Re: [jose] #15: Broken examples in JWE / JWS

Mike Jones <Michael.Jones@microsoft.com> Mon, 25 March 2013 22:49 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Dick Hardt <dick.hardt@gmail.com>
Thread-Topic: [jose] #15: Broken examples in JWE / JWS
Date: Mon, 25 Mar 2013 22:49:10 +0000
Cc: Richard Barnes <rlb@ipv.sx>, "draft-ietf-jose-json-web-encryption@tools.ietf.org" <draft-ietf-jose-json-web-encryption@tools.ietf.org>, Jim Schaad <ietf@augustcellars.com>, Brian Campbell <bcampbell@pingidentity.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #15: Broken examples in JWE / JWS

As I'd already written, I have no problem with some of the examples containing a Key ID.  But it's also the case in many deployment environments that keys are pre-shared and known by both parties in advance of any tokens being exchanged.  This is often true when per-client symmetric keys are used with OAuth, for instance.

                                                            -- Mike

From: Dick Hardt [mailto:dick.hardt@gmail.com]
Sent: Monday, March 25, 2013 3:43 PM
To: Mike Jones
Cc: Richard Barnes; Brian Campbell; draft-ietf-jose-json-web-encryption@tools.ietf.org; Jim Schaad; jose@ietf.org
Subject: Re: [jose] #15: Broken examples in JWE / JWS

I think the example should contain the KID as one would expect that to be the common case.

On Mar 25, 2013, at 2:54 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:


If you already know that something is going on out of band, the indication in the JOSE object would be unnecessary.

                                                                -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Monday, March 25, 2013 2:31 PM
To: Brian Campbell
Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; Jim Schaad; jose@ietf.org
Subject: Re: [jose] #15: Broken examples in JWE / JWS

I realize that's the common case.  But the spec doesn't say that.

All I'm saying is, the spec should REQUIRE that a sender include either a key indicator, or an indication that something is going on out of band.

--Richard


On Mon, Mar 25, 2013 at 8:15 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
/* special magic */ is just some out of band agreement on the key to use or how to infer it. Which isn't really special or magic. But probably pretty common.

On Fri, Mar 22, 2013 at 7:37 PM, Richard Barnes <rlb@ipv.sx> wrote:
I've renamed the issue to try to clarify.

You're right that there are alternative ways to locate a key.  But a JOSE object needs to contain at least one of them, or else the /* special magic */ clause applies.

--Richard

On Fri, Mar 22, 2013 at 9:15 PM, Jim Schaad <ietf@augustcellars.com> wrote:
This may or may not be a flaw in the specification.  However, the item you created in the tracker does not reflect what you have put here.  I think you would be better served by saying that there is a flaw in the specifications in that there should be a MUST that some type of key or key reference is required in a JWS or JWE.

I would note that your example code should be more complex in that it does not deal with jku or any of the x* methods of referencing keys.

Jim


From: Richard Barnes [mailto:rlb@ipv.sx]
Sent: Friday, March 22, 2013 4:09 PM
To: Jim Schaad
Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; jose@ietf.org

Subject: Re: [jose] #15: Broken examples in JWE / JWS

I admit that they are not broken according to the current spec.  However, I have a lot of trouble figuring out how I would write code to process them.

If "kid" or "jwk" MUST be present to indicate what key I should use, then I can have deterministic code:
if (/* recognized "kid" or "jwk" value */) {
    /* use it */
} else {
    /* FAIL.  can't process this object */
}

As the spec stands, I have no idea what to put in that "else" clause.  I'm clearly not supposed to fail, because the parameters are optional.  But what else?
if (/* recognized "kid" or "jwk" value */) {
    /* use it */
} else {
    /* insert special magic here */
}

This is actually what SPI is supposed to clear up.  SPI would provide an explicit third branch for the special magic to live in.
if (/* recognized "kid" or "jwk" value */) {
    /* use it */
} else if (/* recognized SPI value */) {
    /* process using stored parameters */
} else {
    /* FAIL.  can't process this object */
}

But without the concept of SPI, the spec is broken because of the non-determinism noted above.

--Richard



On Fri, Mar 22, 2013 at 6:13 PM, Jim Schaad <ietf@augustcellars.com> wrote:
My inclination is that this response is correct.

What makes you think that the key or key reference is required and cannot be implied?

Jim


> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> jose issue tracker
> Sent: Friday, March 22, 2013 2:37 PM
> To: draft-ietf-jose-json-web-encryption@tools.ietf.org; ignisvulpis@gmail.com
> Cc: jose@ietf.org
> Subject: Re: [jose] #15: Broken examples in JWE / JWS
>
> #15: Broken examples in JWE / JWS
>
>
> Comment (by ignisvulpis@gmail.com):
>
>  I think this is not an issue. The examples are NOT broken and they do not
>  need a fix.
>  I suggest closing this ticket.
>  The draft should definitely not make these illegal. These objects are
>  perfect examples for a valid JWS/JWE.
>
> --
> -------------------------+-------------------------------------------------
>  Reporter:  rlb@ipv.sx   |       Owner:  draft-ietf-jose-json-web-encryption@tools.ietf.org
>      Type:  defect       |
>  Priority:  minor        |      Status:  new
> Component:  json-web-    |   Milestone:
>   encryption             |     Version:
>  Severity:  -            |  Resolution:
>  Keywords:               |
> -------------------------+-------------------------------------------------
>
> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/15#comment:1>
> jose <http://tools.ietf.org/jose/>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
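Richard's three-branch key-resolution sketch above, written out as a verifier-side key resolver that also covers the other key reference parameters Jim mentions (jku and the x5* parameters) and treats the pre-shared-key case Mike describes as an explicit, configured branch rather than "special magic". This is an added example written for this page, not code from the thread; the trusted keys, the pre-shared key and the JWS header values are constructed.

```python
import base64
import json

# Constructed for this example (not from the thread): keys the verifier knows
# in advance, indexed by "kid", and one key agreed purely out of band.
TRUSTED_KEYS = {"client-42": {"kty": "oct", "k": "c2VjcmV0LWtleQ"}}
PRESHARED_KEY = {"kty": "oct", "k": "cHJlLXNoYXJlZA"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def protected_header(compact_jws: str) -> dict:
    """Parse the protected header of a JWS in compact serialization."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0]))

def resolve_key(header: dict, preshared=None):
    """Return (key, branch) or raise ValueError; branch order follows
    Richard's sketch, extended with the other key reference parameters Jim
    names (jku, x5u, x5c, x5t) and an explicit out-of-band branch."""
    kid = header.get("kid")
    if kid is not None:
        if kid in TRUSTED_KEYS:
            return TRUSTED_KEYS[kid], "kid"
        raise ValueError(f"unknown kid {kid!r}")  # explicit but unknown: fail
    if "jwk" in header:
        # An embedded key is usable only if it is already trusted; otherwise
        # the sender, not the verifier, would be choosing the key.
        if header["jwk"] in TRUSTED_KEYS.values():
            return header["jwk"], "jwk"
        raise ValueError("embedded jwk is not a trusted key")
    if any(p in header for p in ("jku", "x5u", "x5c", "x5t")):
        # Fetching and validating remote or certificate references is out of
        raise ValueError("unsupported key reference in header")  # scope here
    if preshared is not None:
        return preshared, "out-of-band"
    raise ValueError("no key indicated and no out-of-band agreement")

def can_resolve(header: dict, preshared=None) -> bool:
    """True if resolve_key finds a key, False if it fails closed."""
    try:
        resolve_key(header, preshared)
        return True
    except ValueError:
        return False
```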


