[jose] JWK glitches in deployment

"Manger, James" <James.H.Manger@team.telstra.com> Tue, 26 August 2014 06:49 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/jose/AotAc2XL-AsxLF7C33or8up4GRs

In March, Google's JWK file https://www.googleapis.com/oauth2/v2/certs (used for OpenID Connect) had 3 bugs: base64 instead of base64url; 1024-bit instead of >=2048-bit; leading zero byte on moduli.
Today Google's JWK file has 1 different bug: the base64url encoding has a trailing "=".
Salesforce's JWK file https://login.salesforce.com/id/keys has 1 bug: a leading zero byte on the RSA moduli.

Are these just teething problems, or do we need a stronger warning in the spec? These bugs also change the JWK's thumbprint (another reminder not to base security on thumbprints being unique for a given key).

James Manger
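
An added example, not part of the original message: a small linter for the "n" member of an RSA JWK that flags the four defects listed above and shows that each encoding variant yields a different thumbprint. Assumptions: the thumbprint is computed as in RFC 7638 over the members exactly as published, the names lint_rsa_jwk, thumbprint, RAW and SAMPLES are illustrative, and the modulus is a constructed byte pattern rather than a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding JWK requires for 'n' and 'e'."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def lint_rsa_jwk(jwk: dict, min_bits: int = 2048) -> list:
    """Return findings for the modulus 'n' of an RSA JWK (empty list = clean)."""
    n, findings = jwk["n"], []
    if "=" in n:
        findings.append("padding")
    if "+" in n or "/" in n:
        findings.append("base64-alphabet")
    # Normalise leniently so the remaining checks still run on a malformed value.
    s = n.rstrip("=").replace("+", "-").replace("/", "_")
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    if raw[:1] == b"\x00":
        findings.append("leading-zero")
    if int.from_bytes(raw, "big").bit_length() < min_bits:
        findings.append("short-modulus")
    return findings


def thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638) over the members exactly as published."""
    canon = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                       separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canon.encode()).digest())


# Constructed 2048-bit value for illustration; not a real RSA modulus.
RAW = b"\xfb\xef\xbe" * 85 + b"\xfb"
SAMPLES = {
    "clean": b64url(RAW),
    "padded": base64.urlsafe_b64encode(RAW).decode(),
    "base64": base64.b64encode(RAW).decode(),
    "leading-zero": b64url(b"\x00" + RAW),
    "1024-bit": b64url(RAW[:128]),
}

if __name__ == "__main__":
    for name, n in SAMPLES.items():
        jwk = {"kty": "RSA", "e": "AQAB", "n": n}
        print(f"{name:13} {lint_rsa_jwk(jwk)} {thumbprint(jwk)[:16]}")
```

A relying party that compares keys should decode "n" to an integer first; comparing the published strings or their thumbprints treats the padded, base64 and leading-zero variants of one key as different keys.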