Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-encryption-33: (with DISCUSS and COMMENT)
⌘ Matt Miller <mamille2@cisco.com> Mon, 20 October 2014 17:05 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1632D1A6F5D; Mon, 20 Oct 2014 10:05:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.211
X-Spam-Level:
X-Spam-Status: No, score=-14.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Yuc9vyNvviR; Mon, 20 Oct 2014 10:05:42 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEE611A6F60; Mon, 20 Oct 2014 09:53:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9194; q=dns/txt; s=iport; t=1413824035; x=1415033635; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=McVS9xMB+Fah71cQDY97hk7LwtI5ZIkNiAGlxmV2rD4=; b=XBQ5jInPpTMKTUI7MkF9l2RkF4shlPyjRSgHSvEQON2I7QmGLKF5Ddl5 wo8NinqqynNeYRVZhZSgCz5+Hf/6HT+txJL+T6AVUPd0BLJlHMm4L61B3 Bc++nxrac4Zo3iE2IHsT5jx/dybZJku+dGTjzv4ZWYKQwR5LWJKFyJBM6 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhoFAAg9RVStJA2N/2dsb2JhbABcgw5TWASDAsAOiRAKh00CgRMWAX2EAgEBAQQBAQEgDwE0BwoBDAQLDgMEAQEBAgIFFgQEAwICCQMCAQIBFR8JCAYBDAEFAgEBBYg2DbFClC0BAQEBAQEBAQEBAQEBAQEBAQEBAQEXgSyOQxEBHTMHBoJxgVQBBIUVgRiFNYplhxOBMDyDCoJyijmEAYIAHhaBYk0BgQ45gQMBAQE
X-IronPort-AV: E=Sophos;i="5.04,757,1406592000"; d="scan'208";a="88683217"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by alln-iport-5.cisco.com with ESMTP; 20 Oct 2014 16:53:54 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by alln-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id s9KGrrUn001043 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 20 Oct 2014 16:53:53 GMT
Received: from [10.129.24.59] (10.129.24.59) by xhc-rcd-x08.cisco.com (173.37.183.82) with Microsoft SMTP Server (TLS) id 14.3.195.1; Mon, 20 Oct 2014 11:53:53 -0500
Message-ID: <54453E25.3030705@cisco.com>
Date: Mon, 20 Oct 2014 10:53:57 -0600
From: ⌘ Matt Miller <mamille2@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>
References: <20141002033659.31345.52942.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAFAE6C@TK5EX14MBXC286.redmond.corp.microsoft.com> <CAL02cgQh8cW_ye-E16fYYKDMco7W8q-sHVDFpvUUeS+CqPm30Q@mail.gmail.com>
In-Reply-To: <CAL02cgQh8cW_ye-E16fYYKDMco7W8q-sHVDFpvUUeS+CqPm30Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.129.24.59]
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/ExeviGdD8Gan-0Mv475La8hqDRA
Cc: "draft-ietf-jose-json-web-encryption@tools.ietf.org" <draft-ietf-jose-json-web-encryption@tools.ietf.org>, "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-encryption-33: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 17:05:45 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10/20/14, 10:21 AM, Richard Barnes wrote: > > > On Sat, Oct 11, 2014 at 6:19 PM, Mike Jones > <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> > wrote: > > Thanks for your review, Richard. Responses are inline below... > >> -----Original Message----- From: jose >> [mailto:jose-bounces@ietf.org > <mailto:jose-bounces@ietf.org>] On Behalf Of Richard Barnes >> Sent: Wednesday, October 01, 2014 8:37 PM To: The IESG Cc: >> draft-ietf-jose-json-web-encryption@tools.ietf.org > <mailto:draft-ietf-jose-json-web-encryption@tools.ietf.org>; jose- >> chairs@tools.ietf.org <mailto:chairs@tools.ietf.org>; > jose@ietf.org <mailto:jose@ietf.org> >> Subject: [jose] Richard Barnes' Discuss on > draft-ietf-jose-json-web-encryption- >> 33: (with DISCUSS and COMMENT) >> >> Richard Barnes has entered the following ballot position for >> draft-ietf-jose-json-web-encryption-33: Discuss >> >> When responding, please keep the subject line intact and reply >> to > all email >> addresses included in the To and CC lines. (Feel free to cut >> this > introductory >> paragraph, however.) >> >> >> Please refer to > http://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found >> here: >> http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption/ > >> > >> >> >> ---------------------------------------------------------------------- > >> > DISCUSS: >> ---------------------------------------------------------------------- > >> > >> Overall, this document is in much more solid shape than when it >> began. Thanks to the WG for a lot of hard work. I only have one > remaining concern, >> that should hopefully be easy to address. >> >> Section 7.2. I've had several implementors trying to use JWE in >> the JSON > serialization ask >> why it was necessary to include a "recipients" array in cases > where there's only >> one recipient. It seems like this is going to be a major >> barrier > to deployment and >> re-use, so I would propose including the following text: """ In >> cases where the JWE is encrypted for only one recipient, the > "recipients" array >> will contain a single object. In such cases, the elements of >> the > "recipients" array >> MAY be included at the top level of the JWE object. If the > generator of a JWE >> chooses to use this representation then all unprotected header > parameters >> MUST be carried in the "header" field, and the "unprotected" >> field > MUST be >> absent. A JSON-formatted JWE that contains a "recipients" field > MUST NOT >> contain a "header" or "encrypted_key" field, and vice versa. """ >> This may also require some other changes where "recipients" is > relied on, e.g., in >> Section 9. > > My response to this parallels that to the similar DISCUSS about > JWS. > > That said, I actually have marginally *more* concerns about this > proposal than the JWS one, because you're making an arbitrary > choice between the multi-recipient "unprotected" parameter and the > per-recipient "header" parameter, and dictating that one be used > in preference to another in the proposed case where "recipients" > array is not present. This adds an additional level of > non-parallelism that isn't present in