IETF Logo Mail Archive

Re: [jose] Fully-Specified Algorithms for JOSE and COSE

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 30 August 2023 05:50 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 100E8C151710 for <jose@ietfa.amsl.com>; Tue, 29 Aug 2023 22:50:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.196
X-Spam-Level:
X-Spam-Status: No, score=-2.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9_FpTJTlEkOK for <jose@ietfa.amsl.com>; Tue, 29 Aug 2023 22:49:55 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2FCBC1516F8 for <jose@ietf.org>; Tue, 29 Aug 2023 22:49:55 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-3fef34c33d6so48812315e9.3 for <jose@ietf.org>; Tue, 29 Aug 2023 22:49:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1693374594; x=1693979394; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=/4YpXsXU+K2CYgUTFewNwSR/E2i9cZz+gO0fnwMY5Gs=; b=mL373ukGUzqsjeHUkf5ieUCz/C1tdBOZmZQwmsfRrdrqqXpuaFOfqfpuQHwh035p4L /YfbVCtBZ2Z0r7OcmzNpLCVY4FwHxcZVQUgZoChn5ANN+gXNI8Kwkijgl+69GsapnO4C qRJBu5x99oa4KMREUpCIkrP39V8KqLcmIGMsY2R3cfwDBqauGyquNrtPCpCb4hcfcfle 8tCnYRRyeDyrC7kIJxC4skru8uu8yJhOxwlPXSYeD8j2ffSZUgwPGen5XKZcim3RuGnn YkCJr737atJrsi2NQZVrUvH3ZE2HhjK17LAtvQlCKLI8XfrPxzzrLsY1OyTr2tWsBD/D Af1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693374594; x=1693979394; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=/4YpXsXU+K2CYgUTFewNwSR/E2i9cZz+gO0fnwMY5Gs=; b=UQsk2kyH4AbQ7hefnSpAMMIgRbgbXszyns3XsEu2nvF2eRARDXEYjBaFMbvHdETLza 6gQ8wShjXH6PUUgDv0LY9M4nI5XpjJvDLjAmCUuGblHlytmBk5RFTqnxyfZpwVz2Bu0X HkE7AEoyuAuJthGeoVrTLJF5wKqOkvjtCxCELMy0mku3RZ47q+K3KhgxlcvE5/qES+CD 4ytDWBTl+2tyvFOZAyIY7IbheCYgVV6oUOAMD5ddtYsKM6nEOoDDwRGb272VDSjCZouo icl/i7Dp+PXBYFFHtQxkhilM6WDR8UMwWOzmQ6iG9/DikD5oQ507kK86q8wPdN/OiDPU OpPg==
X-Gm-Message-State: AOJu0YwcSDUxqECgmDm1LxzWvOvwYCZpCOelSGM88ZknTo9Iw7AP5E9Z n/9foT799PDjbA97H6rLDfA=
X-Google-Smtp-Source: AGHT+IGAw1rTu6BlApu/smglhPUAR4cd4RhQxIo1egruDPwf20tw1DwbcnP32bIs8O3lEJ8r4duNag==
X-Received: by 2002:a7b:c414:0:b0:401:d258:ad25 with SMTP id k20-20020a7bc414000000b00401d258ad25mr896710wmi.31.1693374593620; Tue, 29 Aug 2023 22:49:53 -0700 (PDT)
Received: from ?IPV6:2a01:e34:ec4e:5670:94ca:1ea4:3b94:6af0? ([2a01:e34:ec4e:5670:94ca:1ea4:3b94:6af0]) by smtp.googlemail.com with ESMTPSA id w24-20020a05600c2a1800b003fed9b1a1f4sm1950793wme.1.2023.08.29.22.49.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 29 Aug 2023 22:49:52 -0700 (PDT)
Message-ID: <bda94ea4-87e7-3faf-fe6d-4831ca03379c@gmail.com>
Date: Wed, 30 Aug 2023 07:49:51 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.14.0
Content-Language: en-US
To: Michael Jones <michael_b_jones@hotmail.com>, "jose@ietf.org" <jose@ietf.org>
Cc: Orie Steele <orie@transmute.industries>
References: <MW4PR02MB74287C966F89DBE52787E914B7E6A@MW4PR02MB7428.namprd02.prod.outlook.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
In-Reply-To: <MW4PR02MB74287C966F89DBE52787E914B7E6A@MW4PR02MB7428.namprd02.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/N5c1ZrnZIZOF05Bjt7KNzUBsm18>
Subject: Re: [jose] Fully-Specified Algorithms for JOSE and COSE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2023 05:50:01 -0000

Interesting considering the pushback I got when I claimed that polymorphic (I used the term overloaded) algorithms wasn't such a great idea, although I was mainly complaining about OKP.

