Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf-cose-webauthn-algorithms-07: (with DISCUSS and COMMENT)
Mike Jones <Michael.Jones@microsoft.com> Thu, 11 June 2020 13:47 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C07E3A0860; Thu, 11 Jun 2020 06:47:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fAHU_QsUdAf6; Thu, 11 Jun 2020 06:47:01 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650136.outbound.protection.outlook.com [40.107.65.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43FA93A084B; Thu, 11 Jun 2020 06:47:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BS6wGliYeH/GA4uv89MD56XhZmiFVHop0E6/OfykXOZ/BflzIMrB/aHOyVs5ItqrMvFbNPzstkHQX+n86LMyI7L/++mXJWWwUblqDIKAgY5AhsSr6IHx4LhLEQcGPbRhMpdnQ/tNex0rwNTfmzUO1H+oBNPssXtzbD9pXJVizxo5yzWrqQPvX5TYwRVqKWnvjtbK7b6CuhdtDjiwQ+63/FtSEjiAb2GdsBDMA9naAuW80xhteIGAdwl841+LoJCd1CSIHuEKU52VCU83iscABOnO+2z2aCv96E3Cdb/P0DVJOUKcbN+7e3mT3CegeAjkZRwdDp4uSuxEFbuzjq/tEw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0WI+M3gffXaf3fnWg0WBhPtTRDGMlGbJVvdjf5UDAzM=; b=HyyzJ0Z2p+QaTkbL9Yd77HSTUKxhBvDPXqGWuvVh5/g7td/MsFr5difskTbkeQ1Jd6WdKM/f2L/TXiSNdUl6cN1UU3zLtI/Zz3LbDGu9/lyUZzkS+zNppwBMb9WBfOX694BA5nHb5T0i5o2C60ZYxSEsz1Asb2yi6nMDSywiMkN5sjLxyW7uCCeBtLHXt9mdvT4d5n512bwEw+eGxM5mhuIMIHwHsae2SgMNuFbIFu19StL0IfafbKFxOjsQ8918zmo/0pGuotadWALH80Aw9mS7zzDgUXSBsxs7vufRXnlduzOpQ/65Pjb9JyCOACygkErfZQs/SskcRCz2PlvqSA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0WI+M3gffXaf3fnWg0WBhPtTRDGMlGbJVvdjf5UDAzM=; b=KjSuRJpFz6wHLOIvdSPpti9qaHqfA/PjxXiQfN8tqqA7x3rnZ/nUBpd641A4H+C50V7fG7tV8/OtAMmLsbH5xq33r9vsr4CG/yUT2uY/HS7Bf5YE5GqDy0VeT92CYMPLy6Mr0j4Zq/l1xbM7Pv/bNr9S3c0KsexGR/qCAG3+H9Y=
Received: from DM6PR00MB0684.namprd00.prod.outlook.com (2603:10b6:5:21c::8) by DM6PR00MB0715.namprd00.prod.outlook.com (2603:10b6:5:21c::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3126.0; Thu, 11 Jun 2020 13:46:59 +0000
Received: from DM6PR00MB0684.namprd00.prod.outlook.com ([fe80::21bc:a480:7957:24c6]) by DM6PR00MB0684.namprd00.prod.outlook.com ([fe80::21bc:a480:7957:24c6%7]) with mapi id 15.20.3126.000; Thu, 11 Jun 2020 13:46:59 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-cose-webauthn-algorithms@ietf.org" <draft-ietf-cose-webauthn-algorithms@ietf.org>, "cose-chairs@ietf.org" <cose-chairs@ietf.org>, "cose@ietf.org" <cose@ietf.org>, Ivaylo Petrov <ivaylo@ackl.io>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-cose-webauthn-algorithms-07: (with DISCUSS and COMMENT)
Thread-Index: AdY/9sX256eDBIcnRX6tYZth4V/ozA==
Date: Thu, 11 Jun 2020 13:46:59 +0000
Message-ID: <DM6PR00MB06843A3C34DBFF71D48044FCF5800@DM6PR00MB0684.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=4c2bfec5-a739-4e1e-8006-0000b351dbcb; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-06-11T13:34:06Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 69e9a653-4d94-4b87-acfd-08d80e0de9f1
x-ms-traffictypediagnostic: DM6PR00MB0715:
x-microsoft-antispam-prvs: <DM6PR00MB07150E4E6D02EC334A23474FF5800@DM6PR00MB0715.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0431F981D8
