IETF Logo Mail Archive

Re: [jose] Working Group last call on draft-ietf-jose-jwk-thumbprint

Mike Jones <Michael.Jones@microsoft.com> Sat, 24 January 2015 02:13 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DFE51A02BE for <jose@ietfa.amsl.com>; Fri, 23 Jan 2015 18:13:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.602
X-Spam-Level:
X-Spam-Status: No, score=-1.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xM575FqGBGR9 for <jose@ietfa.amsl.com>; Fri, 23 Jan 2015 18:13:29 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0759.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:759]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44F9E1A009B for <jose@ietf.org>; Fri, 23 Jan 2015 18:13:29 -0800 (PST)
Received: from BN3PR0301CA0053.namprd03.prod.outlook.com (25.160.152.149) by BY1PR0301MB0837.namprd03.prod.outlook.com (25.160.193.143) with Microsoft SMTP Server (TLS) id 15.1.59.20; Sat, 24 Jan 2015 02:13:06 +0000
Received: from BN1BFFO11FD052.protection.gbl (2a01:111:f400:7c10::1:199) by BN3PR0301CA0053.outlook.office365.com (2a01:111:e400:401e::21) with Microsoft SMTP Server (TLS) id 15.1.65.19 via Frontend Transport; Sat, 24 Jan 2015 02:13:05 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD052.mail.protection.outlook.com (10.58.145.7) with Microsoft SMTP Server (TLS) id 15.1.75.11 via Frontend Transport; Sat, 24 Jan 2015 02:13:04 +0000
Received: from TK5EX14MBXC291.redmond.corp.microsoft.com ([169.254.2.242]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.03.0224.003; Sat, 24 Jan 2015 02:12:11 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, ⌘ Matt Miller <mamille2@cisco.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [jose] Working Group last call on draft-ietf-jose-jwk-thumbprint
Thread-Index: AdA2r3oUosT0/BMvQzmHVjikyAzy8gAbPXWAAAVlCoAAAbWAgAAAVB8wAADzjgAAABJmUAAC5KsAAAGDgyAAANtDAAAA0kKAAALhm4AABGc9UA==
Date: Sat, 24 Jan 2015 02:12:10 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943A21ECFC5@TK5EX14MBXC291.redmond.corp.microsoft.com>
References: <046701d036af$c74ec7b0$55ec5710$@augustcellars.com> <CAL02cgSvp7d14B2Yan2-CHsi__ZedHfrvOAGbJRmnU93i33jbA@mail.gmail.com> <54C284C3.7070902@cisco.com> <601AAE53-0A77-4582-B56D-B126ECBEEFBE@ve7jtb.com> <4E1F6AAD24975D4BA5B1680429673943A21EB5D7@TK5EX14MBXC291.redmond.corp.microsoft.com> <CAL02cgQgV+b6rdOn9nHRS0cNgrb4-1A669vr9Q9L_XyMQ9BO6A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943A21EB6E9@TK5EX14MBXC291.redmond.corp.microsoft.com> <CAL02cgQQUo6P3XD7QDADNhrXkcmSL9X0oxMmXAiMkgJh78eQ-Q@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943A21EBD4B@TK5EX14MBXC291.redmond.corp.microsoft.com> <325597BB-8A06-4410-85F8-E01906B399F4@ve7jtb.com> <54C2C223.2040302@cisco.com> <54C2D579.9000505@cs.tcd.ie>
In-Reply-To: <54C2D579.9000505@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.72]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com; cs.tcd.ie; dkim=none (message not signed) header.d=none;cs.tcd.ie; dmarc=pass action=none header.from=microsoft.com;
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(51704005)(377454003)(479174004)(24454002)(13464003)(86362001)(6806004)(19580395003)(104016003)(33656002)(230783001)(19580405001)(87936001)(86612001)(2656002)(106466001)(55846006)(23676002)(46102003)(15975445007)(102836002)(50466002)(62966003)(76176999)(47776003)(50986999)(2900100001)(66066001)(93886004)(77156002)(2920100001)(92566002)(2950100001)(54356999); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0301MB0837; H:mail.microsoft.com; FPR:; SPF:None; MLV:sfv; LANG:en;
X-DmarcAction-Test: None
X-DmarcStatus-Test: Passed
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(3005004)(3003004); SRVR:BY1PR0301MB0837;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004); SRVR:BY1PR0301MB0837;
X-Forefront-PRVS: 0466CA5A45
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:; SRVR:BY1PR0301MB0837;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Jan 2015 02:13:04.9774 (UTC)
X-MS-Exchange-CrossTenant-Id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47; Ip=[131.107.125.37]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0301MB0837
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/EirjWM7plQ3MLSJlTnfpjpM-0ak>
Cc: Richard Barnes <rlb@ipv.sx>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Working Group last call on draft-ietf-jose-jwk-thumbprint
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Jan 2015 02:13:31 -0000

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Friday, January 23, 2015 3:13 PM
> To: ⌘ Matt Miller; John Bradley; Mike Jones
> Cc: Richard Barnes; Jim Schaad; jose@ietf.org
> Subject: Re: [jose] Working Group last call on draft-ietf-jose-jwk-thumbprint
> 
> On 23/01/15 21:50, ⌘ Matt Miller wrote:
> > Or maybe we seriously consider SPKI.
> 
> Yes. It works. It's used elsewhere so offers better interop. All libraries
> support it so coding up the thumbprint stuff with that is trivial and far less
> error prone.

I believe you that you have SPKI support if you're writing in C/C++, Java, or C# but not necessarily if you're writing in JavaScript, Ruby, Python, etc.

> It avoids any need for (even more) pointless debate about
> hash-input nitpicking. There's less spec text needed too. All useful
> asymmetric algs will have a well defined SPKI for the next decade because
> those are used in TLS and for the WebPKI which is not going away no matter
> how much you want it to go away. That is a pile of advantages.
> 
> And, most important, there is zero advantage in pointlessly inventing a new
> variation. Frankly the supposed advantages offered so far:
> 
> - - a line or two less code, (maybe, maybe not,
>   unimportant in any case)
> - - "not asn.1" (nonsense, SPKI needs no generic
>   asn.1 support, we've known for decades how
>   to do without that, and your library constructs
>   the octets from the key already)
> - - "it should be json" (more nonsense, it's a hash
>   input and never sent or stored, nobody cares what
>   format it has)
> 
> ...are utterly unconvincing in any rational view.

If you follow this line of reasoning to its logical conclusion, we would have insisted on people always using SPKI and/or X.509 key representations, rather than "pointlessly inventing a new variation" called JWK.  And for that matter, we would have insisted on people using CMS rather than developing JWS and JWE. ;-)

I'm not saying that it's not possible to construct SPKI hash inputs from JWKs in JavaScript, etc., but creating the one specified in the draft seems a lot more straightforward to me if what you already have is a JWK.

> PS: As another data point, the W3C sub-resource integrity spec [1] uses ni
> URIs today. I've no idea if that's likely to last into a W3C REC or get deployed,
> but seems to me like not-reinventing in this space is one sensible thing those
> folks have
> (sensibly:-) done, given the utter lack of benefit from re-inventing.
> 
> [1] http://www.w3.org/TR/SRI/

P.S.  There's nothing stopping someone from writing a very short draft also registering header parameter names for hashes of SPKI key values.  I'm all for that.  Then people can vote with their feet (with their code) on which they prefer to build and use.

				-- Mike

v2.23.0 | Report a Bug | By Email