IETF Logo Mail Archive

Re: [jose] Deprecation of legacy algorithms

Neil Madden <neil.e.madden@gmail.com> Wed, 06 March 2024 08:10 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEFDBC14F60C for <jose@ietfa.amsl.com>; Wed, 6 Mar 2024 00:10:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SSAMUM0XfRHQ for <jose@ietfa.amsl.com>; Wed, 6 Mar 2024 00:09:58 -0800 (PST)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCA12C14F60B for <jose@ietf.org>; Wed, 6 Mar 2024 00:09:58 -0800 (PST)
Received: by mail-lj1-x234.google.com with SMTP id 38308e7fff4ca-2cd3aea2621so17170531fa.1 for <jose@ietf.org>; Wed, 06 Mar 2024 00:09:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709712597; x=1710317397; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=gVQ7VADqT0jv+PwN3w7pSTq+XSXbcUNXWZ/+o095HKc=; b=Y1P9LPqYeHkS53zd1JVh+eJJdx61gaWEOYQM6Wa9uF4TnsoiREv5pWY6H0Kj4Da0L4 K/KO8hKirgnzUwu+w0xJGTOfba+ljr+KOHx1SYpB8X3Wz9AQCkxRVq0p0sT3OjafdyzB EtLPCq/+u79/MbBxc9D39aOTvv4wsyxuCzjUPD4sW7HjBFzIDeOXvx36JCYurMRkPr2B PZlHIt/2o8aEN0FPQy6VYShaEw5coMVo5uhQScbCzdeOxqFglYQ+rhS9/ZAsGL4jL1Fj V8LdqCg44LWGNDdNZ0pB9/GuDhVSw8jjFpMHht3CJKocrwQH5DjQrI5K+frOpZyMXutE tl4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709712597; x=1710317397; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=gVQ7VADqT0jv+PwN3w7pSTq+XSXbcUNXWZ/+o095HKc=; b=LSKmlfP7tGVr+sys3JuybR1qpxT+LbXCSqwfnDq6WWVyVsn+0PQvEIvmzzW2MBr3aJ fsd88sl+FLS+6QLgSwpRsFyGcxW9aOKD0DpL+ianymxAvGgGJDJEOjDZtRItPE2tG+zu iWKEajgZDdeXSXC72PB9vobXEPJv3/LcnVyhBDHYz+1MgDChid8JzNgtMxT7g+P2cjyN NFGtryDmvqlGvCYjJCoTXOBaCzRhKtMPWjINVrCcGmealob7i0wNw5BBGwo4eORYwy8e ZfnClluNLqM4ZN57uY4703Whb2LQwZjda0KnzuEAiuvGsad6RvzKWAjO8uYTCCYj3zyS ZfMA==
X-Forwarded-Encrypted: i=1; AJvYcCU/9CvBforvccZ0Ac/GxRXPYv2mwFwf7fsEYHTkxssENX12DqgeRd2cjbdvNTDW6Cv6m48t4aWVMMAFdTmL
X-Gm-Message-State: AOJu0YyGWQ6K7DIIWza08RA/Oe77yfNDu8BVVvowQxi9ytM50iz2GewJ 1qmLQMHfPYlz4jg514gdtsJ+DB4uk9rnSMm0WaeViYQqpvV9hREbR6H4hMP7B9o=
X-Google-Smtp-Source: AGHT+IG06+yDTmI+hYyn3X7XQo88xOoluFiXPDz3Po3iY3KYBrzvFM4Kl9BB33xpBqOBFJBS8ZvAbw==
X-Received: by 2002:a2e:9058:0:b0:2d2:5d6d:9db3 with SMTP id n24-20020a2e9058000000b002d25d6d9db3mr1794801ljg.0.1709712596275; Wed, 06 Mar 2024 00:09:56 -0800 (PST)
Received: from smtpclient.apple (232.211.93.209.dyn.plus.net. [209.93.211.232]) by smtp.gmail.com with ESMTPSA id j5-20020a2e8505000000b002cf1cf44a00sm2505810lji.52.2024.03.06.00.09.55 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 06 Mar 2024 00:09:55 -0800 (PST)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Date: Wed, 06 Mar 2024 08:09:44 +0000
Message-Id: <3D80FCAB-5898-4929-A453-0BA3F27E1673@gmail.com>
References: <SJ0PR02MB7439A5E8950C64607EA16629B7222@SJ0PR02MB7439.namprd02.prod.outlook.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, JOSE WG <jose@ietf.org>
In-Reply-To: <SJ0PR02MB7439A5E8950C64607EA16629B7222@SJ0PR02MB7439.namprd02.prod.outlook.com>
To: Michael Jones <michael_b_jones@hotmail.com>
X-Mailer: iPhone Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/85HvRb1ylw0WIuYfPaXTcFDORsk>
Subject: Re: [jose] Deprecation of legacy algorithms
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2024 08:10:02 -0000

On 5 Mar 2024, at 23:24, Michael Jones <michael_b_jones@hotmail.com> wrote:
> 
> While this is been said many times before, it seems that it's time to say it again.  The last point in the Message Signature or MAC Validation section at https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2 is:
> 
> "Finally, note that it is an application decision which algorithms may be used in a given context.  Even if a JWS can be successfully validated, unless the algorithm(s) used in the JWS are acceptable to the application, it SHOULD consider the JWS to be invalid."
> 
> "alg":"none" can only cause a problem if the application fails to validate whether the algorithms used are appropriate for use by the application in that context.  The need to validate whether "alg":"none" is appropriate is no different than the need to validate whether use of RSA1_5 is appropriate.

There are three big differences between these cases:

* alg:none provides no security properties, whereas all of the other algorithms do
* alg:none doesn’t require a key, so will not be caught by checks on key type/algorithm
* alg:none purports to be a signature algorithm, but isn’t. Many developers don’t even know it exists. 

For example, OIDC says ID Tokens MUST be signed, which would imply to most people that they are always integrity protected. But somehow “none” is a valid signature algorithm. 

> 
> An ID Token using "alg":"none" sent over a TLS connect is fine, because TLS makes it tamper-proof.

This not true. 

>  As it says at https://openid.net/specs/openid-connect-core-1_0.html#IDToken:
> 
> "ID Tokens MUST NOT use "none" as the "alg" value unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow) and the Client explicitly requested the use of "none" at Registration time."
> 
> The context where the algorithm is used matters.  In the above usage, "alg":"none" is safe and appropriate.

Sure, but just returning some JSON would also be fine. What benefit does it gain?

> 
> The issues that have happened only happened in applications that didn't implement the algorithm appropriateness check in Section 5.2.  If they're not doing it for "none", they probably aren't doing it for any algorithms, and so the application would still be vulnerable to using obsolete algorithms even if we deprecated "none".
> 
> Fix the broken applications.  Don't remove essential functionality that's been a standard for nearly a decade and has been in production use longer than that.

This is the same reasoning as “C is a safe language, you’re just using it wrong”. We can’t keep having multiple critical vulnerabilities per year due to a feature that actually almost nobody intentionally uses. 

As a counterpoint, while I was still there ForgeRock disabled “none” by default. As far as I’m aware nobody ever complained or even noticed. I’ve never met anyone who wants unsecured ID Tokens. 

— Neil

v2.23.0 | Report a Bug | By Email