IETF Logo Mail Archive

Re: [jose] I-D Action: draft-ietf-jose-fully-specified-algorithms-01.txt

Brian Campbell <bcampbell@pingidentity.com> Fri, 01 March 2024 21:41 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4AC8C151547 for <jose@ietfa.amsl.com>; Fri, 1 Mar 2024 13:41:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 77padn3rtdI0 for <jose@ietfa.amsl.com>; Fri, 1 Mar 2024 13:41:54 -0800 (PST)
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEDC8C15108F for <jose@ietf.org>; Fri, 1 Mar 2024 13:41:54 -0800 (PST)
Received: by mail-il1-x136.google.com with SMTP id e9e14a558f8ab-365253c52aaso8525845ab.2 for <jose@ietf.org>; Fri, 01 Mar 2024 13:41:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1709329314; x=1709934114; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vCrvDxJQql3olXBkf5TOczavL/2Az+60iPyEBOhDOtc=; b=NzponE0l45mDVkSyktAO6UrDvdn1sw7KJeE0NWTvoZRAhhDO3n3sPhlFn7Vyw3dmdc 73/3z/Jp2b4GP+qG6JtvHAAera+zWi9m4uoem1obvcS5OYCkK2fnN8mN0+L24ouXvM2Z 13X7uwObc3wQpce1Gr5h/PsmT/D5gLtL/ooT0r6SOW7LhPvCNCokbpedfPi8UM9vCoHB tJCKQfQ0vlIn7Mw/7FPh0fl/SrbQv+6AQXfHlpCYcqHByoXxzP11/yHr/WEDNapiIP+b pdy/+hyXko+k3xfydQADUL+UneU0KpstRX04k6/dYgNCo0OJxs5NXp00x/mP0HKK4Ps1 m5fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709329314; x=1709934114; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vCrvDxJQql3olXBkf5TOczavL/2Az+60iPyEBOhDOtc=; b=qRsVx9PSmC9SRH11TaoK3sLLHVc2REQ+MB/ea3V8gxVPhV+D8M8yOnhk20hb+MQFXy bnH4Kr7QCSmidJoXSlrUYmyAk2ulUMKpryouZY4rkcFZ1+Pz9z52dc5ZUzxY8WTDZZHT NGEAbVb+fprLuLt86AQ6iLKyM0rRs8PsZhBGDNjG12dm+GfigcJWfMVh0bmC0oPVUl7u 0JTWkKC0rmBS6qSFP+CxSqKmwiayR/RaZ516ej66oLbOcxarQLvsOJQu2Fq1qkEZi4M/ UXRo66eBJj2HpMQDPl1P03ix/hHWMbwpusaWJ85C7t21kb+sO4GEaTJRaz8uEpaYeYm2 KnFg==
X-Forwarded-Encrypted: i=1; AJvYcCVJubUQ+nriSy6+HNnKblvWsG5/AjKGfFw/bnoZxaTzpVKZvkFVZTcIvVU8wfuRZ86ULXndGH3HmkVbDCov
X-Gm-Message-State: AOJu0YzYUA7A+0Z4cbIZz9aJqqmU2ug6CijmaydNmaXnGJHQ3uiMw4gr cYTt005IGpls14RyfV/4P+DorSVvr5pJ1PcjEpcJMPelbRg0Rrc+fPGVKK7UNvk7Jgi45crbLIS BgVb40dIkVnowAi7u2ATxeeGv9FeOqW4JCT3bO0nEL/wyeEfo/ku8h/HVXTM/4RBb8p3wVCiCjS 2UQ2f8+7Y9UPf0HobCPKTGyA==
X-Google-Smtp-Source: AGHT+IGicvr1AA+y9XrqilgkoVX/Yq3TyFI5UWNYh+MepewqFg1g8NpbsHVBE8eZycEbWM2leFRcKoFvk3/98A4+nx4=
X-Received: by 2002:a05:6e02:1c46:b0:365:2390:9313 with SMTP id d6-20020a056e021c4600b0036523909313mr3515333ilg.12.1709329313881; Fri, 01 Mar 2024 13:41:53 -0800 (PST)
MIME-Version: 1.0
References: <170914224026.56455.15183346032212380498@ietfa.amsl.com> <Zd-VJUMiAt4I8nBx@LK-Perkele-VII2.locald> <PH0PR02MB74304D9DFD11894C957AAB3EB7582@PH0PR02MB7430.namprd02.prod.outlook.com> <ZeCc0TVTMmHPCe9u@LK-Perkele-VII2.locald> <SJ0PR02MB74399E80DC38388CD56695BFB75E2@SJ0PR02MB7439.namprd02.prod.outlook.com>
In-Reply-To: <SJ0PR02MB74399E80DC38388CD56695BFB75E2@SJ0PR02MB7439.namprd02.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 01 Mar 2024 14:41:20 -0700
Message-ID: <CA+k3eCS6CCvEKDQc6ZmQWnBfRn0tDxtjbjtReHLkTyUrp5SkDw@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, "jose@ietf.org" <jose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008eff710612a03e1e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/LGqdnxk-ziF2Odm6CuxTUYnaKnc>
Subject: Re: [jose] I-D Action: draft-ietf-jose-fully-specified-algorithms-01.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2024 21:41:58 -0000

