[jose] Re: Do you need the JWP JSON Serialization?

Orie Steele <orie@transmute.industries> Fri, 09 August 2024 13:25 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59E81C151527 for <jose@ietfa.amsl.com>; Fri, 9 Aug 2024 06:25:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yp0WBnKo-jRp for <jose@ietfa.amsl.com>; Fri, 9 Aug 2024 06:24:59 -0700 (PDT)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 379E5C14F61E for <jose@ietf.org>; Fri, 9 Aug 2024 06:24:59 -0700 (PDT)
Received: by mail-pg1-x534.google.com with SMTP id 41be03b00d2f7-7a130ae7126so1458394a12.0 for <jose@ietf.org>; Fri, 09 Aug 2024 06:24:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1723209898; x=1723814698; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=xgIuVlPFustc/DSR//11mAIB8j90sZEUDTN0D+0FDSU=; b=DW+CJU1FQgl5kgQ0E4CKpykP0fTrpbCQWlnFR/2kDHuTYoh+qSkoKQmZRedlCbjRW+ 0C6NuDAWlqVccWBd+AeZIMIR3Vc4jy8n0hZawJ1wDbCT/pN3FJxHVzqVbOKWYkj+4rJ1 j3Q9j7fYmjddv0f4wkjrlgYnSo952EpD1MWk3niBs8+PCqV5MXLZs6ldD1XGc+BPo0ZK x0OgqYV+bp2wCCh24av5itAKEX4N+PGShD3D/C1smM2Hq1tPzlKMF1XtzonG14PfYIRB qXFDJeGXeyLrkN+vX7g/hXhgrOVstJnj+phmvNdQARnp7ctS1kzsXwlfMA3PRUhM53gX LWlg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723209898; x=1723814698; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=xgIuVlPFustc/DSR//11mAIB8j90sZEUDTN0D+0FDSU=; b=iQe5LDq4BV1Yd1LqpR1XyGna3mei1RnuoRNiKVHeVz7KS5DZGPlDJK68gXwMxNYb6A 8YrMYjqtpSuJNSKKm/6okZ+4Ya7yGXBXLNpSPcHdrikL8xIK9okmjgYGIYC87pbmfF7n Yr6tZZ3uWP2IUzEI3N2CCH2QT6c/tV+xMjkSSRMLnIaHcJhdBYkvbmzNVKys2u2SPgsj Py7U2gaCvZdjAr5ck2zl2kiE1drc9vN04GphmAlnWI1ro5ZzLy0kKRKyhUMazx0QcNbk 6mwqzpBGo/twpY8ZfmH4CqFeXZprjotYpr2RNaH4lu7IgCJ5A8kYPIqSvbm4DMG82K+M tizg==
X-Forwarded-Encrypted: i=1; AJvYcCVji/RE1r7yw/p/ZRTyIO6F58lbCMQootsY1yZ0+KO7+hEByeENTiYBQrYe+yqgh9laIw8N7S7zELI0ebmG
X-Gm-Message-State: AOJu0YyLxvLpdxLM7Cgq25amSDsCMbjzt7Iegmuu/obVsnIYF899KScU m3mK/BxdQvUEPViMfYbA++iAKSJoOvKGL+MGNUvb3vFjVfCG7lQeLUW9RT+9bzdskunyLt0nta1 19sjEuA55/P+sHhHQjQSovr1/ysz8h0+vrLdmdw==
X-Google-Smtp-Source: AGHT+IFt8bA0nR8ds0c5V28xQqv9aF3VolLjJWMeAPcA/gJ9OJzAaCJ8JMG6zPYX6A5WfmmyvaAcp7DG2VqiZGlGgqo=
X-Received: by 2002:a17:90a:6d26:b0:2cb:3306:b2cc with SMTP id 98e67ed59e1d1-2d1e7f96b43mr1737224a91.1.1723209898000; Fri, 09 Aug 2024 06:24:58 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_JeE=RCsw4VhMT85DOVwyxvs4PCDHWQOOh-WENVt=CbPg@mail.gmail.com> <D1EB7404-573A-46F2-A7D5-EC72E917F24C@gmail.com>
In-Reply-To: <D1EB7404-573A-46F2-A7D5-EC72E917F24C@gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Fri, 09 Aug 2024 08:24:47 -0500
Message-ID: <CAN8C-_+Gx1B7SU6X_wkZSz-4VhPJXh=MO4wJ2gAqq6_Aq8e+Wg@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000d81fc5061f401114"
Message-ID-Hash: Z7PJNFEEK4HYONEJHXIW4ZCSKI4TLNGF
X-Message-ID-Hash: Z7PJNFEEK4HYONEJHXIW4ZCSKI4TLNGF
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Brian Campbell <bcampbell@pingidentity.com>, jose@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: Do you need the JWP JSON Serialization?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/FuZZFxGgeuPrvta3RwypZS4TikY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

On Fri, Aug 9, 2024 at 2:00 AM Neil Madden <neil.e.madden@gmail.com> wrote:

>
>
> On 8 Aug 2024, at 23:34, Orie Steele <orie@transmute.industries> wrote:
>
> On Thu, Aug 8, 2024 at 3:26 PM Neil Madden <neil.e.madden@gmail.com>
> wrote:
>
>>
>>
>> On 8 Aug 2024, at 20:44, Orie Steele <orie@transmute.industries> wrote:
>>
>> 
>> That only applies to "SD-JWT+KB"
>>
>>
>> I don’t think so, otherwise SD-JWT would not be secure. The signature
>> covers the claims, which includes the hashes of all the disclosures. Thus
>> the disclosures are all protected (cannot be altered/forged) and immutable.
>>
>
> In SD-JWT (without +KB) the Issuer's signature covers the claims which
> include hashes of the disclosures, that is true.
>
> The order of ~ separated stuff is not secured ... because that stuff is
> not included in the claims.
>
>
> What security property do you think is being violated here?
>

I'm just describing how SD-JWT works.
My point is that this part is similar to how COSE Sign1 works as well.
In COSE Sign1 the unprotected header is also unordered, and not integrity
protected.


