IETF Logo Mail Archive

Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens

Mike Jones <Michael.Jones@microsoft.com> Fri, 20 April 2018 15:18 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 577A9124F57; Fri, 20 Apr 2018 08:18:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nEvJakLNXtT0; Fri, 20 Apr 2018 08:18:15 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0139.outbound.protection.outlook.com [104.47.33.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1A88124B17; Fri, 20 Apr 2018 08:18:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=h8jEjry4XdqGWxSFhviY9ax7ncHO4RK6BT3vK2yQ3NY=; b=IYFvu69It71bnVJSZCgDtEE8aJQH8BZZ7Mx1CxME0t6N2dyTHsfyrMdDptvv33nZZhVeT9MsAeaUveKCM01tJeL0TJ3vAcEyQc7PDXF4awr0JNp0wr9AycezJXOnS/20OIT/+7o72wUJpPB571/vmCP4Ym3aoYTTFJ69yfJ4jp0=
Received: from SN6PR00MB0301.namprd00.prod.outlook.com (2603:10b6:805:b::27) by SN6PR00MB0448.namprd00.prod.outlook.com (2603:10b6:805:d::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.734.0; Fri, 20 Apr 2018 15:18:11 +0000
Received: from SN6PR00MB0301.namprd00.prod.outlook.com ([fe80::f0f1:9187:23d6:1dc7]) by SN6PR00MB0301.namprd00.prod.outlook.com ([fe80::f0f1:9187:23d6:1dc7%5]) with mapi id 15.20.0734.000; Fri, 20 Apr 2018 15:18:04 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Carsten Bormann <cabo@tzi.org>, Neil Madden <neil.e.madden@gmail.com>
CC: "cfrg@ietf.org" <cfrg@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [Cfrg] [jose] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
Thread-Index: AQHT2Jc7m/3WOZ14uUeqVakI/+p1jaQJvW5g
Date: Fri, 20 Apr 2018 15:18:04 +0000
Message-ID: <SN6PR00MB0301F595CF57BF58D4BAA4D2F5B40@SN6PR00MB0301.namprd00.prod.outlook.com>
References: <CAKws9z15m6WY+-mz5D01vxB4s-TE7nQN56=ssYt=vz3z4gAj6A@mail.gmail.com> <DBC2F048-C949-4362-8FD0-A43A54767B03@gmail.com> <CAKws9z277JLfv7Pb9wSkJ7zYR8FzoAfiXuFS6Vq0x32-3bWx7Q@mail.gmail.com> <DB58CEFE-ED93-4C1C-9212-B622DFCCFFB9@gmail.com> <A6784DBB-C147-40B7-8A5C-E96F431020F6@tzi.org>
In-Reply-To: <A6784DBB-C147-40B7-8A5C-E96F431020F6@tzi.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:e::6c3]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR00MB0448; 7:G0FuV3+cGxICF6ajnPzYwdcQ5SE8wdwl6cxgEeEU/mXCVw2S9RwVceUMAJ+MqPmXURksCZOqstGcHBzzvYZwEfAoy/CGSUw2XxjrPtZWkVlrlpjaO3n/YCtuuxk86IZXvlk86jfjC+fjr9DiZkY3Z4vRWoWlIDO+WIpMbIR3lQ05juckQ4uMKt95UCjqhC8wugPRbTwvMw9A9z0+sYnaL/YdPLD5rnBKMbkjShLmuFYwob6T/SdCTUxlkCEgorES; 20:yb7MahuTyU0ap8Szcw8LYAxGF5I3k3lDGdPQwSdwg5XQ8RXtZH3tODJNtrbrZnZASQDwnBbfH34O4LPYZHnVItBgWr+Fz9dm2l1g1+AWKN3/5HgoQLlEl/jajAYVpkhtcwssQSCQKmQpARMubq+T2YmzjtSXrYLD8/YZ+bpXiQ0=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(48565401081)(2017052603328)(7193020); SRVR:SN6PR00MB0448;
x-ms-traffictypediagnostic: SN6PR00MB0448:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-microsoft-antispam-prvs: <SN6PR00MB0448165B4EF964757C70D097F5B40@SN6PR00MB0448.namprd00.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(85827821059158);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(2017102700009)(2017102701064)(61425038)(6040522)(2401047)(8121501046)(5005006)(2017102702064)(20171027021009)(20171027022009)(20171027023009)(20171027024009)(20171027025009)(20171027026009)(2017102703076)(10201501046)(93006095)(93001095)(3002001)(3231232)(944501395)(52105095)(6055026)(61426038)(61427038)(6041310)(20161123560045)(20161123558120)(20161123562045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:SN6PR00MB0448; BCL:0; PCL:0; RULEID:; SRVR:SN6PR00MB0448;
x-forefront-prvs: 0648FCFFA8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(39860400002)(366004)(376002)(39380400002)(346002)(13464003)(39060400002)(2906002)(22452003)(72206003)(966005)(14454004)(478600001)(10290500003)(4326008)(93886005)(3280700002)(99286004)(33656002)(3660700001)(53936002)(110136005)(316002)(8936002)(8676002)(6116002)(6246003)(81166006)(54906003)(305945005)(7736002)(5660300001)(15650500001)(74316002)(2900100001)(25786009)(9686003)(86362001)(46003)(6306002)(55016002)(229853002)(476003)(10090500001)(6436002)(446003)(7696005)(59450400001)(6506007)(52396003)(53546011)(76176011)(8990500004)(11346002)(5250100002)(186003)(86612001)(102836004); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR00MB0448; H:SN6PR00MB0301.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; MLV:ovrnspm; PTR:InfoNoRecords;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: XBwtKxcYQ0flTzdJm+BsWoexJzjt5Qeivkvw7fR5U+qsfzD5kJFaTCzaC68w0iammMDQ8KvIfsfZqDDcusZCxMdJ3e8Mv6EKOO09ElchvIG7T61nNYNCOZ+R6mll+9JlJkQSr09EiOshpywTAi6Kp4z2BcBmVDFA7fGXJgUjKhhV1xbkS/71feRoOcNwDJ6s
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 0bbed353-6b10-4a4e-f4dd-08d5a6d1ea07
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0bbed353-6b10-4a4e-f4dd-08d5a6d1ea07
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Apr 2018 15:18:04.5737 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR00MB0448
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/O8cG9QaY3aj66P5wRneEpJeRwQU>
Subject: Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2018 15:18:18 -0000

