IETF Logo Mail Archive

Re: [jose] SPI proposal

Brian Campbell <bcampbell@pingidentity.com> Thu, 07 February 2013 14:43 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC82621F86C2 for <jose@ietfa.amsl.com>; Thu, 7 Feb 2013 06:43:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.714
X-Spam-Level:
X-Spam-Status: No, score=-5.714 tagged_above=-999 required=5 tests=[AWL=0.262, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3oT55JqkcpAg for <jose@ietfa.amsl.com>; Thu, 7 Feb 2013 06:43:03 -0800 (PST)
Received: from na3sys009aog122.obsmtp.com (na3sys009aog122.obsmtp.com [74.125.149.147]) by ietfa.amsl.com (Postfix) with ESMTP id D699C21F841B for <jose@ietf.org>; Thu, 7 Feb 2013 06:43:02 -0800 (PST)
Received: from mail-oa0-f70.google.com ([209.85.219.70]) (using TLSv1) by na3sys009aob122.postini.com ([74.125.148.12]) with SMTP ID DSNKURO9dvVvcRsF8aIJGJLIkZBSvHpKzjv1@postini.com; Thu, 07 Feb 2013 06:43:02 PST
Received: by mail-oa0-f70.google.com with SMTP id h2so12961948oag.1 for <jose@ietf.org>; Thu, 07 Feb 2013 06:43:02 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=PD7oUGIlGuQFuH+qQjU0cLksZqI9y8YCaeurNbp26d8=; b=jaxh9PnJlOG4udEklkG4lOQcnOiPpN19m8fHskB5N3W5dYV/+J/b7JWtswTHOLDxRG 0la3n6qNpGMBO5AaGlV8PCY4yJNq5tWkWoYWiGtY6WIN9va5qr1DbrRwTEr84oZJ7f7W kYZIvjAb+qlC77O5jIDeLJ0ux1/e6/quwc2qJjqHd3HGF7cm0nDdlgI8J10wAPTFPQFi yvaQDWsI1CABUWpqVUv3x+BncdNFfhLdjqoiCFVufcBjdsMVDePDgGrygF9X2Aouq9Jp smXeWwpLyukACNTPj48lRpLImUYD0szywwlgqzZNVtzcfzbBjdRvY5vJ2wTKcm6/T/2p XD1w==
X-Received: by 10.42.92.72 with SMTP id s8mr2903151icm.0.1360248181952; Thu, 07 Feb 2013 06:43:01 -0800 (PST)
X-Received: by 10.42.92.72 with SMTP id s8mr2903116icm.0.1360248181692; Thu, 07 Feb 2013 06:43:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.139.8 with HTTP; Thu, 7 Feb 2013 06:42:31 -0800 (PST)
In-Reply-To: <CAL02cgSt7w5CrP+DXo7bz_+YsxKsVMoRbZLNWa6EHjnAyScWMg@mail.gmail.com>
References: <CAL02cgSt7w5CrP+DXo7bz_+YsxKsVMoRbZLNWa6EHjnAyScWMg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 07 Feb 2013 07:42:31 -0700
Message-ID: <CA+k3eCQ_bsTxYq6u5BVe_Xk1ycOhAwWe=ebfAwk+66JavJJQfA@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="90e6ba5bba1dad17f404d523752f"
X-Gm-Message-State: ALoCoQl8GNwJfs74kcMGbk4codmcNR4zrzg07RJ4pahBBlbc8RtT6/8m6/VUOvpN5oFI7QNFX/P1BgoTwrkm4cW9fKpSOhKnkzpo8X1+oGTl8tTD9/Hjoq2HPZXtFTOmverWCsC+z9fb
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] SPI proposal
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2013 14:43:03 -0000

Admittedly I'm not really up on this spi issue or the motivation behind it
but a couple questions came to mind when I saw this. How does the receiver
protect against unbounded growth of the cache? And index collision? And for
distributed environments, it seems supporting this could be very cumbersome.








On Wed, Feb 6, 2013 at 3:11 PM, Richard Barnes <rlb@ipv.sx> wrote:

> To move us toward closing Issue #9 [9], here is some proposed text for an
> SPI [1] field.  To recall, SPI stands for "security parameters index",
> borrowing a term from IPsec.  The idea is that in cases where the same
> crypto parameters are being used repeatedly, this would save the parties
> from having to re-send the same parameters.
>
> The below text is designed for the JWE spec, but could be adapted for JWS
> (just keep header, ignore part about key/iv).  Similar text is probably
> needed for the encryption/decryption/signing/verification sections.
>
> Feedback welcome,
> --Richard
>
> -----BEGIN-----
> Section 4.1.X. "spi" Header Parameter
>
> The "spi" (Security Parameters Index) header parameter contains an opaque
> byte string that labels a set of security parameters.  This index is
> designed to enable the use of smaller headers in cases where entities will
> be re-using the same security parameters for several messages.
>
> Entities supporting the use of the "spi" parameter MUST maintain a table
> of cached security parameters.  When an entity receives an object whose
> header contains both "spi" and "alg" values, then it MUST cache the
> following values from the JWE, indexed by the "spi" value:
> -- Contents of the JWE header
> -- Encrypted Key
> -- Initialization Vector
>
> If an object containing an "spi" parameter but no "alg" parameter, then it
> MUST NOT contain an Encrypted Key or Initialization Vector.  That is, it
> will have the form "header.ciphertext.integrity_value".  When a recipient
> receives such an object, it uses the "spi" value to retrieve cached header,
> key, and initialization vector and reconstructs a full JWE.  This full JWE
> can then be further processed according to the normal JWE processing rules.
>  If the recipient has no cached parameters for the "spi" value, the process
> MUST fail.
> -----END-----
>
>
> [9] http://tools.ietf.org/wg/jose/trac/ticket/9
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>

v2.23.0 | Report a Bug | By Email