the JWS case. > > For those following along, here are the two mostly equivalent > syntaxes that implementations would have to support in Richard's > proposal: > > {"protected":"<integrity-protected shared header contents>", > "unprotected":<non-integrity-protected shared header contents>, > "recipients":[ {"header":<per-recipient unprotected header 1 > contents>, "encrypted_key":"<encrypted key 1 contents>"}], > "aad":"<additional authenticated data contents>", > "iv":"<initialization vector contents>", "ciphertext":"<ciphertext > contents>", "tag":"<authentication tag contents>" } > > and > > {"protected":"<integrity-protected shared header contents>", > "header":<per-recipient unprotected header 1 contents>, > "encrypted_key":"<encrypted key 1 contents>", "aad":"<additional > authenticated data contents>", "iv":"<initialization vector > contents>", "ciphertext":"<ciphertext contents>", > "tag":"<authentication tag contents>" } > > Plus, there would be a third syntax if use of the "unprotected" > parameter were not arbitrarily ruled out, as his proposal does: > > {"protected":"<integrity-protected shared header contents>", > "unprotected":<non-integrity-protected shared header contents>, > "header":<per-recipient unprotected header 1 contents>, > "encrypted_key":"<encrypted key 1 contents>", "aad":"<additional > authenticated data contents>", "iv":"<initialization vector > contents>", "ciphertext":"<ciphertext contents>", > "tag":"<authentication tag contents>" } > > During the Denver interim meeting in April 2013 and subsequent > working group decisions we all agreed to a specific syntax for the > JWE JSON Serialization. We explicitly agreed to have a > "recipients" array, since this serialization enables multiple > recipients. This syntax was incorporated in draft -11 in May 2013 > and has been stable since then. Given you were an inventor of this > syntax, Richard, I'm surprised to see you questioning it now, this > late in the process. > > I'll therefore ask you to withdraw this DISCUSS, since having > multiple syntaxes to represent the same semantics can only hurt > interoperability. > > > FWIW, I'm not necessarily proposing multiple syntaxes. I would be > A-OK with requiring that single-recipient JWEs follow the > simplified syntax. > > My comments on the JWS thread about the multiple-recipient case > reducing to the single-recipient case also apply here. An > implementor is going to have to build a single-recipient version > *anyway*, since that's how the crypto works, so we might as well > make the syntax match. > > --Richard > As I think I've said in previous discussions about the JSON serialization, I can live with something verbose *BUT* would rather like a lighter syntax for the single-encrypt JSON serialization. While multiple recipients is not quite as rare in encryption as it is for signing, single-encrypt is still the more common usecase, and so optimizing for it seems like a good thing. > > > >> ---------------------------------------------------------------------- > >> > COMMENT: >> ---------------------------------------------------------------------- > >> > >> Section 3.3. Why doesn't this example include the JSON encoding? > > Same answer as to your parallel question on JWS. > >> Section 4.1.3. "This Header Parameter MUST be integrity >> protected" Why is this the case? There is no security reason >> that "zip" must be integrity- protected, and this requirement >> isn't made for any other parameter. > > ekr and others stated reasons for this when the compromise about > allowing some non-integrity-protected parameters was reached. I > believe that they boiled down to ensuring that an attacker > couldn't vary the contents of the plaintext by changing the "zip" > parameter value as part of an attack. Given the effectiveness of > the CRIME attack against compression in SPDY since then, this > advice seems all the more sound in retrospect. > >> Section 7.2. The requirement that the "recipients" field MUST be >> present seems odd. What's the justification for this? > > Simplicity. The structure of a JWE using the JSON Serialization > is always the same that way, simplifying generators and parsers. > If this weren't the case, they'd have to have a special case for > the situation where the "recipients" array was omitted. > >> Appendix A seems kind of unnecessary given >> draft-ietf-jose-cookbook. > > Developers have found the examples to be useful in practice. > Having more in the cookbook just adds value, without detracting > from the value of the examples in the JWE spec. > >> _______________________________________________ jose mailing >> list jose@ietf.org <mailto:jose@ietf.org> >> https://www.ietf.org/mailman/listinfo/jose > > Thanks again, -- Mike > > > > > _______________________________________________ jose mailing list > jose@ietf.org https://www.ietf.org/mailman/listinfo/jose > - -- - - m&m Matt Miller < mamille2@cisco.com > Cisco Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iQEcBAEBCgAGBQJURT4lAAoJEDWi+S0W7cO1oUoH/icet/JldtOQKwedTjDu2bY0 J8y9Ahy9rVgN8TbDxoKhSt/GFu2CIIZ5BaNvcV7uViHlI6ip8gPhbhmcIyNiAOUj ZEFk8Xu5UfOmWDYdxSfJy+R9I7mGJZDY5ikZGrMgp3Kz/JUNFv8Q3XHte4Dq2txJ ELkRob7PSQnbcf2qycamGH9vEEeVKGMvz+UFU2jwcwF3ewi8kJFXSYbhP2bgSSfu pgS3nURakFa7hpQjoFFDsrF0USFojlUfYUaqeiWwg4NRUrKwZ42hcgd3RRKj+TbY t1AZq+9pLzNQ4bmJEC9rp3cBN/8bXxOT28CHNqeVZyPD7owKK+HAp3mValwA06k= =J5EG -----END PGP SIGNATURE-----
- [jose] Richard Barnes' Discuss on draft-ietf-jose… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… ⌘ Matt Miller
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Martin Thomson
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Jim Schaad
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Kathleen Moriarty
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes