Re: [jose] SECDIR review of draft-ietf-jose-json-web-key-31

[Stephen Kent <kent@bbn.com>]

Mike,

Thanks for the reply to my comments.

I've retained your replies and responded to them, below.
>
> **<mailto:kent@bbn.com>
> I agree that "employing countermeasures to" is more accurate than 
> "preventing".  I also agree that the "avoiding mistakes" language is 
> not actionable -- I propose to just remove it.
>
Great.
>
> Actually, it was spoken by then-Security AD Sean Turner. ;-)
>
gee, I thought Sean was wise, but I didn't realize he was a Jedi ;-).
>
> How about changing "data associated with a key" to "data 
> cryptographically secured by a key"?  (And of course, deleting the 
> extraneous "than".)
>
OK.
>
> The wording above is needlessly awkward. Nonetheless, this says that 
> key sets containing symmetric or private keys should be encrypted by 
> embedding them in another JSON crypto format (JWE). It would be nice 
> to add that this implies a that there is secure way to deliver the 
> needed decryption key for the JWE, else this recommendation just adds 
> a layer of indirection, and does not solve the problem.
>
> Fair enough.  I propose that we add something along those lines.
>
OK, I look forward to seeing the revised wording here.
>
> Section 9.3 discusses a countermeasure against a specific attack on 
> RSA key use. This seems unduly narrow, since this spec is intended for 
> use with RSA, DH, DSS, and ECDH keys. Why devote a long paragraph to 
> this one issue, while saying nothing about equally serious concerns 
> that arise for other algorithms?
>
> This particular attack is described both because the countermeasure 
> requires specific key representation actions and because a working 
> group member asked it to be included. For what it's worth, I expect 
> that additional security considerations will be added when resolving 
> Russ Housley's gen-art review of the JWS specification.
>
If comparable alg-specific countermeasures are added based on Russ's 
comments then
this may be OK, but in isolation this RSA-specific attack seem out of place.
>
> These non-goals were agreed to by the working group from the very 
> beginning, while the working group was still being chartered.  The 
> group wanted to build something simple and easily deployable to 
> represent keys in JSON -- not reinvent all the work that the PKIX 
> working group did on certificates and certificate chains, etc.  Do any 
> working group members want to suggest specific wording to try to 
> capture this sentiment?
>
OK.
>
> The example that comprises Section 3 should include an explanation of 
> the parameters, else it's not a great example.
>
> The parameters and values of them are explained in the paragraph 
> preceding the example text.  It says:
>
>     The following example JWK
>     declares that the key is an Elliptic Curve [DSS  <https://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#ref-DSS>] key, it is used with
>     the P-256 Elliptic Curve, and its x and y coordinates are the
>     base64url encoded values shown.  A key identifier is also provided
>     for the key.
>
> Each statement above corresponds to a parameter in the example, and in 
> the same order.
>
OK. I missed that.
>
> I suppose that one option is to be more verbose above and add 
> parenthetical remarks after each statement above saying which 
> parameter does this.  So for instance, the parenthetical phrase 
> "("kty" parameter)" could be added before the first comma.  Do others 
> in the working group think that would make the example easier to read, 
> harder to read, or do any of you have an alternative suggestion?
>
I defer to the WG on this presentation issue.
>
> In addition to the common parameters, each JWK will have members that
>
>   are algorithm-specific.
>
> They're not algorithm-specific -- they're key type-specific.  Another 
> way of eliminating the repeated use of the word "parameters" is to 
> replace the second sentence with "These members represent the key 
> value".  Would that work for you (and the working group)?
>
Yes, I meant key-type specific. But if one were to use that term instead 
of "algorithm specific"
I still think my wording is better.
>
> This topic has been heavily discussed by the working group, and while 
> the specs used to just say that objects with duplicate member names 
> MUST be rejected, working group members, including Tim Bray (the 
> editor of the JSON spec), prevailed on us to weaken this so that 
> parsers that implement the ECMAscript behavior of returning only the 
> last member name may be legally used.  (The argument was made that 
> there was more security downside in effectively requiring people to 
> write and debug their own strict parsers than in using laxer, but 
> well-supported and debugged parsers.)
>
I find that argument unpersuasive, but I defer to the cognizant Ad on this.
>
> However, we also intentionally require that producers use only one 
> instance of each member name, so that legally produced objects will 
> never exercise the ambiguities that are present in real JSON parsers.  
> That seemed to be the most practical solution to the working group.
>
Based on year of experience in PKIX that is not a great solution. If the 
consumer of a data
structure fails to strictly enforce the requirement imposed on the 
producer of the data structure,
the result is that non-conforming producers do not receive "appropriate" 
feedback.
>
>
> The term "Collision-Resistant Name" is already present in the 
> Terminology section.  However, previous reviewers had requested that 
> definitions not be repeated in multiple specs, so it's incorporated by 
> reference, rather than repeating the definition here.  The notion is 
> that of an implementation wants to use a collision-resistant name such 
> as "http://names.example.com/the-name", it can do so without having to 
> create a public specification and register the name with IANA.
>
I found the definition by reading one of the other specs, but I didn't 
see a clear explanation of
why this is a reasonable alternative to using an IANA registry. The text 
above does still does
not provide a rationale.
>
> I agree that the "SHOULD" language is awkward.  Rather than saying 
> "SHOULD be used", we could change it to just say "is used".
OK.
>
> Would the language "The "alg" member can be used to specify the 
> cryptographic operation that the key is intended to be used for" work 
> better for you?  Or would people like to just see the parenthetical 
> remark deleted?
>
How about:

    The "alg" member is used to specify the algorithm with which the key
    is to be used.

