Re: [jose] Gen-ART review of draft-ietf-jose-json-web-signature-31
Mike Jones <Michael.Jones@microsoft.com> Tue, 23 September 2014 23:03 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D690D1A8957; Tue, 23 Sep 2014 16:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.399
X-Spam-Level:
X-Spam-Status: No, score=0.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MANGLED_LIST=2.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id odS-qJBJgwD5; Tue, 23 Sep 2014 16:03:46 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0132.outbound.protection.outlook.com [207.46.100.132]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BAC81A8907; Tue, 23 Sep 2014 16:03:46 -0700 (PDT)
Received: from CO2PR03CA0026.namprd03.prod.outlook.com (10.141.194.153) by BY2PR03MB394.namprd03.prod.outlook.com (10.141.141.13) with Microsoft SMTP Server (TLS) id 15.0.1039.15; Tue, 23 Sep 2014 23:03:44 +0000
Received: from BY2FFO11FD018.protection.gbl (2a01:111:f400:7c0c::162) by CO2PR03CA0026.outlook.office365.com (2a01:111:e400:1414::25) with Microsoft SMTP Server (TLS) id 15.0.1034.13 via Frontend Transport; Tue, 23 Sep 2014 23:03:44 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD018.mail.protection.outlook.com (10.1.14.106) with Microsoft SMTP Server (TLS) id 15.0.1029.15 via Frontend Transport; Tue, 23 Sep 2014 23:03:43 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.23]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.03.0195.002; Tue, 23 Sep 2014 23:03:30 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: Gen-ART review of draft-ietf-jose-json-web-signature-31
Thread-Index: AQHPv9ECk81UIBSPuUyJNF9LPTtocJvh7EOwgC2X+JA=
Date: Tue, 23 Sep 2014 23:03:29 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BA6ED86@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <D4999910-8500-4114-9670-08436D64FF28@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.78]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439BA6ED86TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(438002)(199003)(189002)(13464003)(377454003)(377424004)(51914003)(51444003)(86362001)(19273905006)(19300405004)(64706001)(92566001)(107046002)(20776003)(92726001)(86612001)(512954002)(97736003)(19580395003)(19580405001)(83322001)(44976005)(6806004)(15975445006)(2501002)(81342003)(80022003)(79102003)(69596002)(74662003)(230783001)(104016003)(66066001)(68736004)(77982003)(71186001)(19617315012)(90102001)(46102003)(74502003)(81542003)(85852003)(83072002)(77096002)(95666004)(76176999)(54356999)(50986999)(85306004)(99396002)(31966008)(55846006)(561944003)(10300001)(120916001)(84676001)(16236675004)(4396001)(85806002)(76482002)(81156004)(106466001)(33656002)(84326002)(2656002)(16297215004)(21056001)(87936001)(15202345003)(106116001)(19625215002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB394; H:mail.microsoft.com; FPR:; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB394;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0343AC1D30
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/F1iJq1xw2bdLxaY69tsVBIIh-xg
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [jose] Gen-ART review of draft-ietf-jose-json-web-signature-31
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Sep 2014 23:03:51 -0000
Thanks again for your review, Russ. The proposed resolutions below have been applied in the -32 draft.
-- Mike
From: Mike Jones
Sent: Monday, August 25, 2014 6:22 PM
To: 'Russ Housley'
Cc: jose@ietf.org
Subject: RE: Gen-ART review of draft-ietf-jose-json-web-signature-31
Thanks for the useful review, Russ. Proposed resolutions to your comments follow inline. Please let me know if you agree. Also, working group members, please follow this discussion, as these comments will likely result in changes to the current drafts.
-----Original Message-----
From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of Russ Housley
Sent: Sunday, August 24, 2014 12:23 PM
To: draft-ietf-jose-json-web-signature.all@tools.ietf.org<mailto:draft-ietf-jose-json-web-signature.all@tools.ietf.org>
Cc: IETF Gen-ART; IETF
Subject: Gen-ART review of draft-ietf-jose-json-web-signature-31
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
Please resolve these comments along with any other Last Call comments you may receive.