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /LVW1oLcShLL4bKRE7zVizyrbFwATZKsrscK37ZhV7VcTCmwHlhmr5Nb+FUp0riJoGqUJSSP7w50Kqx5JHK24PDhtnd3N59uOg9n7uo/+n/k1qMiVGjbgUNE5IjQ175LC6iv0plKuqHKlnHw7APIOZpcCh54O2mhWY1m3KpKqOLmhpxU4qPXspUNcsy8/VKXmk+IQPZU1mHWyP0PCQ/2nL/RixKB75naXFxsYaBlMnOo4t1CIclC+bOvPliW6mHAilfaRrJTsQdG5F60RCCmMpPB0HQr7ICG4YTh8qfypqNdfcuXzrZ2jUmNcTWV/6P/6S4M8hy6qbveQqV2oES66OuAg+U/cfBN8+oXtJRniYi2QdFRcrpbDc6I245zys7H7sde1ORje3EYoZYwrBmZRg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR00MB0684.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(366004)(136003)(346002)(376002)(39860400002)(82960400001)(82950400001)(5660300002)(64756008)(66476007)(2906002)(66556008)(66446008)(52536014)(33656002)(86362001)(76116006)(66946007)(8990500004)(7696005)(71200400001)(478600001)(9686003)(316002)(55016002)(10290500003)(186003)(8936002)(8676002)(26005)(966005)(53546011)(6506007)(54906003)(83380400001)(4326008)(110136005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: lLF3gelLU5O7b9vByQQPHeyrYYRdCt4+otQ7a+r/wYBIGC1CyoLbs5TvUMD9d6gZBWJfUg8JK3Yh3i29UU8+jXK3Wj/zXkzZB5mojEa6OJL2of0cV8JFF+kPodJTMf3H+C89qqwvqashd3AcEKNRJVyHdtG2fJI4FY6ZQj580HuHh/wlOIQq1VdHqaD0aFupm0gZuauFwGXISKBzgH5+bp/XlkGLDf4r8ZqFCKO64Mkg2pDlytAdeyg8f26ZYoWIjr9nWudF1F3hRxXGzzxCrrpCi1zEOvpq8dz+Dyhn7Yedmai5aw1mgdMW/M1v4/wsav39SABSWllI5vQaeo4PY/xpEYFyH5/b+cqa599DyxpWucSGPjexovx/4/RuqRtLLZwmFmhuh72zLb0zAOxFo4GxfzUSqr9IfR5veOXZ/JeUQJtD4Ck8Fs5duinbeys2N6vVxC8m4Sm3NO1D2Uob+jVuyKfarafYK/vwagYQEpA=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 69e9a653-4d94-4b87-acfd-08d80e0de9f1
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jun 2020 13:46:59.4133 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: svzIO2n9bP2QIcdzr8yZ9OoInThrQ5fHUPLrX9/rOII1SapqfRKNxWP9nBf0roQSPf74fujWKlb/uMgZcYktAQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0715
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/KDuOEGCjAujawSbs4hgBVBB2wCI>
Subject: Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf-cose-webauthn-algorithms-07: (with DISCUSS and COMMENT)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jun 2020 13:47:04 -0000
Thanks for your review, Ben. The one point that you may want to actually discuss during the telechat is whether the document can remain standards track so that it qualifies for "Standards Action" registrations, as described below. My responses are inline below, prefixed by "Mike>". -----Original Message----- From: Benjamin Kaduk via Datatracker <noreply@ietf.org> Sent: Wednesday, June 10, 2020 9:21 PM To: The IESG <iesg@ietf.org> Cc: draft-ietf-cose-webauthn-algorithms@ietf.org; cose-chairs@ietf.org; cose@ietf.org; Ivaylo Petrov <ivaylo@ackl.io>; ivaylo@ackl.io Subject: Benjamin Kaduk's Discuss on draft-ietf-cose-webauthn-algorithms-07: (with DISCUSS and COMMENT) Benjamin Kaduk has entered the following ballot position for draft-ietf-cose-webauthn-algorithms-07: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-cose-webauthn-algorithms/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- As Roman notes, the conversion of secp256k1 to not-recommended in the -07 was incomplete: Table 2 and the prose below it still need to be adjusted. (Putting this in the discuss section so I remember to double-check it when the new revision arrives.) Mike> Sorry for not catching this in the last round of edits. I'll make these updates. Also, I think we need to more strongly reiterate the cross-algorithm risk, specifically mentioned in Section 2.1.1 of draft-ietf-cose-rfc8152bis-algs-09, regarding an attacker changing