For JOSE encryption, I think the 4 deprecated algorithms would be ECDH-ES,
ECDH-ES+A128KW, ECDH-ES+A192K, and ECDH-ES+A256KW.

But it seems like there could be as many as 20 new algorithms - one of each
of the above combined with each of EC/P-256, EC/P-384, EC/P-521,
OKP/X25519, and OKP/X448.  Although that list could probably be trimmed
down to only include combinations that "make sense" together based on bit
strength. Maybe that's where Ilari's 12 comes from? Though I get 10 when I
try to make such a list:

ECDH-ES w/ EC/P-256, EC/P-384, EC/P-521, OKP/X25519, and OKP/X448 (5)
ECDH-ES+A128KW w/ EC/P-256 and OKP/X25519 (2)
ECDH-ES+A192KW w/ EC/P-384 (1)
ECDH-ES+A256KW w/ EC/P-521 and OKP/X448 (2)

(5+2+1+2 = 10)

Regardless, I'm not sure how I feel about the combinatorial expansion
there. Especially in the context of adding and deprecating algs into specs
and code with existing widespread usage.



On Fri, Mar 1, 2024 at 2:07 PM Michael Jones <michael_b_jones@hotmail.com>
wrote:

> Thanks again for engaging on this topic, Ilari.  I value your perspectives.
>
> You wrote:  "I think adding all the fully-specified algorithms for
> encryption is 12 new and 4 deprecated algorithms for JOSE, 24 new
> algorithms and 10 deprecated algorithms for COSE."  I would appreciate it
> if you could list the algorithms that you have in mind.  That could help
> inform future updates to the specification.
>
> You may be right about KEMs. Right now the authors are erring on the side
> of providing guidance in areas that may benefit from it, but it's a working
> group decision whether to keep, modify, or delete the current KEM text.
>
>                                 Thanks again,
>                                 -- Mike
>
> -----Original Message-----
> From: jose <jose-bounces@ietf.org> On Behalf Of Ilari Liusvaara
> Sent: Thursday, February 29, 2024 7:04 AM
> To: jose@ietf.org
> Subject: Re: [jose] I-D Action:
> draft-ietf-jose-fully-specified-algorithms-01.txt
>
> On Wed, Feb 28, 2024 at 09:03:18PM +0000, Michael Jones wrote:
> > Thanks for reading the new draft and commenting, Ilari.  Replies inline
> below...
> >
> > -----Original Message-----
> > From: jose <jose-bounces@ietf.org> On Behalf Of Ilari Liusvaara
> > Sent: Wednesday, February 28, 2024 12:19 PM
> > To: jose@ietf.org
> > Subject: Re: [jose] I-D Action:
> > draft-ietf-jose-fully-specified-algorithms-01.txt
> >
> > On Wed, Feb 28, 2024 at 09:44:00AM -0800, internet-drafts@ietf.org
> wrote:
> > > Internet-Draft draft-ietf-jose-fully-specified-algorithms-01.txt is
> > > now available. It is a work item of the Javascript Object Signing
> > > and Encryption
> > > (JOSE) WG of the IETF.
> > >
> > >    Title:   Fully-Specified Algorithms for JOSE and COSE
> > >    Authors: Michael B. Jones
> > >             Orie Steele
> > >    Name:    draft-ietf-jose-fully-specified-algorithms-01.txt
> > >    Pages:   12
> > >    Dates:   2024-02-28
> >
> > Some comments that still look relevant:
> >
> > 1) The encryption case seems like it would be difficult and delay the
