Re: Encryption beyond ws-security: JWE, encrypted content-coding, CMS or else

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 29 September 2020 16:44 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC85E3A0EFB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 29 Sep 2020 09:44:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.962
X-Spam-Level:
X-Spam-Status: No, score=-2.962 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, NICE_REPLY_A=-0.213, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mZEkWKrsZ8ZX for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 29 Sep 2020 09:44:35 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 558E43A0A35 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 29 Sep 2020 09:44:34 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1kNIhS-0000MT-1H for ietf-http-wg-dist@listhub.w3.org; Tue, 29 Sep 2020 16:41:58 +0000
Resent-Date: Tue, 29 Sep 2020 16:41:58 +0000
Resent-Message-Id: <E1kNIhS-0000MT-1H@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <anders.rundgren.net@gmail.com>) id 1kNIhN-0000Lc-Oi for ietf-http-wg@listhub.w3.org; Tue, 29 Sep 2020 16:41:53 +0000
Received: from mail-wr1-x434.google.com ([2a00:1450:4864:20::434]) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <anders.rundgren.net@gmail.com>) id 1kNIhM-0001Ru-9I for ietf-http-wg@w3.org; Tue, 29 Sep 2020 16:41:53 +0000
Received: by mail-wr1-x434.google.com with SMTP id k10so6167351wru.6 for <ietf-http-wg@w3.org>; Tue, 29 Sep 2020 09:41:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=qRF/JxWBUStMPzjp/1HxnQT9ypLhscmSnv2AP/V4/SU=; b=FDePv8AfYUJ5x3ASkS6VEMXP5nSq2mLFF+c68Jl0ttZWbzHKrRFan2tc9+7vscOFO+ HywPs3QfNoOSDsb6LC+odtwBSJoX6sAFVucSuPO60hEynC7LfUPbMGProbGuLUoY38dp cHmUvXe3xwogHp7I6OdRDd5iyKPe+snAS2vntA6w/PcK4kCppL7CTjPOdH28a5VsMVDz WAynDUn9tIjyWfSnegsQMirC/qr/2wOb3zvH3wdrom7OoIQk68k0qb+9NidY1F73GCRJ 1PSEoWEyPJp27bwOwZ4YKy2RafIMNARpPuhLTl/eIu7hYRt64mp4Lf2oP1TL8yKiQGRk w6Rg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=qRF/JxWBUStMPzjp/1HxnQT9ypLhscmSnv2AP/V4/SU=; b=XaNpQA4NERnGF00Xe2QnpxChMuMvEyy6nFFGSgOtpSYbpEa8cC7TIblvGMnJFZfwaD rD2I80y2THr9yQqSFphFSJUlh5OwqyPmMjktJaCqaSAjRm/EMb0/JMyi14f1jveYvOl9 5+pz+Ai9Dsmou6tbc1dJMcy1No8PpFZCx2iou1AMDUr8evxbZAlNXuTElyJnfTHD71Rk XF5MWEGr39QkvBkBBmAjHeFM4h6efkEsrRwW10YVpp0Z0C3L44wPfPRbWiqg1s/p1e7B HYOXhDRKH0GaSJuLDc/uvOykDH6Lz4iyiI+jdEge327JVGm3y8zj5/JHUjN3w6Drp2RY dFLQ==
X-Gm-Message-State: AOAM533JbLJQF5wZv3+O3KFpvAQGfPw9Wy27JTUsXW8WbDoLUU/ciw9V pRCbSg3Vtm7JMsb7RfVBwbE=
X-Google-Smtp-Source: ABdhPJy1J0BGzUAV88JlfxCss3AfaEV5jYcO2FuraYoB1aaC1uM9DGpNuB2S0Ufa9xGS3pwHyPJ4RQ==
X-Received: by 2002:adf:e690:: with SMTP id r16mr5237167wrm.15.1601397700803; Tue, 29 Sep 2020 09:41:40 -0700 (PDT)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id n3sm6290220wmn.28.2020.09.29.09.41.39 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 29 Sep 2020 09:41:39 -0700 (PDT)
To: Roberto Polli <robipolli@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Cc: Alexander.Hoose@fitko.de
References: <CAP9qbHU-Nkd-3rtL5zb1=C7Uvf+4Pb=ws73R7NF6q_2eVysrTg@mail.gmail.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <397b10f9-0be9-70fe-bc23-326d00d3b45b@gmail.com>
Date: Tue, 29 Sep 2020 18:41:38 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <CAP9qbHU-Nkd-3rtL5zb1=C7Uvf+4Pb=ws73R7NF6q_2eVysrTg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=2a00:1450:4864:20::434; envelope-from=anders.rundgren.net@gmail.com; helo=mail-wr1-x434.google.com
X-W3C-Hub-Spam-Status: No, score=-6.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1kNIhM-0001Ru-9I 481f0f5e74096b9e6513e95ea0f5dd8a
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Encryption beyond ws-security: JWE, encrypted content-coding, CMS or else
Archived-At: <https://www.w3.org/mid/397b10f9-0be9-70fe-bc23-326d00d3b45b@gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38068
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 2020-09-29 17:57, Roberto Polli wrote:
> Hi @all,
> 
> I'm trying to find a suitable way to replace ws-* for encrypting
> payload bodies with some other specification more suitable to a REST
> approach.
> It seems that the enterprise industry is still fond of JWE - but  I'd
> avoid it if I can, considering that a good library like google/tink is
> not going to implement it
> https://github.com/google/tink/issues/342#issuecomment-658450381
> moreover the specs
> 
> Leveraging the content-coding feature of HTTP, there's rfc8188 which
> seems interesting: still I don't know how many implementers are in the
> wild. Don't know if that mechanism can be extended to PKI encryption.
> Another solution could be CMS / S-mime.
> 
> What do you think/use/suggest?

I believe the use cases for encrypting an entire payload are pretty few,
and probably already implemented in applications like communication
software and copy protected media streaming.

FWIW, I'm working on alternatives to JWS and JWE that are based on
the recently published RFC 8785.  They are targeted at "information-
centric systems" using JSON, like Open Banking.

Thanx,
Anders

https://cyberphone.github.io/doc/security/jsf.html
https://cyberphone.github.io/doc/security/jef.html
https://mobilepki.org/jsf-lab/home

> 
> Thanks and regards,
> R.
>