[jose] WGLC comments from Mike Jones on draft-ietf-jose-cfrg-curves-02
Mike Jones <Michael.Jones@microsoft.com> Wed, 15 June 2016 03:28 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A802112D59B for <jose@ietfa.amsl.com>; Tue, 14 Jun 2016 20:28:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZMDqBz7wzA7h for <jose@ietfa.amsl.com>; Tue, 14 Jun 2016 20:28:42 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0109.outbound.protection.outlook.com [65.55.169.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 975CC12D0DA for <jose@ietf.org>; Tue, 14 Jun 2016 20:28:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Sx6fUI9hPtFCttYiCRKkm9iRJfJMaHDMhxPmqb13z4s=; b=gDXTSIGCXQgjtQWaIqQHtbGrwQKeJu3AY7wMliE9K9/SqZXpk1anFVhCKJdzIBt42nUStJl/NBND7MzNUiuRzqaVDBg7Ze3ZnUvo84DElit7lMZvsQM3nmnIsGATbw0ANb9xao9KxkaCmPcyf7+Lr/uQlSOj58AODFf7xVUjC6A=
Received: from SN1PR0301MB1645.namprd03.prod.outlook.com (10.162.130.139) by SN1PR0301MB1645.namprd03.prod.outlook.com (10.162.130.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.517.8; Wed, 15 Jun 2016 03:28:39 +0000
Received: from SN1PR0301MB1645.namprd03.prod.outlook.com ([10.162.130.139]) by SN1PR0301MB1645.namprd03.prod.outlook.com ([10.162.130.139]) with mapi id 15.01.0517.011; Wed, 15 Jun 2016 03:28:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "jose@ietf.org" <jose@ietf.org>
Thread-Topic: WGLC comments from Mike Jones on draft-ietf-jose-cfrg-curves-02
Thread-Index: AdHGtI9mYRUHQSbhQ8S+7MAQubfAdQ==
Date: Wed, 15 Jun 2016 03:28:38 +0000
Message-ID: <SN1PR0301MB1645CB221341960B88E732B8F5550@SN1PR0301MB1645.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [2001:4898:80e8:3::650]
x-ms-office365-filtering-correlation-id: e9d56d8a-6ad7-4e5b-07ff-08d394cd2478
x-microsoft-exchange-diagnostics: 1; SN1PR0301MB1645; 6:UxKKtIDKAHPb7picIM4eOachcooWUkCYZVGwbKP9ZGRoFb/2rPlXs6RcCJ0kU0yTGvijRzibkyDgUunVz2HOhxJFXQOp07PVCs3TWxZfZ//7dAcEUjczwHpVXq2woq3TZCb6PPTQTRc2ErGECXlptxx65qOeJP/2w4iFBLZhL3aS5JcsR5mO9Jfjj9kEgn49/ohPtWmARMmWoNFFgVd5m0ANH1tuUfG8+t+rCTRTRrm2SYsGRIaUQ25PhgmKlQRT5Za9TBFluNdjf+bmA0FxifNM6fKXyZ/3BHlysV8lrbk5jNfw2s1OlpEfDbdZREo1; 5:Ctty6aZN9ISIU4TnpFROd1tPY7BlDHsYu0aspFurNeGwZrlte8wb47prdKvbBzsZ1V14uFrErf0aCAnBcglIGwAKRmO6NpK9fzgid6wqp9nNi0hUYwzhnPaI89zs7PKqWSRTl1OTZag+GdcqAlCwoA==; 24:KbzzvnYT6+5skVH56pJKvIa27UFz/n0LdDXnZcKS4U+rkKFm6D2AdZMDWwrxlAW3W3NJNVPjto6XhSmH07q260xRxw/FGWJ7GvJF5al0oLw=; 7:DSalCFw6rZPJw+1z/j/Ms6bnwHgYKizW0t0CGgP8PWTNzxUWZKpe+WzYoH3lgHgHiALmJl3/LVYnzUReUpmWD6lsQ0FS2fqf80qzHtawSy2kEtTuJ5RxJDoTK8RpgxPfahkQGUCoMD1VHe5nKesZ7Wxa8dsRC8RGX8gjUYeaAhFZf0AbPohX9i7Qr4rUAgQxTpgDYTHb+lLHTMNxeiTxbsDZ8d5qkXqOFizkdBg4sv0=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SN1PR0301MB1645;
x-microsoft-antispam-prvs: <SN1PR0301MB1645442D67A0038E52182730F5550@SN1PR0301MB1645.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415321)(61425038)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038); SRVR:SN1PR0301MB1645; BCL:0; PCL:0; RULEID:; SRVR:SN1PR0301MB1645;
x-forefront-prvs: 09749A275C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(189002)(199003)(43784003)(76576001)(87936001)(189998001)(33656002)(15975445007)(5002640100001)(77096005)(5004730100002)(74316001)(19580395003)(2900100001)(54356999)(3660700001)(50986999)(19625215002)(97736004)(99936001)(110136002)(81156014)(68736007)(229853001)(5008740100001)(101416001)(92566002)(3280700002)(5630700001)(5640700001)(86612001)(5003600100002)(81166006)(8676002)(1730700003)(6116002)(99286002)(4326007)(2906002)(105586002)(106356001)(2351001)(16236675004)(5890100001)(122556002)(86362001)(230783001)(2501003)(10400500002)(10090500001)(10290500002)(5005710100001)(8936002)(8990500004)(19300405004)(586003)(11100500001)(102836003)(790700001)(9686002)(3826002)(569005); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR0301MB1645; H:SN1PR0301MB1645.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; CAT:NONE; LANG:en; CAT:NONE;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/mixed; boundary="_004_SN1PR0301MB1645CB221341960B88E732B8F5550SN1PR0301MB1645_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jun 2016 03:28:38.8862 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR0301MB1645