> Section 4.5 defines the key_ops parameter. It's not clear how this 
> parameters and "use" relate. There is also an odd sentence at the end 
> of the first paragraph:
>
>    The "key_ops" parameter is intended for use cases in which public,
>
>    private, or symmetric keys may be present.
>
> This seems to encompass all of the types of keys that JWK carries, so 
> the sentence seems to add no useful qualification for when this 
> parameter is intended to be used.
>
> This is in contrast to the related statement in the "use" definition:
>
>    The "use" parameter is intended for use cases in which
>
>    it is useful to distinguish between public signing keys and public
>
>    encryption keys.
>
Too subtle for me, and the language above seems a bit wimpy. Why not say:

    The "use" parameter is employed to indicate whether a public key is
    for encrypting
    data or verifying the signature on data.

> If you want to see this parameter name changed, you'll need to file a 
> bug against the WebCrypto spec and get it changed there.  Then I'm 
> sure that JOSE will gladly follow.
>
My request is directed to the IESG, suggesting that they take this action.
>
>
> This specification will be used both in open environments, in which 
> multiple organizations will need to have a common understanding of any 
> extensions used, and closed environments, which the producing and 
> consuming organization will always be the same and private values 
> could be safely used.  IANA registration is definitely the right thing 
> to do for open environments.  It's probably unnecessary for 
> deployments in closed environments.
Then say this.
>
> Same answer as for Section 4.
>
ibid.
>
> "Can" is being used as a non-2119 synonym for "MAY" here.  That being 
> said, we could just change "can be" to "is", since it's explicitly 
> said that its use is optional at the end of the paragraph.
please revise accordingly.
>
> It's the inclusion of other metadata about the key that might improve 
> interoperability that's being referred to -- not the inclusion of the 
> cert reference.  For instance, including "use" or "alg" parameters 
> might be useful to applications that can't process the certificate.
that's not what the text said, hence my confusion.
>
> As for the cert vs. cert chain question, in the general case, a chain 
> may be required to establish trust.  However, a chain of length one (a 
> single certificate) will also be sufficient in some use cases.  We're 
> not inventing anything new here. The data format is specified in RFC 1421.
>
could you point specifically to where 1421 uses two names to identify 
equivalent data structures
for transport of certs/cert chains? I trued a quick search of the text 
and didn't locate the
text to which you appear to refer.
>
> I had thought there were uses of RSA keys where the same key is used 
> both for signing and encryption (even though this is a deprecated 
> practice).
>
Yes, that practice is frowned upon, and we prefer that certs use an OID 
that makes it clear
how a key is to be used. How about the following text:

    Similarly, if the "alg" member is present, it MUST be consistent with

the algorithm specified in the certificate.


> But we could change this to "Similarly, if the "alg" member is 
> present, it SHOULD correspond to the algorithm specified in the 
> certificate."  Or is that overly strong for some certificates and uses 
> of them?
>
I prefer this text.
>
> Also, the name seems misleading since the chain MAY contain additional 
> certs, and hence may not be a chain at all!
>
> I'm not sure if I'm following you here.  Are you suggesting the 
> possibility of having multiple certificates not chaining to one 
> another in the representation?  This isn't allowed by the 
> specification, as written.  Are you suggesting that it needs to be 
> allowed?
>

> Thumbprint is the term used in the Windows libraries, such as 
> http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.thumbprint(v=vs.110).aspx 
> <http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.thumbprint%28v=vs.110%29.aspx>. 
> Whereas OpenSSL uses fingerprint 
> http://www.openssl.org/docs/apps/x509.html. I know that there would be 
> an uproar if we tried to make a breaking change to the "x5t" name at 
> this point, because it's in widespread production use.  However, we 
> could add language saying that certificate thumbprints are also known 
> as certificate fingerprints, so people familiar with either term will 
> know what this is.
>
Yes, do add that explanatory text.
>
> The term "base64url" is incorporated by reference in the terminology 
> section (Section 2).
>
> Actually, Appendix C in JWS is not normative.  It's just example 
> code.  The normative definition of the encoding is in Section 5 of RFC 
> 4648.
>
Then 4648 should be cited.
>
> It used to be a "SHOULD" but the working group felt that the "MUST ... 
> unless" wording was a more accurate statement of the requirement.
>
I defer to the cognizant AD here, but the notion of SHOULD is really 
MUST ... unless ...
>
> Section 8 (IANA Considerations) establishes a two-week review period 
> for creating new (IANA) registry items. This seems too short; some 
> people take multi-week vacations. I note that the same text appears in 
> the JWS and JWE documents.
>
> This text was taken from RFC 6749.
>
I didn't review that RFC. My comment still stands.
>
> Aren't appendices normally informative?
>
normally, but not always.
>
> We could be more explicit and talk about performing authenticated 
> encryption.
>
please do.

Steve