The JWT Best Current Practices (BCP) draft catalogs the different implementation mistakes that have been documented and describes how not make them.  The timing of this discussion is good because the draft is currently in working group last call - through Monday, April 30th.  Have a look at https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-01.  If you believe that additional content is needed, please send your reviews to oauth@ietf.org.

Also, see Neil Madden's draft https://tools.ietf.org/html/draft-madden-jose-siv-mode-02 on misuse-resistant cryptography for JOSE.  I've encouraged him to take it forward.  Please provide feedback on that as well.

				-- Mike

-----Original Message-----
From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Carsten Bormann
Sent: Friday, April 20, 2018 4:03 AM
To: Neil Madden <neil.e.madden@gmail.com>
Cc: cfrg@ietf.org; jose@ietf.org
Subject: Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens

On Apr 20, 2018, at 12:49, Neil Madden <neil.e.madden@gmail.com> wrote:
> 
> insecure implementations of old standards don’t go away because you introduce a new standard

Exactly.

If we have to invent a new standard each time an existing standard is implemented with a security flaw, we have a lot of work to do.

Insecure implementations exist even of standards such as TLS.  Usually the strategy is to fix the implementations.  (It is also a good idea to envision what implementers will mess up when creating a new standard.  But there are limits to that approach.)

One of the objectives in the definition of COSE was to avoid some of the pitfalls of JOSE.
There is also work ongoing to document the security considerations of JOSE better, e.g., draft-ietf-oauth-jwt-bcp.

I’d like to focus the energy that appears to be visible here on agreeing good SIV constructions and getting them registered with COSE.

Grüße, Carsten

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email