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/1y2Z3oP7_mNqfSI4WY2I_kDtWKM>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>
Subject: [jose] WGLC comments from Mike Jones on draft-ietf-jose-cfrg-curves-02
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2016 03:28:46 -0000
This is a straightforward document that presents its subject clearly. All but two of my comments propose corrections to editorial nits. Rather than having lots of comments like "please add 'the' here...", I've produced an edited version containing my proposed changes. It is attached, with diffs also following in the body of this message.
The one normative change suggested is as follows. Section 3.2.1 "Performing the ECDH Operation" currently says "The output is the value for "x" parameter of "epk" field". This should be changed instead to "The base64url encoding of the output is the value for the "x" parameter of the "epk" field".
In Appendix A.3 "JWK Thumbprint Canonicalization", I also propose supplying a base64url encoded version of the JWK Thumbprint value. I added this to the edited draft attached.
Thanks again, Ilari,
-- Mike
diff draft-ietf-jose-cfrg-curves-02.xml draft-ietf-jose-cfrg-curves-02+Mike.xml
36,37c36,37
< <t>This document defines how to use Diffie-Hellman algorithms "X25519" and "X448" as well
< as signature algorithms "Ed25519" and "Ed448" from IRTF CFRG elliptic
---
> <t>This document defines how to use the Diffie-Hellman algorithms "X25519" and "X448" as well
> as the signature algorithms "Ed25519" and "Ed448" from the IRTF CFRG elliptic
48c48
< signature algorithms ("Ed25519" and "Ed448");
---
> signature algorithms ("Ed25519" and "Ed448";
52,53c52,53
< <t>This document defines the conventions to be used in context of <xref target="RFC7517" />
< and <xref target="RFC7518" /></t>
---
> <t>This document defines the conventions to be used in the context of <xref target="RFC7517" />
> and <xref target="RFC7518" />.</t>
57,58c57,58
< sufficient for the purposes of JOSE and are much easier to use (e.g. trying to apply ECDSA
< to those curves leads to nasty corner-cases and produces odd results).</t>
---
> sufficient for the purposes of JOSE and are much easier to use. (Trying to apply ECDSA
> to those curves leads to nasty corner-cases and produces odd results.)</t>
61,62c61,62
< be octet strings, with the exception of output of verification function, which is a
< boolean.</t>
---
> be octet strings, with the exception of outputs of verification functions, which are
> booleans.</t>
71c71
< <section anchor="okp-keytype" title="Key type 'OKP'">
---
> <section anchor="okp-keytype" title='Key Type "OKP"'>
76,81c76,81
< <t>The parameter "crv" MUST be present, and contain the subtype of the key (from "JSON
< Web Elliptic curve" registry).</t>
< <t>The parameter "x" MUST be present, and contain the public key encoded using
< base64url <xref target="RFC4648" /> encoding.</t>
< <t>The parameter "d" MUST be present for private keys, and contain the private key
< encoded using base64url encoding. This parameter MUST NOT be present for public
---
> <t>The parameter "crv" MUST be present and contain the subtype of the key (from the "JSON
> Web Elliptic Curve" registry).</t>
> <t>The parameter "x" MUST be present and contain the public key encoded using
> the base64url <xref target="RFC4648" /> encoding.</t>
> <t>The parameter "d" MUST be present for private keys and contain the private key
> encoded using the base64url encoding. This parameter MUST NOT be present for public
85,86c85,86
< "crv" and "x" parameters (for instance, this key type could be extended to represent DH
< algorithms based on hyperelliptic surfaces).
