IETF Logo Mail Archive

Re: [jose] order of step for encryption. JWE section 5

Mike Jones <Michael.Jones@microsoft.com> Mon, 20 August 2012 18:12 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15A6021F86BE for <jose@ietfa.amsl.com>; Mon, 20 Aug 2012 11:12:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.84
X-Spam-Level:
X-Spam-Status: No, score=-3.84 tagged_above=-999 required=5 tests=[AWL=-0.241, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0E2zgyBFkfQ4 for <jose@ietfa.amsl.com>; Mon, 20 Aug 2012 11:12:13 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe002.messaging.microsoft.com [213.199.154.205]) by ietfa.amsl.com (Postfix) with ESMTP id DF98421E8049 for <jose@ietf.org>; Mon, 20 Aug 2012 11:12:12 -0700 (PDT)
Received: from mail38-am1-R.bigfish.com (10.3.201.251) by AM1EHSOBE005.bigfish.com (10.3.204.25) with Microsoft SMTP Server id 14.1.225.23; Mon, 20 Aug 2012 18:12:12 +0000
Received: from mail38-am1 (localhost [127.0.0.1]) by mail38-am1-R.bigfish.com (Postfix) with ESMTP id D7464380069; Mon, 20 Aug 2012 18:12:11 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -29
X-BigFish: VS-29(zz9371I542M1432I111aI1447Izz1202hzz1033IL8275dhz2fh2a8h668h839h944hd25hf0ah107ah1155h)
Received-SPF: pass (mail38-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail38-am1 (localhost.localdomain [127.0.0.1]) by mail38-am1 (MessageSwitch) id 1345486328154949_12153; Mon, 20 Aug 2012 18:12:08 +0000 (UTC)
Received: from AM1EHSMHS003.bigfish.com (unknown [10.3.201.254]) by mail38-am1.bigfish.com (Postfix) with ESMTP id 1ABA840044; Mon, 20 Aug 2012 18:12:08 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS003.bigfish.com (10.3.207.103) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 20 Aug 2012 18:12:04 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.176]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0309.003; Mon, 20 Aug 2012 18:11:58 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] order of step for encryption. JWE section 5
Thread-Index: Ac1y1wQPutAF2XyLQPOP3bTnOMCRMwALGibgAHLgNQACjA8d0A==
Date: Mon, 20 Aug 2012 18:11:57 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943667A2030@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CE8995AB5D178F44A2154F5C9A97CAF402517DB698C5@HE111541.emea1.cds.t-internal.com> <4E1F6AAD24975D4BA5B1680429673943667537AF@TK5EX14MBXC285.redmond.corp.microsoft.com> <015001cd74ce$ee7a7460$cb6f5d20$@augustcellars.com>
In-Reply-To: <015001cd74ce$ee7a7460$cb6f5d20$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.76]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [jose] order of step for encryption. JWE section 5
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2012 18:12:14 -0000

The problem is that sub-lists are formatted with the same indentation as the lists that enclose them.

-----Original Message-----
From: Jim Schaad [mailto:ietf@augustcellars.com] 
Sent: Tuesday, August 07, 2012 12:01 PM
To: Mike Jones; jose@ietf.org
Subject: RE: [jose] order of step for encryption. JWE section 5

Mike,

What is you issue of dealing with lists inside of lists for xml2rfc - is it just a question of how things are formatted?  If so then this is an issue that can be left to the RFC Editor.  Such formatting should be improved in general over the next few months as the new version of xml2rfc processing starts to get fully tested and rolled out.

If the problem is something else, I would be interested in hearing what it is.

> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf 
> Of Mike Jones
> Sent: Sunday, August 05, 2012 5:20 AM
> To: Axel.Nennker@telekom.de; jose@ietf.org
> Subject: Re: [jose] order of step for encryption. JWE section 5
> 
> Thanks for the careful read, Axel.  I'll work to make the write-up of 
> the
steps
> clearer, using your input.  In particular, I'll look for ways to 
> better
structure
> the steps.  (Unfortunately, the xml2rfc tool doesn't do a particularly
good job
> of structuring lists with sub-lists.)
> 
> Answering your point 2c, a random CMK is not used in this case.  
> Instead,
the
> agreed-upon key is used directly to perform the encryption.  I also 
> plan
to
> add a key agreement example in the next draft.  I expect that this 
> will
help
> make this case clearer.
> 
> 				Thanks again,
> 				-- Mike
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf 
> Of Axel.Nennker@telekom.de
> Sent: Saturday, August 04, 2012 11:55 PM
> To: jose@ietf.org
> Subject: [jose] order of step for encryption. JWE section 5
> 
> Hi,
> 
> I have two issues with section 5 of
> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-05.html
> 
> 1)
> I would prefer it if the order of the steps 1 and 2 were reversed in
section 5.
> 
> Currently we have:
> Message Encryption
> 
> 
>    The message encryption process is as follows.  The order of the steps
>    is not significant in cases where there are no dependencies between
>    the inputs and outputs of the steps.
> 
>    1.   When key agreement is employed, use the key agreement algorithm
>         to compute the value of the agreed upon key.  When key agreement
>         without key wrapping is employed, let the Content Master Key
>         (CMK) be the agreed upon key.  When key agreement with key
>         wrapping is employed, the agreed upon key will be used to wrap
>         the CMK.
> 
>    2.   When key wrapping, key encryption, or key agreement with key
>         wrapping are employed, generate a random Content Master Key
>         (CMK).  See RFC 4086 [RFC4086] for considerations on generating
>         random values.  The CMK MUST have a length equal to that of the
>         larger of the required encryption and integrity keys.
> 
> Step 1 refers to the CMK that might be randomly created in step 2. I 
> think
it is
> better to have the CMK generation .
> 
> 2) I find the text of the current step 1 confusing.
>  2a) The first sentence is nearly a tautology
>  2b) All sentences begin with When but the sentences two and three are 
> alternative choices and the first is not.
>  2c) Does "When key agreement without key wrapping is employed, let 
> the Content Master Key
>         (CMK) be the agreed upon key." make sense?
>        What is the key agreement good for then?
>        Should this read: "When key agreement without key wrapping is 
> employed, let the agreed upon key be the CMK" ? There SHOULD be some 
> randomness e.g. through the epk.
> 
> Could we structure these steps more? I) determine the CEK, generate 
> random values like IVs and epks II) build the jweHeaderSegment (e.g.
> put the IV there) III) build the jweKeySegment (e.g. key wrapping) IV)
build
> the jweCryptoSegment V) build the jweIntegritySegment VI) base64url 
> encode and concatenate the segments 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email