IETF Logo Mail Archive

Re: [COSE] Iotdir telechat review of draft-ietf-cose-cwt-claims-in-headers-07

Michael Jones <michael_b_jones@hotmail.com> Thu, 09 November 2023 11:53 UTC

Return-Path: <michael_b_jones@hotmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3331AC14CE5D; Thu, 9 Nov 2023 03:53:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.232
X-Spam-Level:
X-Spam-Status: No, score=-1.232 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WKPx7fU4-2VL; Thu, 9 Nov 2023 03:53:11 -0800 (PST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11olkn2082.outbound.protection.outlook.com [40.92.19.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65DDAC14CF1A; Thu, 9 Nov 2023 03:53:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jsOnYz846QroRwp2gbV3LDyKQeHHMO7Mj5k0aRwZSYFTcALxffAmmIPazviQzgjT4q0YayWV/oVJQw8NYXJRIGy/oLrQOBD990ZdFvULVMTIMuXhWreEbN+u3eQRiwO/UTY7p2nA2EwqPlVLXojMBkPVaELpqtyOnRsp4Typ+uon4RTZ0MmM4O/PBCbNvsuFDH9Zjl3FUSKkapLAjn9v6jBotEdmudQiN5r5GSKpzumxx/GcFDMD6rwKnCnfSJvON1aPhBRwEoLJp0chsFI3PEW4CXSOMDLLghDaIovoSItEfoVDfTWKBHp3Ijp9QUJvl7izKuZMv7d39aMZoiJFww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5BCmvt9y29EwTwFFX3+28ygs3DKvanf6ThgnMhJH80E=; b=ZT28lFwcid1c2/9T3YBrfDiTxE5N0loaCJ/PQiYIb4bUKxvDGbCOWFDjY1QWfvzTeAt5cwGdsK8OacslEW1WDwKbbtcDp2rXlwX6nKuYeM7SuIk9WUx2hjG7yfEDRl1tl9o8nP7rV23vX+A22OTqgmimIzvokoTb/slOXp3b9E2nhSJfJ+yBAJ6NzO54i2kAcyUT68VV5AzrZ4lcd129Nl9XinSFg21vTX6eXL8T0lQRieeA7I4mIfwrdNDmFzXRTQ+LVVyOW0A/SwU7CU4pP8D3Q9zqQPlMQQmL6kYJ3pJN9EfRCkuMeZ8FqUJdWHdqrc5UqijAvZO2DzT1aso4Yg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5BCmvt9y29EwTwFFX3+28ygs3DKvanf6ThgnMhJH80E=; b=qRys4UkWDazCPz4BIvruK5ZceNK/tx+mx6sW90bSxsdMVcMtEoTpqHJCvDPtGw7HPw1vK3edb4IAaJBG1p5Mx9/LdYtlXh5n153U1XIh+9d9npTb8BQLzdk80eok+VlQ/fYHyxptqOo1km35fKHQnrcyul7XUrW/0YeqAYSv4H6t90Vt+Kku73bPbP1wX9cza/p5lCwDX2SG/osA7n6nXI2Kha/ffnGAUrvWbbmjM5QoOLAG9m0xLgtYoQp6ttA2vI6ruKbIDHHZI7vIvqluXzYpV3LM7eM6OshoM6sPR/QD+nwyvNlbFxgTYY3SqSpcY5EI1xfQk0hpoVBgdgysEw==
Received: from SJ0PR02MB7439.namprd02.prod.outlook.com (2603:10b6:a03:295::14) by LV3PR02MB9960.namprd02.prod.outlook.com (2603:10b6:408:19e::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.29; Thu, 9 Nov 2023 11:53:00 +0000
Received: from SJ0PR02MB7439.namprd02.prod.outlook.com ([fe80::38a6:2b20:d72f:21cb]) by SJ0PR02MB7439.namprd02.prod.outlook.com ([fe80::38a6:2b20:d72f:21cb%6]) with mapi id 15.20.6977.018; Thu, 9 Nov 2023 11:52:59 +0000
From: Michael Jones <michael_b_jones@hotmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Carsten Bormann <cabo@tzi.org>
CC: Orie Steele <orie@transmute.industries>, "iot-directorate@ietf.org" <iot-directorate@ietf.org>, "cose@ietf.org" <cose@ietf.org>, "draft-ietf-cose-cwt-claims-in-headers.all@ietf.org" <draft-ietf-cose-cwt-claims-in-headers.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: [COSE] Iotdir telechat review of draft-ietf-cose-cwt-claims-in-headers-07
Thread-Index: AQHaC96y9s/wG644GUC3P8mal/m8J7BltuqAgAADroCAAMsrgIAAkYWAgAAPhQCAACCuAIAADTKAgAAGZeCACpLOUA==
Date: Thu, 09 Nov 2023 11:52:58 +0000
Message-ID: <SJ0PR02MB743938825614A940E371AD56B7AFA@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <169874540507.32382.14218122514486056121@ietfa.amsl.com> <83A3D56E-FDEA-46A3-ADB7-A5CA5130A1EB@island-resort.com> <82b9cb37-fb97-467b-b0d3-4752bf2f1076@gmx.net> <F3247BCE-E30B-4EA7-9652-AAE5CBB4637C@island-resort.com> <CAN8C-_LjTncbC6wz7+48A-z01AMyAexGXOvDsg5gL5qVoPoX7w@mail.gmail.com> <f350f06f-3819-4bfc-8c8b-687ab8dd908e@gmx.net> <2651c7c7-1062-f07c-0f9b-ef1650a8f026@sit.fraunhofer.de> <3B903BA4-68CA-4FB1-882A-9202B3E0C0A5@island-resort.com> <SJ0PR02MB7439A57B8667ED07A934A4B4B7A6A@SJ0PR02MB7439.namprd02.prod.outlook.com>