---
> "crv" and "x" parameters. (For instance, this key type could be extended to represent DH
> algorithms based on hyperelliptic surfaces.)
88,89c88,89
< <t>When calculating thumbprints <xref target="RFC7638" />, the three public key fields are
< included in the hash. That is, in lexicographic order: "crv", "kty" and
---
> <t>When calculating JWK Thumbprints <xref target="RFC7638" />, the three public key fields are
> included in the hash input in lexicographic order: "crv", "kty", and
101c101
< "crv" EdDSA variant
---
> "crv" EdDSA Variant
119c119
< signature is valid, otherwise signature is invalid.</t>
---
> signature is valid; otherwise, the signature is invalid.</t>
122c122
< <section title="ECDH-ES">
---
> <section anchor="ECDH-ES" title="ECDH-ES">
127c127
< "crv" ECDH Function applied
---
> "crv" ECDH Function Applied
135c135
< <t><xref target="RFC7518" /> section 4.6 defines the ECDH-ES algorithms
---
> <t><xref target="RFC7518" /> Section 4.6 defines the ECDH-ES algorithms
138c138
< <section title="Performing the ECDH operation">
---
> <section title="Performing the ECDH Operation">
140c140
< <t>The "x" parameter of "epk" field is set as follows:</t>
---
> <t>The "x" parameter of the "epk" field is set as follows:</t>
143,144c143,145
< input) and the standard basepoint (as u-coordinate input). The output is the
< value for "x" parameter of "epk" field. All inputs and outputs are octet
---
> input) and the standard basepoint (as u-coordinate input).
> The base64url encoding of the output is the value for the "x" parameter of the "epk" field.
> All inputs and outputs are octet
164c165
< key. To do otherwise opens system up to attacks via mixing up algorithms. It is particularly
---
> key. To do otherwise opens the system up to attacks via mixing up algorithms. It is particularly
167,168c168,169
< <t>Although for Ed25519 and Ed448 the signature binds the key used for signing, do not
< assume this, as there are many signature algorithms that fail to make such binding. If
---
> <t>Although for Ed25519 and Ed448, the signature binds the key used for signing, do not
> assume this, as there are many signature algorithms that fail to make such a binding. If
172c173
< <t>If key generation or batch signature verification is performed, a well-seed
---
> <t>If key generation or batch signature verification is performed, a well-seeded
177,179c178,180
< in key exchange such could be a bad mistake, here either receiver public key has to be
< chosen maliciously or the sender has to be malicious in order to cause problems. And in
< either case, all security evaporates anyway.</t>
---
> in key exchange such could be a bad mistake, here either the receiver public key has to be
> chosen maliciously or the sender has to be malicious in order to cause problems. In
> either case, all security evaporates.</t>
187c188
< <t>Mike Jones for comments on initial pre-draft.</t>
---
> <t>Thanks to Michael B. Jones for his comments on an initial pre-draft.</t>
192c193
< <t>The following is added to JSON Web Key Types Registry:</t>
---
> <t>The following is added to the "JSON Web Key Types" registry:</t>
201c202
< <t>The following is added to JSON Web Key Parameters Registry:</t>
---
> <t>The following is added to the "JSON Web Key Parameters" registry:</t>
229c230
< <t>The following is added to JSON Web Signature and Encryption Algorithms Registry:</t>
---
> <t>The following is added to the "JSON Web Signature and Encryption Algorithms" registry:</t>
236c237
< <t>Specification Document(s): Section 3.1 of [RFC-THIS]</t>
---
> <t>Specification Document(s): <xref target="algorithms"/> of [RFC-THIS]</t>
240c241
< <t>The following is added to JSON Web Key Elliptic Curve Registry:</t>
---
> <t>The following is added to the "JSON Web Key Elliptic Curve" registry:</t>
246c247
< <t>Specification Document(s): Section 3.1 of [RFC-THIS]</t>
---
> <t>Specification Document(s): <xref target="algorithms"/> of [RFC-THIS]</t>
254c255
< <t>Specification Document(s): Section 3.1 of [RFC-THIS]</t>
---
> <t>Specification Document(s): <xref target="algorithms"/> of [RFC-THIS]</t>
262c263
< <t>Specification Document(s): Section 3.2 of [RFC-THIS]</t>
---
> <t>Specification Document(s): <xref target="ECDH-ES"/> of [RFC-THIS]</t>
271c272
< <t>Specification Document(s): Section 3.2 of [RFC-THIS]</t>
---
> <t>Specification Document(s): <xref target="ECDH-ES"/> of [RFC-THIS]</t>
294,296c295,298
< <t>To the extent possible, the examples use material lifted from test vectors of
