Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Fri, 10 October 2014 22:19 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADBB61AD41C for <jose@ietfa.amsl.com>; Fri, 10 Oct 2014 15:19:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHKCL2GZax3A for <jose@ietfa.amsl.com>; Fri, 10 Oct 2014 15:19:32 -0700 (PDT)
Received: from mail-vc0-f171.google.com (mail-vc0-f171.google.com [209.85.220.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65FE01A88C5 for <jose@ietf.org>; Fri, 10 Oct 2014 15:19:32 -0700 (PDT)
Received: by mail-vc0-f171.google.com with SMTP id hy10so3411323vcb.16 for <jose@ietf.org>; Fri, 10 Oct 2014 15:19:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=SiJfoZbb8kj87p8JBtce26/KqGfJ3mgIaEX8OZAdjP8=; b=RYCRt/92wD1UTp/3E7S5SWD/51VcnAy2AVIEcl0+bdqgikDc+NQxQ3bDXguAy434R/ Abi9593sLnl4BKf1UREtjnvxMy+uLNU/TZzNIatCGWEGmAJKXDBqrGIMGOgDReOEBP0x YCJhbGnxnGE8KmvILw0P9ra+2nmTZWuyeBim6ziyz0VAl9B2yVi2IePqkepwElsrpQIM skYqupfSwZuwRZ0F+7GmZKQXHKB2iKIwOEUDq0vh255a6idl3OI3o9Mp0UJapjjvz4kZ /lmyh280STp4JrpoM/u8c4E2wKKYWdOnQ0gR7Xx85qUF5DDwB454SwfjLocBpPRtNlsS 7ruw==
X-Gm-Message-State: ALoCoQnf+90W2lA6WP0PiSWDQgMm1GsCfX3TZIenw58CSt+WHtDcY1jcqR0JuWRsqS3rElxKKLqQ
MIME-Version: 1.0
X-Received: by 10.221.5.66 with SMTP id of2mr5018471vcb.40.1412979571458; Fri, 10 Oct 2014 15:19:31 -0700 (PDT)
Received: by 10.31.134.17 with HTTP; Fri, 10 Oct 2014 15:19:31 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BAF0C55@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20141002042150.11117.29199.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAF0C55@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Fri, 10 Oct 2014 18:19:31 -0400
Message-ID: <CAL02cgRSufwEk1eF=AFOXMSzkWpSTRbdtBX9yMOtkMN58uH1zQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=089e012941366ea634050518f1c5
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/DWpzaPLoGMI4TmAk0Jh-NshMWs4
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, "jose@ietf.org" <jose@ietf.org>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>
Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-signature-33: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Oct 2014 22:19:35 -0000

On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Thanks for your review, Richard.  I'm repeating my previous responses from
> my Thursday reply, but this time using ">" quoting rather than colors, for
> better readability by people not using HTML-enabled mail readers...
>
> > -----Original Message-----
> > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
> > Sent: Wednesday, October 01, 2014 9:22 PM
> > To: The IESG
> > Cc: jose-chairs@tools.ietf.org; jose@ietf.org; draft-ietf-jose-json-web-
> > signature@tools.ietf.org
> > Subject: [jose] Richard Barnes' Discuss on
> draft-ietf-jose-json-web-signature-33:
> > (with DISCUSS and COMMENT)
> >
> > Richard Barnes has entered the following ballot position for
> > draft-ietf-jose-json-web-signature-33: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> email
> > addresses included in the To and CC lines. (Feel free to cut this
> introductory
> > paragraph, however.)
> >
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-signature/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Overall, this document is in much more solid shape than when it began.
> > Thanks to the WG for a lot of hard work.  I only have two remaining
> concerns,
> > which should hopefully be easy to address.
> >
> > Section 7.2.
> > I've had several implementors trying to use JWS in the JSON
> serialization ask why
> > it was necessary to include a "signatures" array in cases where there's
> only one
> > signer.  It seems like this is going to be a major barrier to deployment
> and re-
> > use, so I would propose including the following text:
> >
> > """
> > In cases where the JWS has been signed by only a single signer, the
> "signatures"
> > array will contain a single object.  In such cases, the elements of the
> single
> > "signatures" object MAY be included at the top level of the JWS object.
> A JSON-
> > formatted JWS that contains a "signatures" field MUST NOT contain a
> > "protected", "header", or "signature" field, and vice versa.
> > """
> >
> > This may also require some other changes where "signatures" is relied
> on, e.g.,
> > in Section 9 of the JWE spec.
>
> This was previously proposed (I believe during the Denver interim meeting)
> and rejected by the working group because it complicates both producers and
> parsers by introducing an unnecessary special case.  Currently, by design,
> whether there are single or multiple signatures, the same syntax is used.
> Your proposal would use a different syntax in the single signature case
> than in the multiple signature case.  This is likely to result in
> implementation bugs and inconsistencies.
>

This assertion of complexity is bogus.  Have you implemented this syntax,
or can you point me to someone who has, and has had problems?  I have
implemented it and I'm asking for the simpler syntax.  I've gotten the same
request from others, for JWE.