In-Reply-To: <SJ0PR02MB7439A57B8667ED07A934A4B4B7A6A@SJ0PR02MB7439.namprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-tmn: [5ZdSfVyOQol0MAKjKN1LUM9abxJim7075Agyc4Ap5B/YUIeavVxbjyqQwrKd0Spf]
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SJ0PR02MB7439:EE_|LV3PR02MB9960:EE_
x-ms-office365-filtering-correlation-id: 4dd9dd05-9d50-496a-7191-08dbe11a6b3e
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /J+zyRvEQkMjiDvHbIK5GrojANUSI8d0/uFFP/fMAVHt3J/PFKNCvdaMaW3Z10Kp+LfzP1C8iU0NrB11a4TMO3Zl2gwhSMjcDwAcTo8C5bbtGkNLJqTrK596EqtZIxE+dX1PxqeL6nb9BojZeja+CDR5shCFmB6xpZmyQSjGkhGvV4cmwsHoPqOqY/W6bunmMby32hJiW67ZH3HN701p2Gd+EziFLlLsiZn1beJUk8ctrOlNetMLqajbHwIe9KYYuRH++1WHnaSNrYMwoU0VJQqMaDP0jjnsflAysftUaZpQ13HHhFQFDkz0EikBSaRXsEgWrSl90mwkSS6uKVmU63m1n9/WX/cTbOE42O1vY+bcKunf01P9/cjA6dW7nmEaHSR5aGuAgbxOm5W5eGB7mRDnxasGAiiOTZUTwK1h3Qmwh5Uwl7STHwnb5O/WL5X0MUEl7zZJNPcb6v1Bk/U6ee2jFdk6Jpnew1/LTsfJqlvPPLqQbctBgNIyexCQvmKK33NcONiiwkB+UaMOIOZQWlDBh+N1ozX0iT1DYaN+Oe4gygsnkfdoYur/whTW27zMwQEPdBDJ/KKdC/Z+DccVgCnrf26ldXKwPoFUe1xT/OiDWoK4/I601vbZun+9oYWdesj1CgM3VUMlK633ur9IYXrAQ4mBkgQ5tIKnn9q/hQ8=
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: JkESXPBuflujOL3VcUqyDqVUw1gen9bpm2oZjg9uEIQWxIgIX/AXWF73NEpj9umo9mSETBfB51DW+YpDHaEHx6N7CihYYkmBlE+IsoVU6CmoDoN8/V3hilR68XZ/QHxckjHmWT3LbJafqbbttyyZQeX7GMXD5CJ6fwNIRIBquJdJWN1jm9Zi8UQwjOOo9l40OMeyIpElbT0AIRvwiQEydUds8bPw/d35ZNSEzMtNp+DI3ZBrfdWzM7LkqREK8Gw73tu8o686s4BIKNPx/59RGLoFaEV74Az7yFyat4oSwlDFvZyV/24HkesvmWOjwUPDpRV6aChHf4MQXhTKE9nHGpLEl9tULOSmm8lsWZwbU8dqZRukHjDGcSwgxyAQgH1ADfBOrkvpxMjGrUCBNwX8pLhKHHZKca37IWhxJg3G1HSE28RzAyMEIOs79ETnf5L8O39iYOXDJoYzUiBUyCRse3XHCO8JNszUykXIlo87uv5sEjTny5iRj0DQelf3tTDX0wSCJT1cTqDay7luzotVc7nuCT6ySJzTs/1CkpEhqdvawFUB0L2PbBItOq1Yi+3XJnMEUBeQQOVNYJW3td925qeRtC1Naz7u1SpB2R8AV62RJTPdLHlc/uef+FFLJZ9WA+bmL065OTZHxAfoic/jN7uNSWi3vjjZB6rpVkKP47RBl2oKmqgmIiiHLFTPpnKoMhVsihaylH9Klmgk6YeodLz0qs77YPE+TuAa2L4Fc9tcsfChX7dLsfLw0HMI7fya2nQ+HYOLLE0l1ILjw9OECIjxY/kdrrTOcSzKrV+eVYXec0yMi0WY0ZN42n2FaWRiRCyG5usEiFlOOaWPLtvvZZkCVpo5MdSTIyo9UszBvMr0Cirg3s4vQGNgDLdMCdNhaZDxIkoTx79W8ioBJ76Sr4ONS19q9D43bDqueYlc5JcAo3Y1C8LlRthtBzWhLXbZKxIezVzXwADKV/LZsR84Y97RoOcTqOgPPOcsqnC0u/GggIHd5AgezZWKvyTgrhNJqJUCAEmsX8Tszm3YDvvswcMl/UQWOEApv6FuPNb11EJG4vAvqRkKL61PChX3+oKe8vBhW564I8r2TIvQ9hzSnbcG1wqdKttvGnqHIH6qdJdBGG3V1qsyjVfYSr7y0nnIXzLGaH1QMqfWO2jC4qGOb3iKUODoJHDJInMifXn/f2NHbpK5V2qzoz9vWdFod1NkI4fHk/xiBx2pDzIsZrCmGA0mX9Vta43NgoGmZF7Q8dodhbHdLtNO9JCapM2KoxEAN+0ugPa9kmK5kkgAA2F5xw==
Content-Type: multipart/alternative; boundary="_000_SJ0PR02MB743938825614A940E371AD56B7AFASJ0PR02MB7439namp_"
MIME-Version: 1.0
X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-99c3d.templateTenant
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR02MB7439.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 4dd9dd05-9d50-496a-7191-08dbe11a6b3e
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Nov 2023 11:52:58.7153 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV3PR02MB9960
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/mPMWKiPTSPYbI666vQdMKJLiBsY>
Subject: Re: [COSE] Iotdir telechat review of draft-ietf-cose-cwt-claims-in-headers-07
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2023 11:53:16 -0000

