMQAqj2d3/MB +WuD/hAZZ9OhBgNMsAkq/r6WHXEsZdNMOPlDjxP7ICRw6PVk40NAuBWXx/jHoLAyMja5 IKKjlWwCePa4EDw6BUJpCRkdB3Gdsu4TLFNkUInX2H+Eh+om7qZt4OskHjf5RRvaWgaJ ndG+++el8aC5wSwO2i7IXtJhkZqgm5G1OC3ws4/+w44slD6J8zXKmDUW1y/pUPEucoKh vRNCyQLepxG/BLtwZHr2kt0SRdazhb5+xyAOSp/Dl1pQBqcjo8oTjIOfh0HOIGfmCFrK eO7Q==
X-Gm-Message-State: APjAAAUyluP12pq3+c44MilEOjYXqDECP+WrsdGvKbnLnbGFprWgiA1b yQwipoC0xrTWq2Lh8HBjJAM8GQ==
X-Google-Smtp-Source: APXvYqz4awuahO2fMNt0IEaZm/HEWGvPJm+63R43j+Yghivd+Ty+C7iYxngjuX6NvHHjQx0qY+O43w==
X-Received: by 2002:a1c:c14a:: with SMTP id r71mr4162507wmf.46.1568994711121; Fri, 20 Sep 2019 08:51:51 -0700 (PDT)
Received: from [192.168.1.64] (253.58.93.209.dyn.plus.net. [209.93.58.253]) by smtp.gmail.com with ESMTPSA id t13sm4413021wra.70.2019.09.20.08.51.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 20 Sep 2019 08:51:50 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <8F10A42F-B687-494B-9586-C0A05115936E@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_64172CD8-50B5-414D-AE4D-AD10B119B4FC"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 20 Sep 2019 16:51:49 +0100
In-Reply-To: <013c01d56fc8$56cb8b20$0462a160$@augustcellars.com>
Cc: ivaylo petrov <ivaylo@ackl.io>, jose@ietf.org, cose@ietf.org
To: Jim Schaad <ietf@augustcellars.com>
References: <CAJFkdRzEF0wh9-H4dDNQeUHVd_VD8KKv1jOJ7BWs+bKN2e6gBQ@mail.gmail.com> <CAJFkdRy6Bs77gFGG0QGMC1fe_niQC6Of7_2Z8+jjYzpWkuMDBQ@mail.gmail.com> <465EE321-1595-4453-8D4E-E3A6A457C86E@forgerock.com> <012001d56fc0$1fb30e90$5f192bb0$@augustcellars.com> <F6FF776D-FFF9-4330-8A6B-81F783D990C2@forgerock.com> <013c01d56fc8$56cb8b20$0462a160$@augustcellars.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Mol5HkJLzBHdYNAnc1SwFAD8LIA>
Subject: [COSE] Off-topic: WebCrypto JWK algorithm registrations
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2019 15:51:55 -0000

> 
> Ouch, I hadn't seen this. The WebCrypto group really did a number on the registry. Thankfully most of them (including RS1) are only registered for JWK usage and marked as Prohibited. (What does it even mean for things like "A128CBC" to be registered as a JWK "alg" value?)
>  
> [JLS] One can have a JWK which contains a symmetric key so in that case an “alg” value of “A128CBC” makes sense.  Only use this key with this algorithm.  

OK, off-topic but this reveals an ambiguity in the JWK spec. Section 4.4 of RFC 7517 describing the JWK "alg" parameter just says that the values should be registered in the "JSON Web Signature and Encryption Algorithms" registry, but as this registry contains both JWE Algorithms ("alg" in JWE) and Content Encryption Methods ("enc"), it is ambiguous which is allowed. I have always assumed that only JWE/JWS "alg" values where allowed in a JWK "alg" claim, but I guess the wording would also allow you to put an "enc" value in there. I presume that's what the WebCrypto spec is intending with these registrations, rather than registering "A128CBC" etc as key-wrapping algorithms?

-- Neil

v2.23.0 | Report a Bug | By Email