Document: draft-ietf-jose-json-web-signature-31
Reviewer: Russ Housley
Review Date: 2014-08-24
IETF LC End Date: 2014-09-03
IESG Telechat date: unknown
Summary: Not quite ready. Some issues to resolve.
Major Concerns:
- At first reading, I thought that Sections 2 and 3 were defining the
same terms. On the second or third reading, I figured it out.
I think it would be more clear in Section 3 to state that a JWS is
constructed from a sequence of the things that are already defined
in Section 2.
I understand that there is some repetition between the Terminology section and the JWS Overview section. I will plan to eliminate this duplication in the manner you suggested - by simply using, rather restating the definitions of, the terms, and saying that they are defined above. (Jim Schaad - note that this will condense some of the text that you'd requested be added to Section 3 to explicitly spell out the parts of a JWS, and will result in a parallel change to JWE. Is that OK with you?)
- In Section 5.2, it says that in some cases, all must successfully
validate, but in other cases, only a specific signature, MAC, or
plaintext value needs to be successfully validated. How does the
recipient know which case applies?
The recipient knows what application it is part of, and so knows the application decisions described in 5.2, paragraph 2 about whether all or some signatures must validate.
I do agree that the text in step 9 (signature validation) could be read as being in conflict with paragraph 2. I'll plan to modify this to say that the step records whether the signature validated, rather than saying that it must validate. Then I'll add a step 11 saying to reject the input if no signature validated and a step 12 saying to return a result indicating which signatures were successfully validated, so that the application can determine whether to accept the input and which signatures to trust. Will that work for you?
It's more complicated a description, but a more general description of the things that can happen in the multiple signatures case, in which some signatures validate and some don't and you may need to tell the application which ones were good and which were bad. (It's much simpler in the single signature case, in which you can make a simple accept/reject decision.)
- In Section 8, why not say that TLS 1.2 or later MUST be supported?
This text is modelled after http://tools.ietf.org/html/rfc6749#section-1.6, but updated to remove the reference to TLS 1.0. I don't believe the working group felt that it had sufficient data on TLS 1.2 deployment to understand whether it could now safely mandate 1.2 or whether this would effectively mean that many deployments would be non-conformant. Is there data saying that greater than N% of devices in common use now support TLS 1.2 - where N% is preferably over 90%? It would be good have such data about commonly used platforms such OS X, iOS, Android, Linux, and Windows to help inform this decision.
- Section 10 says, "The entire list of security considerations is
beyond the scope of this document..." This reads like a red flag to
me. While it is not possible to discuss every possible implementation
consideration that impacts security, the document should cover the
topics discussed in RFC 3552. At a minimum, I think the following
need to be discussed:
-- the consequences of compromise of the signer's private key
-- the consequences of compromise of the MAC key
-- the consequences of poor random numbers, which are needed for
more than just key entropy with some algorithms like ECDSA
-- awareness that cryptographic algorithms become weaker with time
I agree that the phrase "The entire list of security considerations is beyond the scope of this document..." adds no or negative value. I'll remove it.
I'll also plan to explicitly make sure that we address the topics in your list above and go through RFC 3552 looking for others that we need to cover.
Minor Concerns:
- Section 1, 1st paragraph says: "The JWS cryptographic mechanisms
provide integrity protection for an arbitrary sequence of octets."
This is true, but this is not the whole story. A sentence or two
should be added about when a signature mechanism is appropriate
and when a MAC mechanism is appropriate. Alternatively, a pointer
to Section 10.4 could be included.
I will plan to add the pointer to Section 10.4.
- In Section 4.1.4, should the value match the subject key identifier
if an X.509 certificate is used?
That was not an intended usage of this field, although nothing precludes particular applications from specifying its use in that manner. Its intended usage is to match JWK "kid" values, as described. I don't plan to make a change to the document in response to this comment unless you believe that one is truly necessary.
- In Section 4.1.5, why is TLS required to fetch digitally signed
X.509 certificates?
