IETF Logo Mail Archive

Re: [jose] JOSE dependence on "Key Guessing"

"Manger, James" <James.H.Manger@team.telstra.com> Thu, 08 February 2018 06:20 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39DE512D847 for <jose@ietfa.amsl.com>; Wed, 7 Feb 2018 22:20:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=teamtelstra.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vPrQZsBVI0uM for <jose@ietfa.amsl.com>; Wed, 7 Feb 2018 22:20:22 -0800 (PST)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FDAB1243F6 for <jose@ietf.org>; Wed, 7 Feb 2018 22:20:21 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.46,477,1511787600"; d="scan'208";a="97073808"
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipocvi.tcif.telstra.com.au with ESMTP; 08 Feb 2018 17:20:18 +1100
X-IronPort-AV: E=McAfee;i="5900,7806,8798"; a="922363847"
Received: from wsmsg3751.srv.dir.telstra.com ([172.49.40.172]) by ipcbvi.tcif.telstra.com.au with ESMTP; 08 Feb 2018 17:20:18 +1100
Received: from wsapp6783.srv.dir.telstra.com (10.75.131.38) by wsmsg3751.srv.dir.telstra.com (172.49.40.172) with Microsoft SMTP Server (TLS) id 8.3.485.1; Thu, 8 Feb 2018 17:20:18 +1100
Received: from wsapp5585.srv.dir.telstra.com (10.75.3.67) by wsapp6783.srv.dir.telstra.com (10.75.131.38) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 8 Feb 2018 17:20:17 +1100
Received: from AUS01-SY3-obe.outbound.protection.outlook.com (10.172.101.125) by wsapp5585.srv.dir.telstra.com (10.75.3.67) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend Transport; Thu, 8 Feb 2018 17:20:17 +1100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=teamtelstra.onmicrosoft.com; s=selector1-team-telstra-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1zB6vc6zMNngNQBhBkC2kQAx4BR1LxIk5CJ3vaU9TRQ=; b=WBkP5zRuzfdUwXJFBak4qfVo0CFuaK4wxHPfb8FOXbp+3a16nijUi5FSUl/+KSWgJ3n+QZlOERQ5Js6t6gTAx2Yjfg6ken3bXN30XWZ+YDJA4yycb3Hra7Mb6OOWdDdehh7MFz3jNI+FHuzc6iBEEyd5DOUiLyfZpEE8SXRCzN8=
Received: from SYXPR01MB1087.ausprd01.prod.outlook.com (10.169.175.16) by SYXPR01MB0158.ausprd01.prod.outlook.com (10.162.71.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.485.10; Thu, 8 Feb 2018 06:20:15 +0000
Received: from SYXPR01MB1087.ausprd01.prod.outlook.com ([10.169.175.16]) by SYXPR01MB1087.ausprd01.prod.outlook.com ([10.169.175.16]) with mapi id 15.20.0464.016; Thu, 8 Feb 2018 06:20:15 +0000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] JOSE dependence on "Key Guessing"
Thread-Index: AQHTn9ltHb3pzYaePkyhTZV5hRwZEaOYeGOAgAGJ7AA=
Date: Thu, 08 Feb 2018 06:20:15 +0000
Message-ID: <SYXPR01MB1087D3C529EAD61DB1E5D83EE5F30@SYXPR01MB1087.ausprd01.prod.outlook.com>
References: <6b3f854d-f370-8f94-12ca-0f8ae0051362@gmail.com> <SN6PR2101MB09437284FC84E3154BC8C64EF5FC0@SN6PR2101MB0943.namprd21.prod.outlook.com>
In-Reply-To: <SN6PR2101MB09437284FC84E3154BC8C64EF5FC0@SN6PR2101MB0943.namprd21.prod.outlook.com>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=James.H.Manger@team.telstra.com;
x-originating-ip: [203.35.185.254]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SYXPR01MB0158; 7:XgfGf8Hv/OF3f47xmQeW0oEdNf+NInhJg/b1/oZbx6ONoMLsf5NpEQufKi/RI0cZ+D4HYqon5zRsl+akY/lQUby6Gv7tKFpOQbT1ZzEBkNFSYvisgYnHSp5sC2x6l2Hvv7ZzJjVYWPy49E0BJS9Qz2RGLheadKoBj0tTIB5GMtOkvApxMmodaA6D49Ph4s+QeKDDX2y19jTgELR3+WRKpdO1O/pzRoaYLQhsJE8MxCCwV10wfGvq8OD++pTDypUZ
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: dcc26993-5c9c-4a25-2c4d-08d56ebc04bf
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:SYXPR01MB0158;
x-ms-traffictypediagnostic: SYXPR01MB0158:
x-microsoft-antispam-prvs: <SYXPR01MB0158A0D5BC77BF7D3E2B7AB8E5F30@SYXPR01MB0158.ausprd01.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(85827821059158);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(8121501046)(5005006)(3231101)(2400082)(944501161)(10201501046)(3002001)(93006095)(93001095)(6041288)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(20161123560045)(6072148)(201708071742011); SRVR:SYXPR01MB0158; BCL:0; PCL:0; RULEID:; SRVR:SYXPR01MB0158;
x-forefront-prvs: 0577AD41D6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(39860400002)(376002)(366004)(39380400002)(189003)(199004)(377424004)(13464003)(102836004)(551934003)(81156014)(81166006)(2501003)(8936002)(2906002)(3660700001)(3280700002)(186003)(2950100002)(42882006)(77096007)(26005)(106356001)(105586002)(8666007)(14454004)(6306002)(6436002)(55016002)(9686003)(6246003)(6116002)(966005)(3846002)(53936002)(72206003)(6506007)(53546011)(33656002)(59450400001)(1511001)(76176011)(229853002)(478600001)(68736007)(39060400002)(2900100001)(66066001)(7736002)(7696005)(97736004)(305945005)(5660300001)(8676002)(99286004)(86362001)(110136005)(74316002)(316002)(53376002)(25786009); DIR:OUT; SFP:1102; SCL:1; SRVR:SYXPR01MB0158; H:SYXPR01MB1087.ausprd01.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:0; LANG:en;
received-spf: None (protection.outlook.com: team.telstra.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 5T3UX0ypnmzbWa2hTMOA3sZm8zsCVZpqv7bWLld8hd0bK7ZOwXK8Z6IB2dNhd7+7Srb3Eq7mH0Sz2GqhfkV9cA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: dcc26993-5c9c-4a25-2c4d-08d56ebc04bf
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Feb 2018 06:20:15.5025 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 49dfc6a3-5fb7-49f4-adea-c54e725bb854
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYXPR01MB0158
X-OriginatorOrg: team.telstra.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/CVei78Egat7JbAQ-9xtJZQDyKaQ>
Subject: Re: [jose] JOSE dependence on "Key Guessing"
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2018 06:20:25 -0000