Unfortunately for us implementors this ship has already sailed so in practice we will now have to maintain multiple solutions.

[Somewhat] related: ETSI is a about to take a decision on how to proceed with a JSON-based signature standards proposal building on RFC8785.  Personally, I'm nowadays rather pushing deterministically encoded CBOR which removes the need for canonicalization and is trivial to implement.
https://github.com/cyberphone/cbor-everywhere/tree/main#cryptographic-operations
I believe the myriad of "Wallet" projects out there would benefit by taking a peek at CBOR and enveloped signature solutions.  COSE algorithms and keys still apply.

Anders

On 2023-08-30 3:27, Michael Jones wrote:
> Orie Steele <https://twitter.com/OR13b> and I have written a new specification creating algorithm identifiers for JOSE and COSE that fully specify the cryptographic operations to be performed – something we’d promised to do during our presentation to the JOSE working group <https://datatracker.ietf.org/meeting/117/materials/slides-117-jose-fully-specified-algorithms-for-jose-and-cose-00> at IETF 117. The introduction to the specification (quoted below) describes why this matters.
> 
> The IANA algorithm registries for JOSE [IANA.JOSE.Algorithms <https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms>] and COSE [IANA.COSE.Algorithms <https://www.iana.org/assignments/cose/cose.xhtml#algorithms>] contain two kinds of algorithm identifiers:
> 
> ·*Fully Specified*: Those that fully determine the cryptographic operations to be performed, including any curve, key derivation function (KDF), hash functions, etc. Examples are |RS256| and |ES256K| in both JOSE and COSE and |ES256| in JOSE.
> 
> ·*Polymorphic*: Those requiring information beyond the algorithm identifier to determine the cryptographic operations to be performed. Such additional information could include the actual key value and a curve that it uses. Examples are |EdDSA| in both JOSE and COSE and |ES256| in COSE.
> 
> This matters because many protocols negotiate supported operations using only algorithm identifiers. For instance, OAuth Authorization Server Metadata [RFC8414 <https://www.rfc-editor.org/rfc/rfc8414.html>] uses negotiation parameters like these (from an example in the specification):
> 
> |"token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"]|
> 
> OpenID Connect Discovery [OpenID.Discovery <https://openid.net/specs/openid-connect-discovery-1_0.html>] likewise negotiates supported algorithms using |alg| and |enc| values. W3C Web Authentication [WebAuthn <https://www.w3.org/TR/2021/REC-webauthn-2-20210408/>] and FIDO Client to Authenticator Protocol (CTAP) [FIDO2 <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html>] negotiate using COSE |alg| numbers.
> 
> This does not work for polymorphic algorithms. For instance, with |EdDSA|, you do not know which of the curves |Ed25519| and/or |Ed448| are supported! This causes real problems in practice.
> 
> WebAuthn contains this de-facto algorithm definition to work around this problem:
> 
> |-8 (EdDSA), where crv is 6 (Ed25519)|
> 
> This redefines the COSE |EdDSA| algorithm identifier for the purposes of WebAuthn to restrict it to using the |Ed25519| curve – making it non-polymorphic so that algorithm negotiation can succeed, but also effectively eliminating the possibility of using |Ed448|. Other similar workarounds for polymorphic algorithm identifiers are used in practice.
> 
> This specification creates fully-specified algorithm identifiers for all registered polymorphic JOSE and COSE algorithms and their parameters, enabling applications to use only fully-specified algorithm identifiers. It furthermore deprecates the practice of registering polymorphic algorithm identifiers.
> 
> The specification is available at:
> 
> ·https://www.ietf.org/archive/id/draft-jones-jose-fully-specified-algorithms-00.html <https://www.ietf.org/archive/id/draft-jones-jose-fully-specified-algorithms-00.html>
> 
>                                                         -- Mike
> 
> P.S.  This note was also published at https://self-issued.info/?p=2401 <https://self-issued.info/?p=2401> and was referenced from https://twitter.com/selfissued/status/1696693714008322088 <https://twitter.com/selfissued/status/1696693714008322088>.
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email