This question was explicitly discussed by the working group at IETF 87. The discussion is recorded in the minutes<http://www.ietf.org/proceedings/87/minutes/minutes-87-jose> as follows:
If there is an x5u pointing to a certification issued by a major CA, is TLS required for the HTTP query used to retrieve this certificate? TLS shouldn't be needed since the certificate is a signed object. Therefore, the "MUST" use TLS for cert retrieval should be changed to "SHOULD". This is an application decision. Mike Jones doesn't want removal of TLS in the case where there's no external means to verify the retrieved key. Matt Miller: agrees with the jku case, but argues that for x5u, there is a class of applications where it isn't known if the retrieved object is self-protecting (like a certificate) until after it is retrieved. Even if the object appears to be self-protecting, if the retriever doesn't have a trusted root for that object, it might not be able to verify the protection anyhow. So it use of TLS might still be preferable instead of having to potentially retrieve an object twice, once over HTTP and then over HTTPS. Joe Hildebrand wanted to know what the upside of this proposal is. Richard says it saves on TLS handshakes; Hildebrand envisions a world where TLS is ubiquitous. Paul Hoffman said that a similar issue in DANE ended up being dropped after a couple of months of discussion. Richard agreed to drop the TLS MUST to SHOULD proposal.
- Section 10.2 talks about chosen plaintext attacks. However, there
are much worse things than chosen plaintext attacks that will result
if a third party can get a signer to sign a content of its choosing.
What's there now is about attackers getting to choose part of the plaintext. I think you're talking about attacks in which the attacker gets to choose the whole plaintext, which is clearly far worse. At that point, the signature of the signer obviously becomes pretty worthless. Is that your point here? If so, I could take a stab at writing something about this, or you could suggest some text if you'd like.
Other Comments:
- I suggest a rewording for a part of Section 2:
OLD:
JOSE Header
JSON object containing the parameters describing the cryptographic
operations and parameters employed. The members of the JOSE
Header are Header Parameters.
NEW:
JOSE Header
JSON object containing the parameters describing the cryptographic
operations and parameters employed. The JOSE Header is composed
of a set of Header Parameters.
OK
- I think that Section 3.1 would be more clear by saying:
In the JWS Compact Serialization, a JWS object is represented as:
BASE64URL(UTF8(JWS Protected Header)) || "." ||
BASE64URL(JWS Payload) || "." ||
BASE64URL(JWS Signature)
OK
- I think that Section 3.1 would be more clear by saying:
In the JWS JSON Serialization, a JWS object is represented as:
BASE64URL(UTF8(JWS Protected Header)) || "." ||
JWS Unprotected Header || "." ||
BASE64URL(JWS Payload) || "." ||
BASE64URL(JWS Signature)
This isn't accurate. Assuming you're talking about 3.2, the representation isn't the concatenation above - it's a JSON object containing some or all of the values above. Nonetheless, I can try to revise the text to be more direct here as well.
Then, the text needs to say that whitespace may appear anywhere.
OK
- Some additional whitespace would make Section 7.2 easier to read.
OK
- The IANA Considerations section requires the establishment of a new
mail list: jose-reg-review@ietf.org<mailto:jose-reg-review@ietf.org>. The process for setting up the
list is described at the bottom of this web page:
http://www.ietf.org/list/nonwg.html.
This text was taken from RFC 6749 and the list is modelled after the oauth-ext-review@ietf.org<mailto:oauth-ext-review@ietf.org> list described therein. It's not clear to me whether you want a change to the draft (if so please specify) or whether you were just being helpful (which is appreciated).
Thanks again,
-- Mike
- Re: [jose] Gen-ART review of draft-ietf-jose-json… Mike Jones
- Re: [jose] Gen-ART review of draft-ietf-jose-json… Jim Schaad
- Re: [jose] Gen-ART review of draft-ietf-jose-json… Mike Jones
- Re: [jose] Gen-ART review of draft-ietf-jose-json… Kathleen Moriarty
- Re: [jose] Gen-ART review of draft-ietf-jose-json… Mike Jones
- Re: [jose] Gen-ART review of draft-ietf-jose-json… Kathleen Moriarty
- Re: [jose] Gen-ART review of draft-ietf-jose-json… Mike Jones
- Re: [jose] Gen-ART review of draft-ietf-jose-json… Mike Jones