Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)

"Jim Schaad" <> Thu, 02 October 2014 03:54 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 607861A005E; Wed, 1 Oct 2014 20:54:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PIITjRGaV4Tw; Wed, 1 Oct 2014 20:54:30 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A0DF11A005B; Wed, 1 Oct 2014 20:54:30 -0700 (PDT)
Received: from Philemon ( []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id C2E2638F17; Wed, 1 Oct 2014 20:54:29 -0700 (PDT)
From: Jim Schaad <>
To: 'Richard Barnes' <>, 'The IESG' <>
References: <>
In-Reply-To: <>
Date: Wed, 01 Oct 2014 20:52:01 -0700
Message-ID: <0fba01cfddf4$393fb970$abbf2c50$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGR3beyFFG5Lp+ASms+J6JYxjd+2pyYLF/w
Content-Language: en-us
Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 Oct 2014 03:54:32 -0000

-----Original Message-----
From: jose [] On Behalf Of Richard Barnes
Sent: Wednesday, October 01, 2014 7:36 PM
To: The IESG
Subject: [jose] Richard Barnes' Discuss on
draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)

Richard Barnes has entered the following ballot position for
draft-ietf-jose-json-web-algorithms-33: Discuss

When responding, please keep the subject line intact and reply to all email
addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


Section 3.2. 
"This computed HMAC value is then compared to the result of base64url
decoding the received encoded JWS Signature value."
Need to add:
"In order to avoid timing attacks, the comparison of the computed HMAC value
to the JWS Signature value MUST be done in a constant-time manner."

Section 3.6.
I'm not going to object to "none", even though I think it's a very dangerous
feature because of the risk of confusion between Secured and Unsecured JWS.
But there needs to be stronger guidance:
1. An implementation SHOULD NOT support "none" unless the implementor knows
that it will be used in application context s that require it.
2. If an implementation does support "none", then it MUST NOT accept it as
part of generic JWS validation.  Instead, it should require the application
to explicitly signal that an Unsecured JWS is expected for a given
validation operation.

Section 4.2.
Systems that support RSAES-PKCS1-V1_5 key unwrap are commonly vulnerable to
oracle attacks based on whether they accept the wrapped key or not. 
See, e.g.,
In light of that, it seems irresponsible to include this algorithm without
extensive security precautions, and especially irresponsible for it to be
REQUIRED.  It's been dropped from WebCrypto, and is being dropped from TLS
in v1.3.

Section 6.3.1.
The descriptions of these parameters are really vague, especially when it
comes to the "oth" parameters.  Please cite a reference that provides more
detail, e.g., RFC 3447.

This section defines the wrong parameter.


Section 1.1.
The pointer for BASE64URL should be to JWS.  One level of indirection,
please :)

Section 3.1, 4.1, and 5.1.
As I said in the working group, the implementation requirements in these
registries should be removed.  They are unnecessary for interoperability,
and highly likely to be ignored by implementors, both because (1) many
implementations are for specific applications that do not require all of the
REQUIRED algorithms, and (2) many implementations use cryptographic
libraries that do not support some REQUIRED algorithms.  I have personally
written more than one JWS/JWE implementation that ignored these
requirements, for exactly these reasons.  (This would be a DISCUSS for me,
if not for my having made this argument already in the WG.)

Section 3.2.
"A key of the same size as the hash output (for instance, 256 bits for
"HS256") or larger MUST be used with this algorithm."
A pointer to Section 3 of RFC 2104 here would be helpful.  I was surprised
at this requirement, given that FIPS 198 says "The size of the key, K, shall
be equal to or greater than L/2, where L is the size of the hash function

[JLS] This does not seem to be the statement in sp800-107 rev1 (section
5.3.4) which updated FIPS 198.   It says that the security = min (length of
K, 2*C) where C is the internal barrel length.

Section 3.4.
It might be worth noting that though this format seems ad-hoc, it is the
same used by WebCrypto.

Shouldn't you require that this field MUST encode a 16-octet / 128-bit

jose mailing list