< <xref target="RFC7748"/> and <xref target="I-D.irtf-cfrg-eddsa"/></t>
< <section title="Ed25519 private key">
---
> <t>To the extent possible, the examples use material taken from test vectors of
> <xref target="RFC7748"/> and <xref target="I-D.irtf-cfrg-eddsa"/>.</t>
>
> <section title="Ed25519 Private Key">
307c309
< <t>And of the public key:</t>
---
> <t>And of the public key is:</t>
313,314c315,316
< <section title="Ed25519 public key">
< <t>This is the public parts of the previous private key (just omits "d"):</t>
---
> <section title="Ed25519 Public Key">
> <t>This is the public parts of the previous private key (which just omits "d"):</t>
320,322c322,324
< <section title="JWK thumbprint canonicalization">
< <t>The JWK thumbprint canonicalization of the two above examples is (linebreak
< inserted for formatting reasons)</t>
---
> <section title="JWK Thumbprint Canonicalization">
> <t>The JWK Thumbprint canonicalization of the two above examples (with linebreak
> inserted for formatting reasons) is:</t>
327,328c329,332
< <t>Which has the SHA-256 hash of:
< 90facafea9b1556698540f70c0117a22ea37bd5cf3ed3c47093c1707282b4b89</t>
---
> <t>Which has the SHA-256 hash (in hexadecimal) of
> 90facafea9b1556698540f70c0117a22ea37bd5cf3ed3c47093c1707282b4b89,
> which results in the base64url encoded JWK Thumbprint representation of
> "kPrK_qmxVWaYVA9wwBF6Iuo3vVzz7TxHCTwXBygrS4k".</t>
335c339
< <t>This has base64url encoding of:</t>
---
> <t>This has the base64url encoding of:</t>
343c347
< <t>This has base64url encoding of:</t>
---
> <t>This has the base64url encoding of:</t>
352,353c356,357
< <t>Applying Ed25519 signing algorithm to the private key, public key and the JWS
< signing input yields signature (hex):</t>
---
> <t>Applying the Ed25519 signing algorithm using the private key, public key, and the JWS
> signing input yields the signature (hex):</t>
365,366c369,370
< <t>So the compact serialization of JWS is (concatenation of signing input, a dot and
< base64url encoding of the signature:</t>
---
> <t>So the compact serialization of the JWS is (concatenation of signing input, a dot, and
> base64url encoding of the signature):</t>
380c384
< <t>This has 2 dots in it, so it might be valid JWS. Base64url decoding the protected
---
> <t>This has 2 dots in it, so it might be valid a JWS. Base64url decoding the protected
385c389
< <t>So this is EdDSA signature. Now the key has: "kty":"OKP" and "crv":"Ed25519", so
---
> <t>So this is an EdDSA signature. Now the key has: "kty":"OKP" and "crv":"Ed25519", so
392c396
< the signature yields true. So the signature is valid. The message is base64 decoding
---
> the signature yields true. So the signature is valid. The message is the base64url decoding
395c399
< Example of Ed25519 signing
---
> Example of Ed25519 Signing
404c408
< <t>The public key from target key is (hex):</t>
---
> <t>The public key from the target key is (hex):</t>
419c423
< <t>This is packed into ephemeral public key value:</t>
---
> <t>This is represented as the ephemeral public key value:</t>
424c428
< <t>So the protected header could for example be:</t>
---
> <t>So the protected header could, for example, be:</t>
430c434
< <t>And sender computes as the DH Z value as X25519(ephkey,recv_pub) (hex):</t>
---
> <t>And the sender computes as the DH Z value as X25519(ephkey,recv_pub) (hex):</t>
440,441c444,445
< <t>Which is the same as sender's value (the both sides run this through KDF before
< using as direct encryption key or AES128-KW key).</t>
---
> <t>Which is the same as the sender's value (the both sides run this through the KDF before
> using it as a direct encryption key or AES128-KW key).</t>
444c448
< <t>The public key to encrypt to is (linebreak inserted for formatting reasons):</t>
---
> <t>The public key to encrypt to (with linebreak inserted for formatting reasons) is:</t>
446c450
< {"kty":"OKP","crv":"X448","kid":"Dave"
---
> {"kty":"OKP","crv":"X448","kid":"Dave",
485c489
< <t>And sender computes as the DH Z value as X448(ephkey,recv_pub) (hex):</t>
---
> <t>And the sender computes as the DH Z value as X448(ephkey,recv_pub) (hex):</t>
499c503
< <t>Which is the same as sender's value (the both sides run this through KDF before
---
> <t>Which is the same as the sender's value (the both sides run this through KDF before
- Re: [jose] WGLC comments from Mike Jones on draft… Ilari Liusvaara
- [jose] WGLC comments from Mike Jones on draft-iet… Mike Jones