IETF Logo Mail Archive

Re: [jose] AD review of draft-ietf-jose-jwk-thumbprint-04

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 21 April 2015 21:20 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C28021B2B82 for <jose@ietfa.amsl.com>; Tue, 21 Apr 2015 14:20:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8GDdMdmyUfbM for <jose@ietfa.amsl.com>; Tue, 21 Apr 2015 14:20:49 -0700 (PDT)
Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 802A11B2B93 for <jose@ietf.org>; Tue, 21 Apr 2015 14:20:17 -0700 (PDT)
Received: by lagv1 with SMTP id v1so160912019lag.3 for <jose@ietf.org>; Tue, 21 Apr 2015 14:20:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ygTxTxRjg3WUI6t8BbZTWG/jG2UInESQ4qp8xIV5jMU=; b=0QLS5YLLBm2bsNBgcx6/pyXzstKjvY2aF1I4QF3Kq4Sqh2DnZlQWP0rNNNE6YCaAUa guge8fzSCAwtLQqRXxlcA7wYANdLUN8M9dI+g4/EKF1hZ9yHECLg2Kajqmsw7LdGVRKU 0ycMHt7MU79LQRDpnyt+vKUSG/1Arb3QR5iqsH7oyiu19r7KX0nU7VZwOd3FwsZlxUSL bS2lrLNQvopOO0Gc3JVfYRbNLugjVk1izf5SEGkDYItdnBKO6Tk2XUZxeZ6ZOXPzYHTp xFUsHstxsZMNKEhkmsQrKJtI+PcN3qOvkBVJ3IuJ0ReHqhcV05pakuB1wjPGPPfGrCAv SZCQ==
MIME-Version: 1.0
X-Received: by 10.112.167.228 with SMTP id zr4mr21644387lbb.113.1429651215950; Tue, 21 Apr 2015 14:20:15 -0700 (PDT)
Received: by 10.112.11.199 with HTTP; Tue, 21 Apr 2015 14:20:15 -0700 (PDT)
In-Reply-To: <00f701d07c6e$9d433aa0$d7c9afe0$@augustcellars.com>
References: <CAHbuEH4UfvUJtRE8Nj3vQv2B+yGKjPqi10+vSZoTvE4KYu79og@mail.gmail.com> <CAHbuEH7ns7+bc-CZROtta5OHOLizg1+b7PBn=RmBsRx5WNnX3Q@mail.gmail.com> <BY2PR03MB442D069E5BD81B2FF64467DF5EF0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH4tEOgAprVokd4ki+RKP1gjGWq3ij25Qps4HR13Jb-rvA@mail.gmail.com> <00b101d07c59$bbd24e80$3376eb80$@augustcellars.com> <BY2PR03MB4423DD1A72C5FAA71BC6AF8F5EF0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH6aB7+JGAFUepf4qN7a3P0G1+oGBfn5BH=k80bK-TEkUQ@mail.gmail.com> <00f701d07c6e$9d433aa0$d7c9afe0$@augustcellars.com>
Date: Tue, 21 Apr 2015 17:20:15 -0400
Message-ID: <CAHbuEH43rtuoGwbj-jpUNnPOU-dvRVXBu_fmSGvzWc+PRbMH4g@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="001a11c2432ae128310514429c33"
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/CGEWpKvhQcgUFIK0ZjIbO73TBzc>
Cc: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] AD review of draft-ietf-jose-jwk-thumbprint-04
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2015 21:20:56 -0000

Jim,


On Tue, Apr 21, 2015 at 4:06 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> Kathleen,
>
>
>
> No it is really more like taking the hash of a SPKI.  The required fields
> match up closer to the OID for the algorithm ID and the components of the
> key.
>

OK, but it's not just the key as is stated in one sentence of this section.
  I'm just looking for consistency.

>
>
> The entire reason that I wanted to have a good section on why optional
> items are not present, is that this is not similar to hashing a certificate
> because things like the user name (no JWK attribute) or key usage (either
> ‘uses’ or ‘key_opts’) values are not included as part of the hash.
>
>
>
> My original hope for the addition to section 3.2.2 was to have text that
> clarified what it would mean to hash the optional fields vs what it means
> to just use the required fields.  And then justify the reasoning behind
> doing the equivalent of just hashing the SPKI of the JWK.
>

Once you update the text in the abstract and definition, could you please
update this section as well to make that intent clear and to make sure it
is consistent across all sections?  My issue in this section was that it
mentions repeatedly that the JWK Thumbprint is a digest of the key and it
doesn't include other data... but it does.  The JWK thumbprint include the
required JWK members, it's not just the key.  I see your point as to why
you wanted this text, but think the current text is confusing as it leaves
out that this is the JWK thumbprint of the required members of the JWK,
which includes the key.

