Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Mike Jones <> Fri, 12 September 2014 15:19 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 65BFB1A6F17; Fri, 12 Sep 2014 08:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 44oYh0rCo-0e; Fri, 12 Sep 2014 08:19:51 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::792]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5D0CA1A0BEB; Fri, 12 Sep 2014 08:19:51 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1024.12; Fri, 12 Sep 2014 15:19:27 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1029.13 via Frontend Transport; Fri, 12 Sep 2014 15:19:26 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1019.14 via Frontend Transport; Fri, 12 Sep 2014 15:19:26 +0000
Received: from ([]) by ([]) with mapi id 14.03.0195.002; Fri, 12 Sep 2014 15:18:44 +0000
From: Mike Jones <>
To: Kathleen Moriarty <>, "" <>, "" <>, "" <>, "" <>, Stephen Kent <>
Thread-Topic: JWK member names, was: [jose] SECDIR review of draft-ietf-jose-json-web-key-31
Thread-Index: AQHPzoESD2WvkanDakGRB2XPz/nr6pv9mXgQ
Date: Fri, 12 Sep 2014 15:18:42 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439AEC00DBTK5EX14MBXC292r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(438002)(189002)(377454003)(199003)(43784003)(51444003)(24454002)(19300405004)(74662001)(33656002)(15975445006)(79102001)(85806002)(80022001)(87936001)(99396002)(86612001)(81156004)(71186001)(66066001)(85852003)(16236675004)(83072002)(2501002)(85306004)(50986999)(46102001)(106116001)(97736003)(104016003)(19625215002)(19617315012)(512874002)(95666004)(19580405001)(92566001)(19580395003)(76176999)(107046002)(77096002)(83322001)(77982001)(107886001)(2656002)(44976005)(26826002)(92726001)(69596002)(31966008)(81542001)(84326002)(84676001)(74502001)(81342001)(2201001)(230783001)(106466001)(68736004)(21056001)(54356999)(64706001)(15202345003)(4396001)(6806004)(90102001)(20776003)(76482001)(55846006)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:CH1PR03MB611;; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;UriScan:;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0332AACBC3
Received-SPF: Pass ( domain of designates as permitted sender); client-ip=;;
Authentication-Results: spf=pass (sender IP is;
Subject: Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Sep 2014 15:19:57 -0000

Sure.  Here’s an analysis of the requirements about duplicate member names.

There could be two very different kinds of objections to the present text:
A.  People think we have the semantics for duplicate identifiers wrong.
B.  People think we should explain the current semantics for duplicate identifiers more clearly.

I sure hope that we’re dealing with B and not A.  Stephen, which is the nature of your critique of this text?

If we’re in the realm of A, I think there are three possibilities for the semantics:

1.  Require producers not use duplicate members and require consumers to reject inputs with duplicate member names.
Pros:  This is the most locked-down, consistent, and alternative.
Cons:  Real JSON parsers don’t all reject duplicate inputs.  If we force people to write custom parsers, this will result in exploitable bugs (and some just won’t do it and won’t be conformant).

2.  Require producers not to use duplicate members but allow consumers to accept inputs with duplicate member names in the manner defined in ECMAscript.  (This is the current choice.)
Pros:  People can use all standard JSON parsers.  Producers are still required to produce well-formed data structures.
Cons:  The requirements on producers are stricter than those on consumers.

3.  Allow both producers and consumers to use duplicate members, with duplicate member names handled in the manner defined in ECMAscript.
Pros:  People can use ECMAscript parsers (which are more liberal than some JSON parsers).  The requirements on producers and consumers are the same.
Cons:  Hidden content can be inserted into duplicate member names.  This could give attackers a way to manipulate the inputs to crypto operations.  Strict JSON parsers (that reject inputs with duplicate members) can’t be used.

Practically, I think were we presently are (2) is the best compromise between implementability, consistency, and security.  The working group put a lot of discussion into this, including changing from (1) to (2) and it’s my sense that most agree we’ve landed in the right place.  From a security perspective, I don’t think that (3) is a viable option.

If people think that the current semantics are right but are not sufficiently clearly explained or motivated, I’d certainly welcome proposed text to clarify the explanation.

                                                            -- Mike

From: Kathleen Moriarty []
Sent: Friday, September 12, 2014 5:00 AM
To:;;;; Stephen Kent; Mike Jones
Subject: JWK member names, was: [jose] SECDIR review of draft-ietf-jose-json-web-key-31

Hi Mike,

The text Steve called out below has been very problematic as you know.  Could you call out some options here as the last time this came up, we didn't resolve it.  The working group was asked for suggestions, but none came through.  If you could provide some options and then have the working group weigh in, I think that would be good.

I snipped away the rest of the review and changed the subject as not to get in the way of the current dialog.


On Wed, Sep 10, 2014 at 8:57 PM, Mike Jones <<>> wrote:
Hi Stephen.  Thanks for your detailed and useful review.  I’ve cc’ed the working group in my reply so they’re aware of the contents of your review.  Replies are inline below…

From: Stephen Kent []
Sent: Tuesday, September 02, 2014 1:09 PM
To:<>; Mike Jones;<>; Moriarty, Kathleen
Subject: SECDIR review of draft-ietf-jose-json-web-key-31


This section imposes a rather wimpy constraint on parameter names:

   The member names within a JWK MUST be unique; recipients MUST either

   reject JWKs with duplicate member names or use a JSON parser that

   returns only the lexically last duplicate member name, as specified

   in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript].

This text says that member names MUST be unique, but if they are not, that’s OK too; just use the last instance of a member with a duplicate name. This seems like a terrible design principle. It imposes what appears to be a requirement, then says how to accommodate data structures that fail to meet the requirement. This would seem to encourage sloppy implementations (for JWK generation). I’d like to see the rationale for this.

Unfortunately, the intentional laxness in the spec in this regard is a reflection of the semantics of the actual JSON specifications and implementations.  For instance, says:

   An object whose names are all unique is interoperable in the sense
   that all software implementations receiving that object will agree on
   the name-value mappings.  When the names within an object are not
   unique, the behavior of software that receives such an object is
   unpredictable.  Many implementations report the last name/value pair
   only.  Other implementations report an error or fail to parse the
   object, and some implementations report all of the name/value pairs,
   including duplicates.

This topic has been heavily discussed by the working group, and while the specs used to just say that objects with duplicate member names MUST be rejected, working group members, including Tim Bray (the editor of the JSON spec), prevailed on us to weaken this so that parsers that implement the ECMAscript behavior of returning only the last member name may be legally used.  (The argument was made that there was more security downside in effectively requiring people to write and debug their own strict parsers than in using laxer, but well-supported and debugged parsers.)

However, we also intentionally require that producers use only one instance of each member name, so that legally produced objects will never exercise the ambiguities that are present in real JSON parsers.  That seemed to be the most practical solution to the working group.

                                                            Thanks again, Stephen,
                                                            -- Mike

jose mailing list<>


Best regards,


Best regards,