I created https://github.com/tplooker/draft-ietf-cose-cwt-claims-in-headers/pull/13 to describe the non-CBOR payload use case in response to Hannes’ IotDir review.  It also says that profiles define the semantics of the claims used, in response to further feedback from Carsten.

Reviews requested!

                                                       -- Mike

From: Michael Jones <michael_b_jones@hotmail.com>
Sent: Thursday, November 2, 2023 7:25 PM
To: lgl island-resort.com <lgl@island-resort.com>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Orie Steele <orie@transmute.industries>; iot-directorate@ietf.org; cose@ietf.org; draft-ietf-cose-cwt-claims-in-headers.all@ietf.org; last-call@ietf.org
Subject: RE: [COSE] Iotdir telechat review of draft-ietf-cose-cwt-claims-in-headers-07

Thanks, Lawrence.  I agree with your assessment.

In my reply to this thread yesterday, I wrote:
I’d be glad to beef up the description of those motivating use cases in the draft.  I believe that would go a long way in the direction that you suggested: “At a minimum I expect the use cases to be better explained. Under what circumstances is it a good idea to even consider this approach as a developer?”  Do you agree with that direction?

Do people agree with describing these use cases?  If so, I’ll work with Tobias to produce an updated draft that we can publish shortly – once the submission window reopens.  It will further improve the specification.

