Re: [jose] SPI - KID conflict -- Re: SPI proposal

Richard Barnes <rlb@ipv.sx> Thu, 07 February 2013 14:40 UTC

In-Reply-To: <51134B1B.6010109@gmx.net>
References: <CAL02cgSt7w5CrP+DXo7bz_+YsxKsVMoRbZLNWa6EHjnAyScWMg@mail.gmail.com> <51134B1B.6010109@gmx.net>
Date: Thu, 7 Feb 2013 09:40:21 -0500
Message-ID: <CAL02cgTYBBCr95atASvQ+7gQK8gH3B2+ebyZO82Q=iSwQxt3AQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] SPI - KID conflict -- Re: SPI proposal

As I understood it, 'kid' identifies a key, not the whole collection of
security parameters.  But if that's not the case, sure, we can use 'kid'.

In either case, apparently the spec needs to be clarified.


On Thu, Feb 7, 2013 at 1:35 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi Richard,
>
> when I tried to use the JW* specifications in OAuth my assumption was that
> the kid (key id) provides exactly the purpose you outline below (and call
> spi). (Btw, I prefer kid rather than SPI).
>
> The only problem with the KID, as I raised on the list before, is that it
> should be in the header and not in the body (since otherwise it would not
> be visible when the data inside the body is encrypted).
>
> Ciao
> Hannes
>
> On 02/07/2013 12:11 AM, Richard Barnes wrote:
>
>> To move us toward closing Issue #9 [9], here is some proposed text for
>> an SPI [1] field.  To recall, SPI stands for "security parameters
>> index", borrowing a term from IPsec.  The idea is that in cases where
>> the same crypto parameters are being used repeatedly, this would save
>> the parties from having to re-send the same parameters.
>>
>> The below text is designed for the JWE spec, but could be adapted for
>> JWS (just keep header, ignore part about key/iv).  Similar text is
>> probably needed for the encryption/decryption/signing/verification
>> sections.
>>
>> Feedback welcome,
>> --Richard
>>
>> -----BEGIN-----
>> Section 4.1.X. "spi" Header Parameter
>>
>> The "spi" (Security Parameters Index) header parameter contains an
>> opaque byte string that labels a set of security parameters.  This index
>> is designed to enable the use of smaller headers in cases where entities
>> will be re-using the same security parameters for several messages.
>>
>> Entities supporting the use of the "spi" parameter MUST maintain a table
>> of cached security parameters.  When an entity receives an object whose
>> header contains both "spi" and "alg" values, then it MUST cache the
>> following values from the JWE, indexed by the "spi" value:
>> -- Contents of the JWE header
>> -- Encrypted Key
>> -- Initialization Vector
>>
>> If an object contains an "spi" parameter but no "alg" parameter, then
>> it MUST NOT contain an Encrypted Key or Initialization Vector.  That is,
>> it will have the form "header.ciphertext.integrity_value".  When a
>> recipient receives such an object, it uses the "spi" value to retrieve
>> cached header, key, and initialization vector and reconstructs a full
>> JWE.  This full JWE can then be further processed according to the
>> normal JWE processing rules.  If the recipient has no cached parameters
>> for the "spi" value, the process MUST fail.
>> -----END-----
>>
>>
>> [9] http://tools.ietf.org/wg/jose/trac/ticket/9
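As an added illustration that is not part of this thread, the following Python sketches the cache-and-reconstruct behaviour described in Richard's proposed "spi" text: a full object (header with both "spi" and "alg") populates the table, an abbreviated object (header with "spi" only) is expanded from it, and a cache miss fails. It assumes the five-part compact serialization of the JWE drafts of that time (header.encrypted_key.iv.ciphertext.integrity_value); the header values and class name are constructed for the example.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used for JOSE compact parts."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SpiCache:
    """Table of cached security parameters, indexed by the "spi" value
    (constructed example; not a JOSE library API)."""

    def __init__(self):
        self._table = {}

    def process(self, compact: str) -> str:
        """Return a full five-part JWE string ready for normal processing."""
        parts = compact.split(".")
        header = json.loads(b64url_decode(parts[0]))
        spi = header.get("spi")
        if spi is None:
            return compact  # "spi" mechanism not in use; pass through
        if "alg" in header:
            # Full object: cache header, Encrypted Key and IV under "spi".
            if len(parts) != 5:
                raise ValueError("full JWE must have five parts")
            self._table[spi] = (parts[0], parts[1], parts[2])
            return compact
        # Abbreviated object: MUST have the form header.ciphertext.integrity_value
        if len(parts) != 3:
            raise ValueError("abbreviated object MUST NOT carry key or IV")
        cached = self._table.get(spi)
        if cached is None:
            # No cached parameters for this "spi": the process MUST fail.
            raise LookupError("no cached parameters for spi %r" % spi)
        hdr, enc_key, iv = cached
        return ".".join([hdr, enc_key, iv, parts[1], parts[2]])
```

Because every abbreviated message is reconstructed with the same cached Encrypted Key and Initialization Vector, all of them share one IV under one content encryption key; for AES-GCM that reuse breaks both confidentiality and integrity, and for AES-CBC it leaks equality of plaintext prefixes, so a deployable version would need fresh per-message IVs.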