Thanks,
Kathleen

Jim
>
>
>
>
>
> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of *Kathleen
> Moriarty
> *Sent:* Tuesday, April 21, 2015 10:48 AM
> *To:* Mike Jones
> *Cc:* Jim Schaad; jose@ietf.org
>
> *Subject:* Re: [jose] AD review of draft-ietf-jose-jwk-thumbprint-04
>
>
>
> Hi Mike,
>
>
>
> On Tue, Apr 21, 2015 at 1:43 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> Jim, I assumed that her uses of JWT were typos for JWK.
>
> Yep, thanks.
>
>
>
> Kathleen, thanks for clarifying what you found confusing.  I’ll think
> about it some more, but my initial reaction is that the name “JWK
> Thumbprint” is appropriate because it specifies a thumbprint computation
> over a JWK representation of a key.  Even if, per Section 3.4, the key
> didn’t start life as a JWK, the thumbprint computation specified creates a
> JWK representation of the key and hashes it.  Hence “JWK Thumbprint”.  I’ll
> think some more, particularly when revising the introduction and
> definitions, about how to make this clearer.
>
>
>
> I'm fine with the term "JWK Thumbprint" if it is clearly defined and used
> consistently.  It's just not clear to me that it is a "Key fingerprint" as
> well since required fields of the JWK are included in addition to the key.
> In that respect, it is more like a certificate fingerprint that includes
> the key and attributes of a certificate, but I understand it is a JWK
> Thumbprint.
>
>
>
> Thanks,
>
> Kathleen
>
>
>
>                                                             Thanks again,
>
>                                                             -- Mike
>
>
>
> *From:* Jim Schaad [mailto:ietf@augustcellars.com]
> *Sent:* Tuesday, April 21, 2015 10:37 AM
> *To:* 'Kathleen Moriarty'; Mike Jones
> *Cc:* jose@ietf.org
> *Subject:* RE: [jose] AD review of draft-ietf-jose-jwk-thumbprint-04
>
>
>
> Kathleen,
>
>
>
> Some of you message is confusing me.  You keep referring to JWT in it.
> Are you doing this as JW Token or JW Thumbprint?  JWT is currently
> “reserved” for the token and thus it is being confused.   Can you clarify?
>
>
>
> Jim
>
>
>
>
>
> *From:* jose [mailto:jose-bounces@ietf.org <jose-bounces@ietf.org>] *On
> Behalf Of *Kathleen Moriarty
> *Sent:* Tuesday, April 21, 2015 8:48 AM
> *To:* Mike Jones
> *Cc:* jose@ietf.org
> *Subject:* Re: [jose] AD review of draft-ietf-jose-jwk-thumbprint-04
>
>
>
> Hi Mike,
>
>
>
> On Tue, Apr 21, 2015 at 11:22 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> Hi Kathleen,
>
>
>
> Thanks for taking the time to review the draft and write up today’s and
> yesterday’s comments.  Replies inline below…
>
>
>
> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of *Kathleen
> Moriarty
> *Sent:* Tuesday, April 21, 2015 7:47 AM
> *To:* jose@ietf.org
> *Subject:* Re: [jose] AD review of draft-ietf-jose-jwk-thumbprint-04
>
>
>
> Another thing has been bugging me since reading the draft yesterday and
> I'm not sure if this was discussed in the WG or not.  There appear to be
> differences in how a JWT thumbprint is described in the draft.  I'd like to
> see if we can work this out before progress the draft into IETF last call.
>
>
>
> The definition is not entirely clear.
>
> Section 3 clearly states that the required members of the JWT are part of
> the thumbprint.
>
> Section 3.2.2, although the subtitle makes the point that this is about
> why optional members are not included, the following sentence appears:
>
>    The JWK Thumbprint value is a
>
>    digest of the key value itself -- not of additional data that may
>
>    also accompany the key.
>
>
>
> 3.2.2 was included in response to earlier review comments by Jim Schaad.
> It’s there to motivate the particular choices made.  Is there some way in
> which you find 3 and 3.2.2 to be inconsistent?  3 is a positive statement
> about what’s included and the sentence in 3.2.2 that you quoted above is a
> negative statement about what’s not included, but that is consistent with
> the positive statement.  The negative statement is included to help readers
> understand the reasoning.  Is there some way in which you found it
> confusing or misleading?  Is there a particular change you might suggest to
> alleviate your concern?
>
> [JLS] And I didn’t complain but it did not do a good job of what I asked
> it to do.
>
>
>
> It is confusing.  Is this a thumbprint of the JWT or just the key?  If
> it's just the key, it should be called a Key thumbprint.  If it is of the
> JWK members that includes a key, I'm fine with this being the "JWK
> thumbprint".  If it's just of the key, the quoted sentence above is fine,
