IETF Logo Mail Archive

Re: [jose] Deprecation of legacy algorithms

Brian Campbell <bcampbell@pingidentity.com> Tue, 05 March 2024 17:40 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E60A9C14F6A0 for <jose@ietfa.amsl.com>; Tue, 5 Mar 2024 09:40:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fpgRYy6o96zf for <jose@ietfa.amsl.com>; Tue, 5 Mar 2024 09:40:23 -0800 (PST)
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09457C180B66 for <jose@ietf.org>; Tue, 5 Mar 2024 09:40:23 -0800 (PST)
Received: by mail-io1-xd2a.google.com with SMTP id ca18e2360f4ac-7bc332d3a8cso365228239f.2 for <jose@ietf.org>; Tue, 05 Mar 2024 09:40:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1709660422; x=1710265222; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3DadybEVyjxIDVj3ZVWel6hH7Z2Za0wObN+pW7qYq0Q=; b=I+8+TpdZ+todYZ4Mrq7/QClA+lQtCUu5Sd21ijdPx/taECIJxKaFFI6DLJixuUEwgG Fi95NY9bu/S4sml4UsoLd/FiEORTRNKqMzWOljNTVS0MDIa4MGH63DerVBgx6vDTmn59 FHsMneXy7ujHFWdxLkc7q8EtyCWO5fXTc/nBBNgTPBV/iY6vYh+3RuMp5lVyqoRBy0Pu kJr/44d1GOgkrJnA+12jRd/COeSfIzG9YJpNbw2PC08ui82znKT4WmnyZsrBZ5nx/xya 1zLnv2bgtaIok2zG/ccMBBolH8sLfS56IMUoNP0Y4m6HOD0urSp9fAlvY/hJr87g3GbE G0ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709660422; x=1710265222; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3DadybEVyjxIDVj3ZVWel6hH7Z2Za0wObN+pW7qYq0Q=; b=ULSwB774M2pl65h668WctjlsWeqm5STi5N/YgXLiTFDWozSLo5jDtfXnT+Glu5xvW7 ZsIH+zwisU3RwbFUxzInAdbJb6yLdscr4F1vWXqunzIfIRn0G3mTGC33pIEHqQsCK0qU HRNvNvXMKsz/V5uAWZ1MilWxG1uxuLYqK6HmPc1cJ0DxOpjjCdO9MCEX/L89CM8niLOq Jamj7y+3bcR4WUiAbxtrBRx1qtF2IlFHSLdbZWe7wDI3v7bF2Ky+3nDsh3KP5mQMISN8 aG6a+Sqvx3V05dI3NnbeR6pB5ta7jdXBrEN/oa4U9/plA+sG8B2X73fV6yvXX39m+kvB KUgA==
X-Forwarded-Encrypted: i=1; AJvYcCW6GJI2w3S500uyneK0kLzV4DtEoOEMVL3b75VUaLoZFj6V3bCyTwfYkJrwVjQAqXamDGFXOqb33KzJjCBZ
X-Gm-Message-State: AOJu0Yz0D76ulal/9IPOaj+Du/aFG8QFZlRM9Eyp+EHh3ySDlSnTHJKS YmcAflzTTyI2NbFI11SS9el8IQzRruMsVE9ptJB0cwNvomZiF2TyyuYbAiuCdF8h2NyTTaWr7Yc gnYMS1ohBIvs/yck6wuHmZlHzLuOhLM3Q1GkJOcTLkY+Kant18+yIJoogxUzckAUoUZT+Y8YXQk hymb9I49lL
X-Google-Smtp-Source: AGHT+IHdC9IhlvG0bFZS10SujwBG4wIJYNh7DT4agAZU47MB0pS2kTgI4f96NEFC/kpD+SMAQV9mIMsEPc58GLY+tuc=
X-Received: by 2002:a05:6e02:1a8e:b0:363:e7c8:2180 with SMTP id k14-20020a056e021a8e00b00363e7c82180mr17597460ilv.12.1709660422174; Tue, 05 Mar 2024 09:40:22 -0800 (PST)
MIME-Version: 1.0
References: <30D0C208-4543-48C0-952D-59B57633C1EA@gmail.com> <SJ0PR02MB74391F8A6CA547FB2830163EB7222@SJ0PR02MB7439.namprd02.prod.outlook.com>
In-Reply-To: <SJ0PR02MB74391F8A6CA547FB2830163EB7222@SJ0PR02MB7439.namprd02.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 05 Mar 2024 10:39:47 -0700
Message-ID: <CA+k3eCT8uQFTakpapby3uKcSAyjv1ssZFBa4Qqi1cweW2jqQqQ@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
Cc: Neil Madden <neil.e.madden@gmail.com>, JOSE WG <jose@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000026a0320612ed56f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/0yvl5lqQWn8n15sAqcM0lm1bM8M>
Subject: Re: [jose] Deprecation of legacy algorithms
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 17:40:27 -0000

The JWE RSA1_5 alg is not required for OpenID Connect as far as I know?

On Tue, Mar 5, 2024 at 9:39 AM Michael Jones <michael_b_jones@hotmail.com>
wrote:

> I would not support deprecation of either of these algorithms.  They are
> both required for OpenID Connect and are in extremely widespread use.
>
>
>
> *From:* jose <jose-bounces@ietf.org> *On Behalf Of *Neil Madden
> *Sent:* Tuesday, March 5, 2024 7:57 AM
> *To:* JOSE WG <jose@ietf.org>
> *Subject:* [jose] Deprecation of legacy algorithms
>
>
>
> Hi all,
>
>
>
> Leaving aside all the exciting work on shiny new algorithms to *add* to
> JOSE, I would like to raise the prospect of deprecating some existing
> algorithms that have passed their best. Before I start work on writing the
> drafts for these, I'd like to gauge if there is some support or this is
> likely to be wasted effort. The algorithms I think that should be
> deprecated are:
>
>
>
> RSA1_5 - currently marked as Recommended- in the IANA registry. PKCS#1
> v1.5 padding for encryption has been a source of repeated vulnerabilities
> over the years, and they keep cropping up. I believe the main reason this
> exists at all was to allow continued use of legacy hardware, in particular
> where FIPS approval was required. However, PKCS#1 v1.5 padding has been
> forbidden by FIPS (for encryption) since the end of this 2023 [1]. If
> someone is really stuck with a hardware device that only supports this
> encryption mode then they can use it to encrypt local files containing keys
> for other algorithms rather than using it directly.
>
>
>
> none - I know this one is more controversial in some quarters, but
> alg=none has been responsible for a steady stream of serious security
> vulnerabilities, and even spawned its own website:
> https://www.howmanydayssinceajwtalgnonevuln.com. I'm not sure there has
> actually been a year where this algorithm *hasn't* caused a vulnerability.
> I've yet to see a genuine use-case for it in the wild. The pain:gain ratio
> on this algorithm is extremely high.
>
>
>
> I would also like to write a draft (either combined with the above or
> separate) that establishes some baseline security properties for future
> algorithm registrations:
>
>
>
> * All signature algorithms MUST achieve unforgeability under chosen
> message attack (EUF-CMA).
>
> * All encryption algorithms MUST achieve at least IND-CCA2.
>
>
>
> [1]:
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf (see
> table 5 on page 15)
>
>
>
> Thoughts?
>
>
>
> -- Neil
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email