A URI pointing to a JWK Set (jku) plus a key-id (kid) is sufficient to identify one specific key. But you should be able to point to a single key with a single URI. You can't with RFC7517 JWK, and that is a flaw. The sensible solution would be to define how to put a kid in the fragment portion of a URI that points to a JWK Set (application/jwk-set+json). For example, https://example.com/keys.jwks#2011-04-29 to identify the 2nd key from RFC7517 Appendix A.1.

I assume we can define the fragment format specific to application/jwk-set+json. Unless the +json suffix means it must use a generic JSON fragment format?

Then you can authorize a set of keys that will change over time with key roll-over by giving a URI to a JWK Set. And you can identify the specific key used in a specific transaction with a URI-with-fragment.

--
James Manger

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, 7 February 2018 5:23 PM
To: Anders Rundgren <anders.rundgren.net@gmail.com>; jose@ietf.org
Subject: Re: [jose] JOSE dependence on "Key Guessing"

Anders, you misunderstand the feature and its purpose.  The ability to reference a set of keys is essential to performing key roll-over - a critical security function.  The "kid" (key ID) value is typically used to indicate which member of the key set was employed.  There is no "key guessing".

For an example of how JWK sets are used for key roll-over in a production system, see http://openid.net/specs/openid-connect-core-1_0.html#Signing.

				-- Mike

-----Original Message-----
From: jose <jose-bounces@ietf.org> On Behalf Of Anders Rundgren
Sent: Tuesday, February 6, 2018 10:03 PM
To: jose@ietf.org
Subject: [jose] JOSE dependence on "Key Guessing"

Dear list,

Believe or not but there is a new multi-party IETF effort in the workings for dealing with "clear text" versions of JWS and JWE.  Our BOF request was though turned down due to lack of published drafts and "customers" so issues will have to go through the mailing list only.

The goal is reusing as much as possible of the existing specifications, essentially limiting the work to repackaging.

However, it turned out that I wasn't fully up-to-date on the JOSE concept "Key Guessing":
https://tools.ietf.org/html/rfc7515#appendix-D

As far I can tell they only way you would ever need to do "Key Guessing" as described in appendix-D is if you have a scheme where the sender doesn't inform the receiver which key it actually used which sounds like a poor idea as well as highly unlikely to be used anywhere in practice.

Therefore I didn't bother too much with that until I had implemented support for JKU where the sender supplies a URL to a set of keys for the receiver to try out.  That is, "Key Guessing" is not only a possibility, it is an intrinsic part of the JOSE specifications.

So the question simply boils down to: Should derived standards-to-be, inherit obvious design flaws as well? IMO, they should not.  JKU could be redefined to point to a single JWK, removing the need for "Key Guessing" altogether.  Yes, there are "workarounds" like requiring additional key identification properties...

thanx,
Anders

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose
_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email