> but if the JWK required members are included and it's not just the key, you
> have conflicting statements.
>
>
>
>
>
> Section 3.4 - Why is this allowed?  If it's not in JWT format, it is some
> other kind of thumbprint. You are essentially creating a JWK to have the
> key and required members I am assuming, but that's not clear and this text
> could leave interoperability challenges.
>
>
>
> 3.4 points out that the draft specifies a mathematical computation over a
> key value, which can be performed on any key.  It’s stating what’s
> possible, more than what’s stating what’s allowed.  Yes, you’re right that
> you’d be creating a JWK representation of the key value to create the
> thumbprint.  If a thumbprint of the key is needed, this may be a reasonable
> choice in some application contexts.
>
>
>
> Again, is this a "Key Thumbprint" or a "JWK Thumbprint".  The draft needs
> to be consistent and use the correct term depending on what type of
> thumbprint this is.  I'm assuming JWK Thumbprint, that is kind of similar
> to a certificate thumbprint in that it's over a full set of data and not
> just the key (JWK or certificate in the case of X.509).
>
>
>
> I hope that further clarifies why I find the text confusing.
>
>
>
>
>
> Thanks,
>
> Kathleen
>
>
>
> On Mon, Apr 20, 2015 at 3:23 PM, Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
> Hi,
>
>
>
> Thanks for your work on draft-ietf-jose-jwk-thumbprint-04.  This is the
> last one, right?  Great job getting through the JOSE work!
>
>
>
> I read through the draft and have mostly editorial comments that I'd like
> to see if we can fix.
>
>
>
> Section 2:
>
> The definition needs some tweaking:
>
>
>
>  JWK Thumbprint
>
>       The digest value for a key that is the subject of this
>
>       specification.
>
>
>
> "the subject of this specification" should not part of text for a
> definition.  The definition needs to clearly explain the term without
> having to read the whole specification.  Can you suggest something else?
>
>
>
> Karen relayed text from Jim to me that I like and that will be used to
> improve the definition.  It was:
>
>
>
> “This document defines a method for computing a hash value over a JSON Web
> Key structure.  The document describes what the subset of fields in a key
> to be used are, the method of creating a canonical form for those fields
> and how to convert the resulting UNICODE string into a byte sequence
> appropriate for hashing.”
>
>
>
> That helps to improve the abstract and introduction, thank you.  How about
> the definition of JWK Thumbprint?  It should not include things like "this
> specification" or "this document".  It should be a stand alone definition.
>
>
>
> Section 4:
>
>
>
> Can you break this sentence into 2:
>
> However, if new JWK members are defined that use non-ASCII member
>
>    names, their definitions should specify the exact Unicode code point
>
>    sequences used to represent them, particularly in cases in which
>
>    Unicode normalization could result in the transformation of one set
>
>    of code points into another under any circumstances.
>
>
>
> OK
>
>
>
> Can you get rid of the parens around the second sentence?
>
>    Use of escaped characters in JWKs for which JWK Thumbprints will be
>
>    computed should be avoided.  (Use of escaped characters in the hash
>
>    input JWKs derived from these original JWKs is prohibited.)
>
>
>
> OK
>
>
>
> Can you reword this sentence/paragraph?  I had to read it multiple times.
> While I understand what you are saying, it could be easier to read.
>
>    While there is a natural representation to use for numeric values
>
>    that are integers, this specification does not attempt to define a
>
>    standard representation for numbers that are not integers or that
>
>    contain an exponent component.  This is not expected to be a problem
>
>    in practice, as the required members of JWK representations are not
>
>    expected to use numbers that are not integers.
>
>
>
> OK
>
>
>
> General comment, the use of long sentences and frequency of parens make
> the draft more difficult to read.
>
>
>
> Thanks for pointing this out.  I’ll try to keep this in mind.
>
>
>
> Great, thanks!
>
> Kathleen
>
>
>
> Thanks!
>
>
>
>                                                             Thanks again!
>
>                                                             -- Mike
>
>
>
> --
>
>
>
> Best regards,
>
> Kathleen
>
>
>
>
>
> --
>
>
>
> Best regards,
>
> Kathleen
>
>
>
>
>
> --
>
>
>
> Best regards,
>
> Kathleen
>
>
>
>
>
> --
>
>
>
> Best regards,
>
> Kathleen
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email