                                                       Best wishes,
                                                       -- Mike

From: lgl island-resort.com <lgl@island-resort.com<mailto:lgl@island-resort.com>>
Sent: Thursday, November 2, 2023 10:59 AM
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de<mailto:henk.birkholz@sit.fraunhofer.de>>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>>; Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>; iot-directorate@ietf.org<mailto:iot-directorate@ietf.org>; cose@ietf.org<mailto:cose@ietf.org>; draft-ietf-cose-cwt-claims-in-headers.all@ietf.org<mailto:draft-ietf-cose-cwt-claims-in-headers.all@ietf.org>; last-call@ietf.org<mailto:last-call@ietf.org>
Subject: Re: [COSE] Iotdir telechat review of draft-ietf-cose-cwt-claims-in-headers-07

Call it what you want, but there’s three choices here:

1) Publish without warnings (which might be OK because there’s no warnings about COSE, JOSE and CMS protected headers).

2) Publish with warnings (and add errata for COSE and JOSE?)

3) Do not publish because of the security problems

Seems like Hannes wants 3). I wouldn’t go that far.

I’m fine with 1), but probably in the minority on such these days.

LL




On Nov 2, 2023, at 10:11 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de<mailto:henk.birkholz@sit.fraunhofer.de>> wrote:

Hi Hannes,

if your "stack of parsing things" encounters an unprotected CWT claims set within a a well-defined COSE header parameter value, then interprets that unprotected CWT claims set like ti is a well-defined CWT, then somehow acquires semantics for that "CWT" that it found inside a COSE envelope, then interprets them, and then acts as if it were the contents of a stand-alone CWT with some semantics.... No -  I would not call that paranoia. But admittedly, I would not know what to call that.

Viele Grüße,

Henk

On 02.11.23 16:14, Hannes Tschofenig wrote:
Hi Orie,
just yesterday I learned about new OAuth security incident, see
https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
In this attack, from my understanding, the problem was that access token verification was not done properly.
Am I really too paranoid?
Ciao
Hannes
Am 02.11.2023 um 15:18 schrieb Orie Steele:
Everything is a security issue if you are paranoid enough.

Could a developer decide not to verify after decoding a header? Absolutely.

W3C Verifiable Credentials secured with "Data Integrity Proofs" show you unverified data by default.

Should future protocols give guidance to minimize the processing of untrusted data? Yes ( and I would argue without exception ).

Do we need to declare protocols unsafe, that do "heavy processing" of untrusted data up front, to discover keys, or other hints that aid with verification?

I don't think so, but I have spoken to engineers / standards people from other communities and some of them think the answer to this question should be "yes".

Pointing out that lots of people do this / W3C / OAUTH / OIDC does it, etc... does not counter their argument.

If anything, knowing that a weakness exists, and is widely deployed, encourages us to consider it a ripe target for attackers.

We should expect damage from attacks on code that processes untrusted data to be higher than attacks that succeed after verification / decryption.

I don't think JOSE / COSE experts should dismiss perceived weaknesses... and it's my understanding that this is a common perceived weakness of JOSE and COSE.

That being said, it's not something this particular document should be addressing in any substantial way.

It's a preexisting condition, one that's severity is disputed.

We've got examples of this principle being violated in different ways.

What W3C Verifiable Credentials do is several orders of magnitude worse than what OIDC does.
... it depends on what kind of processing ... any processing of untrusted data, creates a slippery slope.

We are talking about general guidance here... It applies to all COSE and JOSE, not just this draft.

Therefore, these concerns should be handled independently, for example in guidance or BCP documents.

All this to say, I agree with Laurence.

OS



On Thu, Nov 2, 2023 at 12:38 AM lgl island-resort.com<http://island-resort.com/> <http://island-resort.com<http://island-resort.com/>> <lgl@island-resort.com<mailto:lgl@island-resort.com>> wrote:

   Hi Hannes,

   On Nov 1, 2023, at 10:30 AM, Hannes Tschofenig
   <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>> wrote:

   You also agree with me that information in the protected header
   is often processed without prior security verification.
   I’m not sure we’re thinking the same here.

   I think there is no problem that calims-in-headers might be
   processed without verification.

   I think that because we process protected headers/parameters in
   CMS, COSE and JOSE without verification.

   If it’s not a security issue for CMS, COSE and JOSE, it’s not a
   security issue for claims-in-headers. CMS in particular goes back
   decades.
   LL



--


ORIE STEELEChief Technology Officerwww.transmute.industries

<https://transmute.industries<https://transmute.industries/>>


_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email