>
> There could also be extra stuff that appears to be disclosures, but is
> actually not in the issuer SD-JWT.
> See:
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-5.3.1
>
>
>>
>> [..]
>>
>> Unless I am mistaken, there is no ordering requirement for the SD-JWT
>> without key binding, so the disclosures are mutable, until the holder makes
>> them immutable by applying key binding:
>>
>>
>> They are an unordered set, so this “mutability” is irrelevant.
>>
>
> Exactly, they are unordered, and unsecured (they are outside of the JWT).
>
>
> This is not what unsecured means.
>

ok, perhaps I should have said "unprotected".


>
>
> See
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-8.1
>
> """
> If any digest value is encountered more than once in the Issuer-signed JWT
> payload (directly or recursively via other Disclosures), the SD-JWT MUST be
> rejected.
> If any Disclosure was not referenced by digest value in the Issuer-signed
> JWT (directly or recursively via other Disclosures), the SD-JWT MUST be
> rejected.
> """
>
> This means it is possible for an adversary to cause an SD-JWT without key
> binding to be rejected, by dropping or adding properties... in between the
> issuer and the holder, before the key binding token is even possible to
> produce.
>
>
> This is trivially possible in any signature/MAC scheme: the crypto detects
> modifications it doesn’t prevent them.
>
> With apologies to Lea Kissner: cryptography is a tool for turning
> confidentiality and integrity threats into denial of service threats.
>

I completely agree with this point.


>
>
> The only way to know if this is the case as a holder is to perform the
> validation steps in 8.1 on the issuer signed SD-JWT (without KB) before
> considering attempting to use it.
> This property is ensured by: "The Holder or the Verifier MUST perform the
> following (or equivalent) steps when receiving an SD-JWT..."
>
> See:
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-9.3
>
> """
> In case of the General JSON Serialization, there are multiple unprotected
> headers (one per signature). If present, disclosures and kb_jwt, MUST be
> included in the first unprotected header and MUST NOT be present in any
> following unprotected headers.
> """
>
> In SD-JWT JSON Serialization, disclosures and kbt are transmitted in
> unprotected headers... You need to process them carefully as described in
> section 8.1, in order to be assured that they have not been tampered with.
>
>
> I’m not sure what you’re arguing here. There are things you have to do to
> validate any signature scheme. If you don’t do them, the security
> properties don’t apply. (If you want to discuss more misuse-resistant APIs,
> we can do that).
>

I'm not arguing for a change to SD-JWT or COSE Sign1, I am explaining how
they both use unprotected information together with protected information.


>
> In SD-JWT Compact serialization, disclosures and kbt are transmitted as
> concatenated strings... You need to process them carefully as described in
> section 8.1, in order to be assured that they have not been tampered with.
>
> The major difference between these 2 approaches is that there is no
> ability to include "other" unprotected material in the jwp compact
> serialization... this property is unique to JOSE compact serializations,
> because they cannot express unprotected headers.
> COSE / CWP will not have this problem... assuming it follows conventions.
>
> I think JOSE / JWP would be improved if support for unprotected headers
> was consistent in both compact and json.
>
>
> I don’t think this follows at all from your arguments.
>

Since COSE and JSON Serialized SD-JWT support unprotected headers, which
are an extensibility point, but compact SD-JWT does not support unprotected
headers, a better design for JWP would allow unprotected headers in both
compact and json serializations, or there would be just 1 serialization,
and it would support unprotected headers.

The reason I think this is an improvement is that it keeps supported
features aligned between JOSE and COSE, so there is no reason to pick 1
over the other except for in relation to serialization readability,
complexity, and size.

POST https://verifier.example/
content-type: application/jwp or application/jwp+json // both can contain
unprotected stuff

POST https://verifier.example/
content-type: application/cwp // can contain unprotected stuff

I'll argue the opposite to see if you agree with that position:

JWP should be like JWE/SD-JWT, it should not have an unprotected header in
compact serialization, but should have an unprotected header in JSON
Serialization, implementations that start with compact serialization but
need unprotected stuff, will either need to switch to json serialization,
or transport the unprotected stuff in a different part of the protocol, for
example:

POST https://verifier.example/
content-type: application/sd-jwt+json // contains unprotected stuff

POST https://verifier.example/?unprotected-stuff
content-type: application/sd-jwt // no unprotected stuff

POST https://verifier.example/
content-type: application/cwp // can contain unprotected stuff

In summary:

2 media types would be better than 3.
If there are 3 media types, there should not be major extensibility  /
interoperability differences in just 1 of them (the compact one).

If compact serialization supported unprotected headers, I think it's less
likely that jades would have done what it did... and the need for a JSON
serialization is reduced, and I would support deferring its specification
to some future document, when there is a need for it.


>
> — Neil
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>