[jose] Comments on draft-barnes-jose-spi-00

"Jim Schaad" <ietf@augustcellars.com> Tue, 02 April 2013 15:58 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BDD921F8BD7 for <jose@ietfa.amsl.com>; Tue, 2 Apr 2013 08:58:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EL-6HJt9k9K0 for <jose@ietfa.amsl.com>; Tue, 2 Apr 2013 08:58:54 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id 8963E21F8B9C for <jose@ietf.org>; Tue, 2 Apr 2013 08:58:54 -0700 (PDT)
Received: from Philemon (unknown [207.55.8.2]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id D808238F0E; Tue, 2 Apr 2013 08:58:53 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: draft-barnes-jose-spi@tools.ietf.org
Date: Tue, 02 Apr 2013 08:58:18 -0700
Message-ID: <005301ce2fba$e4c68100$ae538300$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0054_01CE2F80.3869F2F0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac4vue6obQLednUzQFaZUQMA+jFf/g==
Content-Language: en-us
Cc: jose@ietf.org
Subject: [jose] Comments on draft-barnes-jose-spi-00
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 15:58:55 -0000

Richard,

 

There is not yet sufficient detail in this document for me to do a proper
evaluation of how things are going to work.  Example questions that I have.

 

1.        What headers are required and which can  be implicit - for example
can the algorithm fields be implicit in the SPI?

2.       Are the integrity value computed across the fully populated header
or the SPI header?

3.       Is there a way to forward a message from person A which knows the
SPI values and person B which does not?

4.       What is the correct algorithm for determining the JWS vs JWE in the
event that all of the algorithms are implicit

5.       What happens if you have implicit parameters and explicit
parameters and they do not match?

6.       Is there a recommended way to determine what the SPI parameters are
going to be?  Does the application need to pre-parse the message to get the
SPI value or is there a recommendation that some type of callback be
included

7.       Can you make things like the IV be implicit?  Thus agree on a
starting value and an increment and compute the new IV for each new message

8.       If you are requiring that the values be populated by the
application - does this require that you have a canonical encoding of how
those values are placed into the header for the purposes of the integrity
check?

 

Jim