IETF Logo Mail Archive

Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Mon, 20 October 2014 15:57 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD99C1A03E3 for <jose@ietfa.amsl.com>; Mon, 20 Oct 2014 08:57:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pE4v63KkXdRL for <jose@ietfa.amsl.com>; Mon, 20 Oct 2014 08:57:11 -0700 (PDT)
Received: from mail-vc0-f179.google.com (mail-vc0-f179.google.com [209.85.220.179]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D27301A01F9 for <jose@ietf.org>; Mon, 20 Oct 2014 08:56:00 -0700 (PDT)
Received: by mail-vc0-f179.google.com with SMTP id im17so3803018vcb.10 for <jose@ietf.org>; Mon, 20 Oct 2014 08:55:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=arR8Dm6LKSOnGspnV1iAu6YWUJv0eF2HnBUIykm1GA8=; b=DTTPkERLXyXioVc/nrTIIPF72T2sEjfRh0AD90nH5RazJlhL+sFVyqF51P8sSakENv YsuHOWYari1+g7v63aViRlxLK7RX3KvY8xDeapmKSRc/wkM3zsznv8T0KtEmiJ6P0JQ5 KIuSoPtMQYMoPGZoMu4EGVlmaOezkTLXg4euKTUOjCnNCqGEPSsG6kLup+cIDqAZ7ioo l1D0olhH2xLjhCQTMLlgXXyrKDvVBTXLClYfBCEojgtW34CII6GqZT+73ystyXMdDDTd MVKDKPo49adp3nIzcksPtp8EJTscj1WaFzqZ/jOIjefuNH/gPmE/YPiTiZ4TCeWeyT0n zhJA==
X-Gm-Message-State: ALoCoQmsurao16wHwQRv3RNqOttxJ6jNrQRvMgnZX0J/wSY0AtvJvKDS5sbtiABWvEzKwbsVTMQC
MIME-Version: 1.0
X-Received: by 10.52.233.164 with SMTP id tx4mr1814798vdc.65.1413820139260; Mon, 20 Oct 2014 08:48:59 -0700 (PDT)
Received: by 10.31.149.205 with HTTP; Mon, 20 Oct 2014 08:48:59 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BB18E4B@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20141002023617.18602.69709.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BAF0C49@TK5EX14MBXC286.redmond.corp.microsoft.com> <CAL02cgR6zHZpDHFwdZHvNd7+wHMwraqCtFz-u=Y3Ogfm9M6n3A@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439BAFACA8@TK5EX14MBXC286.redmond.corp.microsoft.com> <CAL02cgQD2X_ig_JOjW=MZ+jqeditrzm1kb2p+-U8HoiXUGtNoQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439BB18E4B@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Mon, 20 Oct 2014 11:48:59 -0400
Message-ID: <CAL02cgT131Yb0bh76wOm_B3eOQ27Zv_Ooi3Ho_rxs9BkB706LA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="089e011849c42d5da20505dca7f3"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/FK9-W-kObjxMHQIIKCvbskJoFw8
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "jose@ietf.org" <jose@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-jose-json-web-algorithms@tools.ietf.org" <draft-ietf-jose-json-web-algorithms@tools.ietf.org>
Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 15:57:13 -0000

On Sat, Oct 18, 2014 at 7:09 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> > > > Section 3.6.
> > > > I'm not going to object to "none", even though I think it's a very
> dangerous
> > > > feature because of the risk of confusion between Secured and
> Unsecured JWS.
> > > > But there needs to be stronger guidance:
> > > > 1. An implementation SHOULD NOT support "none" unless the implementer
> > > > knows that it will be used in application context s that require it.
> > > > 2. If an implementation does support "none", then it MUST NOT accept
> it as part
> > > > of generic JWS validation.  Instead, it should require the
> application to explicitly
> > > > signal that an Unsecured JWS is expected for a given validation
> operation.
> > >
> > > As discussed in the working group, your concern about applications
> inappropriately allowing the use of "none" actually is an instance of a
> more general concern that applications not allow *any* algorithms to be
> used that are not appropriate in their application contexts.  This concern
> is already addressed in the specification at the end of Section 5.2 as
> follows:
> > >
> > > "Finally, note that it is an application decision which algorithms are
> acceptable in a given context. Even if a JWS can be successfully validated,
> unless the algorithm(s) used in the JWS are acceptable to the application,
> it SHOULD reject the JWS."
> > >
> > > Since your specific concern is already handled in a more general way,
> I would like to request that you withdraw this DISCUSS on that basis.
> Also, you were one of the contributing authors to the security
> considerations on this topic in Section 8.5 of JWA (Unsecured JWS Security
> Considerations), so it's not clear that there's any cause for you to come
> back with additional wording change requests on this topic at this point.
> > >
> > > Thanks for reminding me about Section 8.5.  I think I would be
> satisfied here if the contents of Section 8.5 were just moved up to this
> section.  That way all of the requirements for implementing "none" will be
> together.
> >
> > Section 3.6 does end with the sentence "See Section 8.5 for security
> considerations associated with using this algorithm" so implementers are
> reminded to also pay attention to the security considerations.  If we were
> to do what you requested, this would be the only algorithm for which the
> security considerations were included in the algorithm description, rather
> than in the security considerations section, which would be fairly weird
> and non-parallel, editorially.
> >
> > Actually, "none" is the only algorithm for which there are additional
> normative requirements in the Security Considerations.  So it actually
> seems more sensible to move those requirements up.
> > I'm really just asking for a copy/paste here, shouldn't be invasive.
> But I do think the level of indirection creates security risk.
>
> I'm OK moving up the three sentences that actually do contain normative
> requirements.  Those are:
>
>    Implementations that support Unsecured JWS objects MUST NOT accept
>    such objects as valid unless the application specifies that it is
>    acceptable for a specific object to not be integrity-protected.
>    Implementations MUST NOT accept Unsecured JWS objects by default.
>    In order to mitigate downgrade attacks, applications MUST NOT signal
>    acceptance of Unsecured JWS objects at a global level, and SHOULD
>    signal acceptance on a per-object basis.
>
> I'm not OK cluttering up the normative description of the algorithm with
> the discussion text.  Assuming you're OK leaving the discussion text and
> "for example" text in 8.5, I think we have a way forward on this one.
> Please let me know if that works for you.
>

Sounds fine to me.  Thanks for the compromise.

--Richard



> > Again, given that you were an author of 8.5 and seemed fine with the
> resolution after the extensive discussion then, I'd ask you to clear the
> DISCUSS on that basis and not request that it be reworked again.
>
>                                 -- Mike
>
>

v2.23.0 | Report a Bug | By Email