Re: [jose] Ted Lemon's No Objection on draft-ietf-jose-json-web-signature-33: (with COMMENT)
Mike Jones <Michael.Jones@microsoft.com> Tue, 14 October 2014 12:52 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DB641A87C2; Tue, 14 Oct 2014 05:52:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level:
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zMc_SAUq6RyF; Tue, 14 Oct 2014 05:52:10 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0128.outbound.protection.outlook.com [65.55.169.128]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3697C1A87BB; Tue, 14 Oct 2014 05:52:10 -0700 (PDT)
Received: from BN3PR0301CA0030.namprd03.prod.outlook.com (25.160.180.168) by CY1PR0301MB1210.namprd03.prod.outlook.com (25.161.212.144) with Microsoft SMTP Server (TLS) id 15.0.1049.19; Tue, 14 Oct 2014 12:52:08 +0000
Received: from BY2FFO11FD042.protection.gbl (2a01:111:f400:7c0c::149) by BN3PR0301CA0030.outlook.office365.com (2a01:111:e400:4000::40) with Microsoft SMTP Server (TLS) id 15.0.1049.19 via Frontend Transport; Tue, 14 Oct 2014 12:52:08 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD042.mail.protection.outlook.com (10.1.14.227) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Tue, 14 Oct 2014 12:52:06 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.03.0210.003; Tue, 14 Oct 2014 12:51:58 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Ted Lemon <ted.lemon@nominum.com>, The IESG <iesg@ietf.org>
Thread-Topic: Ted Lemon's No Objection on draft-ietf-jose-json-web-signature-33: (with COMMENT)
Thread-Index: Ac/nrZ6aE9Zw5colS6KD69A0INeaGQ==
Date: Tue, 14 Oct 2014 12:51:58 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB0D4C5@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(377454003)(51914003)(189002)(43784003)(13464003)(52044002)(51704005)(199003)(52604005)(50986999)(77096002)(23676002)(66066001)(99396003)(15975445006)(120916001)(31966008)(106466001)(15202345003)(86362001)(81156004)(92726001)(54356999)(86612001)(92566001)(107046002)(87936001)(95666004)(33656002)(97736003)(2656002)(21056001)(85806002)(76482002)(85852003)(19580395003)(19580405001)(69596002)(44976005)(26826002)(46102003)(68736004)(80022003)(85306004)(104016003)(6806004)(230783001)(20776003)(47776003)(64706001)(84676001)(50466002)(4396001)(55846006); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB1210; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB1210;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03648EFF89
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/GlSqadxcXMzbRAGSOIUcvWimB54
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "jose@ietf.org" <jose@ietf.org>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>
Subject: Re: [jose] Ted Lemon's No Objection on draft-ietf-jose-json-web-signature-33: (with COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 12:52:13 -0000
The resolutions proposed below have been incorporated in the -34 draft. Thanks again, -- Mike > -----Original Message----- > From: Mike Jones [mailto:Michael.Jones@microsoft.com] > Sent: Monday, October 06, 2014 12:54 AM > To: Ted Lemon; The IESG > Cc: jose-chairs@tools.ietf.org; draft-ietf-jose-json-web- > signature@tools.ietf.org; jose@ietf.org > Subject: RE: Ted Lemon's No Objection on draft-ietf-jose-json-web-signature- > 33: (with COMMENT) > > Thanks for the review, Ted. I've added the working group to the thread so > they're aware of your comments. > > > -----Original Message----- > > From: Ted Lemon [mailto:ted.lemon@nominum.com] > > Sent: Thursday, October 02, 2014 6:36 AM > > To: The IESG > > Cc: jose-chairs@tools.ietf.org; draft-ietf-jose-json-web- > > signature@tools.ietf.org > > Subject: Ted Lemon's No Objection on draft-ietf-jose-json-web-signature-33: > > (with COMMENT) > > > > Ted Lemon has entered the following ballot position for > > draft-ietf-jose-json-web-signature-33: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut > > this introductory paragraph, however.) > > > > > > Please refer to > > http://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-signature/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > The following sample text is encoded assuming a CR+LF line terminator: > > > > {"typ":"JWT", > > "alg":"HS256"} > > > > I think it would be better to just encode it as a single line, as was > > done in the JWE spec, so as to avoid confusing people who use operating > > systems that use the single-character line ending ("newline"). I > > suspect this applies to other examples as well. If you have to go > > multiline, you could also address this by just saying "line separators > > in examples are CR+LF ([13, 10])". > > Quoting your response to your own message so the working group will also see > it: > "This is actually covered in the Appendix, so I don't think it's necessary to make > the change I suggest here. Sorry for the confusion." > > > This looks like an attack surface: > > > > The Header Parameter names within the JOSE > > Header MUST be unique; recipients MUST either reject JWSs with > > duplicate Header Parameter names or use a JSON parser that returns > > only the lexically last duplicate member name, as specified in > > Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript]. > > > > Is this really safe? > > Quoting Kathleen's response on the thread so the working group will see it: > "I pointed to a thread on this in the ballot text, so thanks for weighing in. This > has been a hot discussion in the WG and is unresolved as to how it should be > handled. This discussion seems to be happening on Pete's Abstain, so let's see if > we can keep it there for now and this as a placeholder. It comes down to > implementation issues and a decision as to how we should best handle it. > Thanks." > > > I believe you mean "base64 padding characters" here: > > > > 2. The encoded representation of the JWS Protected Header MUST be > > successfully base64url decoded following the restriction that no > > padding characters have been used. > > > > I mention this because I don't think you require that no whitespace > > characters be present in the encoded JWS protected header, and someone > > might read this text that way. This concern exists in several other > > paragraphs in this document, and also in the JWE document. I don't know > > if it's worth dealing with, but it seems like it might make peoples' > > lives easier if you stated explicitly that you are talking about /base64/ padding. > > Thanks for pointing this out. I believe that it's referring both to base64 padding > characters and whitespace. I'll plan to reword this to make the intent clear. > > > Why not just make this a requirement of JWE: > > > > o Require that the "alg" Header Parameter be carried in the > > protected header. (This is always the case when using the JWS > > Compact Serialization and is the approach taken by CMS > > [RFC6211].) > > > > Relying on the application to get this right seems chancy. > > This point was raised in Tero Kivinen's secdir review as well. Richard Barnes led > a thorough discussion of the topic. The result was the inclusion of the Security > Considerations text in Section 10.7 (Algorithm Protection). > > > This document has a really great security considerations section. > > Thanks for being so thorough and clear. > > Thanks. A lot of smart and knowledgeable people have contributed to it. > Thanks for your contributions as well. > > -- Mike >