> > Section 6.
> > """
> > These Header Parameters MUST be integrity protected if the information
> that
> > they convey is to be utilized in a trust decision.
> > """
> > This smells really fishy to me.  What's your attack scenario?  I'm
> pretty certain
> > that there's no way any of these fields can be altered in such a way
> that (1) the
> > signature will validate, and (2) the recipient will accept a key it
> shouldn't.  By way
> > of contrast, CMS doesn't sign the certificate fields, and the
> Certificate payload in
> > TLS is only signed as a side effect of the protocol's verification that
> the remote
> > end has been the same through the whole handshake (which doesn't apply
> here).
>
> The attack scenario is trivial to describe.  If an attacker can change
> information used in a trust decision, the trust decision has no validity.
> Unless the information is integrity-protected, the attacker could change
> the non-integrity-protected portions of the JWS in an undetectable way.
>

That's hand waving, not an attack scenario.  Allow me to elaborate on this:

There is no possible attack scenario for the key identifiers that identify
a *key* (vs. a cert) -- jwk, jku, and kid.  For any given signed object,
there is exactly one key that can validate the signature (otherwise the
crypto is broken).  If the attacker changes the validation key, then the
signature won't validate.  So there is no need to integrity protect these
headers, since there's no point to the attacker changing them.  RFC 2634
actually has text to this effect:

"""
   The first version of this attack is a simple denial of service attack
   where an invalid certificate is substituted for the valid
   certificate. This renders the message unverifiable, as the public key
   in the certificate no longer matches the private key used to sign the
   message.
"""

With regard to the certificate identifiers ("x5u", "x5c", "x5t", and
"x5t#S256"), the risks that Jim points out [RFC2634, Section 5] are real,
but only apply in certain narrow circumstances.  Namely, the only time a
risk arises is when two certificates have been issued for the same public
key, with different attributes.  This is exceedingly rare in practice, and
all current secure messaging systems get along fine without protection
against this attack.  And it might not even be an attack -- you could
envision cases with "x5u" where the signer purposely presents different
certificates to different relying parties!

So the blanket requirement that these fields MUST be integrity protected is
not appropriate.  It is only required for certain special situations using
certificates.  Proposed revision:

Delete: "These Header Parameters MUST be integrity protected if the
information that they convey is to be utilized in a trust decision."

Add new paragraph: "In situations where multiple certificates with
different attributes may be issued over the same public key, there is a
risk that one of these certificates may be substituted for another. In such
situations, the creator of a JWS object MUST integrity protect the "x5u",
"x5c", "x5t", and "x5t#S256" attributes, if present."



>
> For what it's worth, Sean had us add language in a number of places that
> basically said that information is only as trustworthy as its source and
> the means by which it is obtained.  If I remember correctly, this was one
> of those places.
>
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Section 2.
> > In the definition of "Unsecured JWS", it would be good to note that this
> requires
> > "alg" == "none".
>
> OK
>
> > Section 3.3.
> > Why doesn't this section have a JSON-encoded form as well?
>
> Because it's meant to be a simple introductory example to help people get
> their head around the concept - not a complete tutorial.  Other examples of
> JSON-encoded objects are found elsewhere in the document and lots of them
> are found in draft-ietf-jose-cookbook.
>
> > Appendix A.5.
> > I would prefer if this example could be removed.  JWT is the only use
> case for
> > Unsecured JWS right now, and there's already an example in that document.
>
> Mike> Given that it's important that implementers using them understand
> Unsecured JWSs, there is motivation to retain the example.  I'd be
> interested in what others in the working group think, given that there was
> substantial support for retaining this functionality when its removal was
> proposed.
>
> > Thanks for Appendix C.  FWIW, it has been implemented:
> >
> http://dxr.mozilla.org/mozilla-central/source/dom/crypto/CryptoBuffer.cpp#85
>
> You're welcome.
>
> > _______________________________________________
> > jose mailing list
> > jose@ietf.org
> > https://www.ietf.org/mailman/listinfo/jose
>
>                                 Thanks again!
>                                 -- Mike
>