> > document by a lot. There have been requests to get this done quick, so
> > I think that should be punted on.
> >
> > Indeed, an open question called out in
> > https://www.i/
> > etf.org%2Farchive%2Fid%2Fdraft-ietf-jose-fully-specified-algorithms-01
> > .html%23name-ecdh-es-and-its-ephemeral-k&data=05%7C02%7C%7C456f507a355
> > 44371d11308dc3937ad98%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638
> > 448158544780474%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2
> > luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=eNPm2Nz3i2ekQG
> > fcJRiDVwx8nGysX2QI3gOYWyUM2dU%3D&reserved=0
> > is whether to introduce fully-specified algorithm identifiers for ECDH
> > and possibly other encryption algorithms.  I expect this to be one of
> > the discussion topics in Brisbane.
>
> I think if this applies to encryption, then new ECDH algorithms are
> required.
>
> The RSA stuff looks fully specified, and I don't see anything else for
> asymmetric encryption than RSA and ECDH.
>
>
> > 2) Abstract: I don't think the current encryption stuff is fully
> > specified (the behavior of algorithms does depend on the key), so
> > statements about new identifiers need to be qualified to only apply to
> > signatures.
> >
> > You're right that (as called out by the cited text above) some of the
> > current encryption algorithms aren't fully specified.  This
> > specification does two things.
> > (a)  It requires that all algorithms registered in the future be fully
> >      specified.
> > (b)  It creates fully-specified algorithm identifiers that can be used
> >      instead of polymorphic algorithm identifiers.
> >
> > (a) is still very valuable, both for signing and encryption, even if
> > we tactically decide that we don't want to do (b) for all encryption
> > algorithms at this time.
>
> I think that solving one but not the other is the worst option. That is,
> one should solve neither or both.
>
> Otherwise everything using JWE/COSE_Encrypt is left with having to support
> both. Which is obviously harder than having to support just one, whichever
> it might be.
>
> I think adding all the fully-specified algorithms for encryption is 12 new
> and 4 deprecated algorithms for JOSE, 24 new algorithms and 10 deprecated
> algorithms for COSE.
>
>
> > 4) Section 6.3: I don't think anything in COSE or JOSE currently uses
> > KEMs. And the requirement for single KDF goes beyond what fully
> > specified means.
> >
> > https://datatracker.ietf.org/doc/draft-ietf-cose-hpke/ uses KEMs.
> > https://datatracker.ietf.org/doc/draft-rha-jose-hpke-encrypt/ uses KEMs.
>
> No, those use HPKE. Internal details of HPKE are irrelevant, That is the
> entire point of HPKE.
>
>
> > https://csrc.nist.gov/projects/post-quantum-cryptography uses KEMs.
> > I agree with Orie that it's good to include a discussion of KEMs now,
> > since they're clearly coming to both COSE and JOSE.
>
> Isn't requiring fully specified algorithms going forward enough?
> (And if not doing that, then one should not do anything with KEMs
> either.)
>
>
>
>
> -Ilari
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email