headers from secp256r1 to secp256k1 (or vice versa), and that the only known way to deal with this attack is to limit any given protocol participant to using at most one of the two curves. (AFAIK neither 'alg' nor 'crv' are required to be protected elements, so while limiting this curve to the ES256K algorithm helps in many cases, is not a fail-safe.) Mike> OK - I'll enhance this discussion along these lines. Finally, my apologies for not catching this earlier, but the COSE charter says that the WG deliverable to "define the algorithms needed for W3C Web Authentication for COSE" is to be an Informational document. It looks like we didn't notice that when the WG -00 was submitted and it has just been carried through unchanged. (Note, however, that the requested values for ES256K and secp256k1 are in the "Standards Action" range and would not be available for an informational document.) Mike> I'd prefer to keep the values in the "Standards Action" range, if we can do that. Is it possible to get the IESG to allow this document to remain standards track? I didn't realize that Informational RFCs didn't qualify for "Standards Action". ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Are we planning to update the section references from RFC 8152 to the bis documents also on this telechat? Mike> I only plan to update the references of the bis documents finish first. Section 2 I see that the IANA registry currently lists RS256 as Recommended:Deprecated, but this document lists it as Recommended:No. Which is correct? Mike> Good catch. It should be "No". I'll inform IANA. Section 3.1 preserved. If the uncompressed representation is used, the "y" value represented MUST likewise be exactly 256 bits, with any leading zeros preserved; if the compressed representation is used, the "y" value MUST be a boolean value, as specified in Section 13.1.1 of [RFC8152]. At least the "MUST be a boolean value" is fully redundant with RFC 8152, and might not need normative language. Mike> OK Section 3.3 This specification defines how to use the secp256k1 curve for ECDSA signatures for both JOSE and COSE implementations. While in theory, the curve could also be used for ECDH-ES key agreement, it is beyond the scope of this specification to state whether this is or is not advisable. Thus, whether to recommend its use with ECDH-ES is left for experts to decide in future specifications. This text doesn't really do a great job at reflecting the potential concerns/risks described at https://mailarchive.ietf.org/arch/msg/cose/kS25kvSH85dcyzZi1lcU2-6yDEE/ -- "there may be theoretical problems with the curve" seems worth noting! Mike> Thanks, I'll add this. Section 5.2 If we're going to mention exponent restrictions from Section 8.3 of RFC 7518 in Section 5.3, we should probably mention them here as well. Mike> OK Section 5.3 New COSE applications MUST NOT use this algorithm. Is it new applications, or new protocols, or something else? Mike> I can say "New COSE applications and protocols MUST NOT use this algorithm." Mike> Thanks again for the thorough review! -- Mike
- [COSE] Benjamin Kaduk's Discuss on draft-ietf-cos… Benjamin Kaduk via Datatracker
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Mike Jones
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Mike Jones