IETF Logo Mail Archive

Re: [jose] Question on enc location

Mike Jones <Michael.Jones@microsoft.com> Tue, 23 July 2013 21:33 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65CF511E8149 for <jose@ietfa.amsl.com>; Tue, 23 Jul 2013 14:33:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.431
X-Spam-Level:
X-Spam-Status: No, score=-3.431 tagged_above=-999 required=5 tests=[AWL=-0.833, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z2A2WixG+frm for <jose@ietfa.amsl.com>; Tue, 23 Jul 2013 14:33:32 -0700 (PDT)
Received: from db9outboundpool.messaging.microsoft.com (mail-db9lp0253.outbound.messaging.microsoft.com [213.199.154.253]) by ietfa.amsl.com (Postfix) with ESMTP id 4F5AE11E82F4 for <jose@ietf.org>; Tue, 23 Jul 2013 14:33:30 -0700 (PDT)
Received: from mail13-db9-R.bigfish.com (10.174.16.236) by DB9EHSOBE023.bigfish.com (10.174.14.86) with Microsoft SMTP Server id 14.1.225.22; Tue, 23 Jul 2013 21:33:28 +0000
Received: from mail13-db9 (localhost [127.0.0.1]) by mail13-db9-R.bigfish.com (Postfix) with ESMTP id CB25D4019C; Tue, 23 Jul 2013 21:33:28 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC103.redmond.corp.microsoft.com; RD:autodiscover.service.exchange.microsoft.com; EFVD:NLI
X-SpamScore: -21
X-BigFish: VS-21(zz98dI9371Ic85fhzz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1d7338h1de098h1033IL17326ah8275dh18c673h1de097h1de096h8275bhdda1eiz2fh2a8h668h839hd25hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1b0ah1bceh1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1155h)
Received-SPF: pass (mail13-db9: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC103.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail13-db9 (localhost.localdomain [127.0.0.1]) by mail13-db9 (MessageSwitch) id 1374615206602976_9791; Tue, 23 Jul 2013 21:33:26 +0000 (UTC)
Received: from DB9EHSMHS019.bigfish.com (unknown [10.174.16.250]) by mail13-db9.bigfish.com (Postfix) with ESMTP id 835CD2A0041; Tue, 23 Jul 2013 21:33:26 +0000 (UTC)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.8) by DB9EHSMHS019.bigfish.com (10.174.14.29) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 23 Jul 2013 21:33:25 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.38]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0136.001; Tue, 23 Jul 2013 21:33:18 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Richard Barnes' <rlb@ipv.sx>
Thread-Topic: [jose] Question on enc location
Thread-Index: Ac6HM7oJ9KwXoeAcSzSJtgQcSJVj8gABB71gABkzjYAAAKv1gAAGTAVgAAtY+AAAAVuI0A==
Date: Tue, 23 Jul 2013 21:33:17 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B7044A2@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <05a101ce8733$d96415e0$8c2c41a0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436B6FFED3@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgRFsoVOu4=opCark=iY6EXZ4kscR5Q3v2KpcZu4_ubQQw@mail.gmail.com> <05fd01ce879f$581712a0$084537e0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436B702C5E@TK5EX14MBXC284.redmond.corp.microsoft.com> <065a01ce87e5$ee9a1920$cbce4b60$@augustcellars.com>
In-Reply-To: <065a01ce87e5$ee9a1920$cbce4b60$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.74]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436B7044A2TK5EX14MBXC284r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Question on enc location
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2013 21:33:39 -0000

For the second, you're right - you don't need encrypted_key.  I'll plan to be clear on that (and the other fields that are omitted for some algorithms) for the JSON Serializations.  I believe you still need "recipients" - for consistency reasons, even if the array elements contain an empty object.

                                                            -- Mike

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Tuesday, July 23, 2013 1:48 PM
To: Mike Jones; 'Richard Barnes'
Cc: jose@ietf.org
Subject: RE: [jose] Question on enc location

But in this case I don't think that I need an encrypted key value because I am using direct.

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Tuesday, July 23, 2013 8:29 AM
To: Jim Schaad; 'Richard Barnes'
Cc: jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] Question on enc location

For the first, no - it's missing the required "recipients" element.

For the second, no - the "recipients" value is missing the required "encrypted_key" value.

Answering Richard's comment - I expect that in most cases people will put elements such as "enc" that are common between all recipients in either the "protected" or "unprotected" top-level headers, but this isn't a requirement.  In the worst case, should a sender use different "enc" values for different recipients, the result will be that the JWE will fail to decrypt for all the recipients in which the "enc" value is incorrect.

                                                            -- Mike

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Tuesday, July 23, 2013 5:23 AM
To: 'Richard Barnes'; Mike Jones
Cc: jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] Question on enc location

As a follow up.   Is this legal?

{
  Header: <alg:"direct", enc:"AES-GCM"},
  IV: ..., tag:..., payload:...
}

Or is the line

Recipients:[{}],

Required?

From: Richard Barnes [mailto:rlb@ipv.sx]
Sent: Tuesday, July 23, 2013 5:04 AM
To: Mike Jones
Cc: Jim Schaad; jose@ietf.org<mailto:jose@ietf.org>
Subject: Re: [jose] Question on enc location

In which case, it seems like it should be in the top level header, to avoid having it repeated every time.

In general, it seems like there are "content" parameters (e.g., enc, zip, cty) that should go at the top level, and "key" parameters that should be per-recipient (e.g., alg, epk, salt).  It would be helpful to implementors to be clear about what goes where.



On Monday, July 22, 2013, Mike Jones wrote:
No - just that the "enc" field for all recipients be the same.

From: jose-bounces@ietf.org<javascript:_e(%7b%7d,%20'cvml',%20'jose-bounces@ietf.org');> [mailto:jose-bounces@ietf.org<javascript:_e(%7b%7d,%20'cvml',%20'jose-bounces@ietf.org');>] On Behalf Of Jim Schaad
Sent: Monday, July 22, 2013 4:33 PM
To: jose@ietf.org<javascript:_e(%7b%7d,%20'cvml',%20'jose@ietf.org');>
Subject: [jose] Question on enc location

Is there supposed to be a requirement in the JWE specification that the enc field be in the common protected (or unprotected) header and no in the individual recipient header information?

Jim

v2.23.0 | Report a Bug | By Email