Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Thu, 02 October 2014 04:07 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03BE31A0062 for <jose@ietfa.amsl.com>; Wed, 1 Oct 2014 21:07:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iigogMxReb-Z for <jose@ietfa.amsl.com>; Wed, 1 Oct 2014 21:07:47 -0700 (PDT)
Received: from mail-lb0-f177.google.com (mail-lb0-f177.google.com [209.85.217.177]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9C6A1A0060 for <jose@ietf.org>; Wed, 1 Oct 2014 21:07:46 -0700 (PDT)
Received: by mail-lb0-f177.google.com with SMTP id w7so1535411lbi.36 for <jose@ietf.org>; Wed, 01 Oct 2014 21:07:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=8A6daFnPjgF+NdnNASgKzhNf95i8KqeE8kRcIOe5ehg=; b=OyJA7t9MWfVIpvooVdOoOS7Jmyw+WUdzLPQBSk+94c59WBoO5mq0vAZb6d8nanfE4z rWT9tRGVO6+MPWzY+g0jocKo7OlNiSipk0w6Ens6VldGCdxGIm/8XtBrbuLNculKep5I cptAxX2xnkjC9sI6BZP9XZbxo940T157E7yfJxfKb0qu7pDbVc8ewQGVZZfuNeUHqWYj +XQzXyAejvAmFvEMpD/9Bx3FLv1kcoXiOdBzMgZl5Yr/fBKbH8diEQn9kAaxn7BKsK9k qYUWibTPpIATZKscQ8spElo8FrkJFWyDEkO7UzpaP7zYnon1t+7Mb+HkINtmhixGdPQS L/tA==
X-Gm-Message-State: ALoCoQmC8bKbjhDiZwGxP4pGZZcaidqhTsdEc7R1Ptsg8p9WiMv9p0piIP8E7BWuiPwafwQC3V8P
MIME-Version: 1.0
X-Received: by 10.112.167.137 with SMTP id zo9mr27659409lbb.0.1412222865116; Wed, 01 Oct 2014 21:07:45 -0700 (PDT)
Received: by 10.25.142.3 with HTTP; Wed, 1 Oct 2014 21:07:45 -0700 (PDT)
In-Reply-To: <0fba01cfddf4$393fb970$abbf2c50$@augustcellars.com>
References: <20141002023617.18602.69709.idtracker@ietfa.amsl.com> <0fba01cfddf4$393fb970$abbf2c50$@augustcellars.com>
Date: Thu, 02 Oct 2014 00:07:45 -0400
Message-ID: <CAL02cgT0KD1w7pmw=oSrnaDuzSdEvmBjwTkf7JWRHmxBLfVbjg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="001a11c2adde3814c7050468c29e"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/EoyekpbbFDt_oOw9mjG-aJ7QCag
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "jose@ietf.org" <jose@ietf.org>, The IESG <iesg@ietf.org>, "<draft-ietf-jose-json-web-algorithms@tools.ietf.org>" <draft-ietf-jose-json-web-algorithms@tools.ietf.org>
Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Oct 2014 04:07:53 -0000
On Wed, Oct 1, 2014 at 11:52 PM, Jim Schaad <ietf@augustcellars.com> wrote: > > > -----Original Message----- > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes > Sent: Wednesday, October 01, 2014 7:36 PM > To: The IESG > Cc: jose-chairs@tools.ietf.org; > draft-ietf-jose-json-web-algorithms@tools.ietf.org; jose@ietf.org > Subject: [jose] Richard Barnes' Discuss on > draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT) > > Richard Barnes has entered the following ballot position for > draft-ietf-jose-json-web-algorithms-33: Discuss > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-algorithms/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Section 3.2. > "This computed HMAC value is then compared to the result of base64url > decoding the received encoded JWS Signature value." > Need to add: > "In order to avoid timing attacks, the comparison of the computed HMAC > value > to the JWS Signature value MUST be done in a constant-time manner." > > Section 3.6. > I'm not going to object to "none", even though I think it's a very > dangerous > feature because of the risk of confusion between Secured and Unsecured JWS. > But there needs to be stronger guidance: > 1. An implementation SHOULD NOT support "none" unless the implementor knows > that it will be used in application context s that require it. > 2. If an implementation does support "none", then it MUST NOT accept it as > part of generic JWS validation. Instead, it should require the application > to explicitly signal that an Unsecured JWS is expected for a given > validation operation. > > Section 4.2. > Systems that support RSAES-PKCS1-V1_5 key unwrap are commonly vulnerable to > oracle attacks based on whether they accept the wrapped key or not. > See, e.g., > https://www.w3.org/Bugs/Public/show_bug.cgi?id=25431 > http://cryptosense.com/choice-of-algorithms-in-the-w3c-crypto-api/ > In light of that, it seems irresponsible to include this algorithm without > extensive security precautions, and especially irresponsible for it to be > REQUIRED. It's been dropped from WebCrypto, and is being dropped from TLS > in v1.3. > > Section 6.3.1. > The descriptions of these parameters are really vague, especially when it > comes to the "oth" parameters. Please cite a reference that provides more > detail, e.g., RFC 3447. > > Section 6.3.2.6. > This section defines the wrong parameter. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Section 1.1. > The pointer for BASE64URL should be to JWS. One level of indirection, > please :) > > Section 3.1, 4.1, and 5.1. > As I said in the working group, the implementation requirements in these > registries should be removed. They are unnecessary for interoperability, > and highly likely to be ignored by implementors, both because (1) many > implementations are for specific applications that do not require all of > the > REQUIRED algorithms, and (2) many implementations use cryptographic > libraries that do not support some REQUIRED algorithms. I have personally > written more than one JWS/JWE implementation that ignored these > requirements, for exactly these reasons. (This would be a DISCUSS for me, > if not for my having made this argument already in the WG.) > > Section 3.2. > "A key of the same size as the hash output (for instance, 256 bits for > "HS256") or larger MUST be used with this algorithm." > A pointer to Section 3 of RFC 2104 here would be helpful. I was surprised > at this requirement, given that FIPS 198 says "The size of the key, K, > shall > be equal to or greater than L/2, where L is the size of the hash function > output." > > [JLS] This does not seem to be the statement in sp800-107 rev1 (section > 5.3.4) which updated FIPS 198. It says that the security = min (length of > K, 2*C) where C is the internal barrel length. > Ah, OK. Thanks for the updated reference. I stand corrected. --Richard > > Section 3.4. > It might be worth noting that though this format seems ad-hoc, it is the > same used by WebCrypto. > > Section 4.7.1.1. > Shouldn't you require that this field MUST encode a 16-octet / 128-bit > value? > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > >
- [jose] Richard Barnes' Discuss on draft-ietf-jose… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Jim Schaad
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Brian Campbell
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Kathleen Moriarty
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes