[jose] Re: Do you need the JWP JSON Serialization?
Orie Steele <orie@transmute.industries> Thu, 08 August 2024 18:18 UTC
References: <SJ0PR02MB74391ECC2D8130E1F0994C1AB7BF2@SJ0PR02MB7439.namprd02.prod.outlook.com> <CA+k3eCQNWURoC=PcgNsmqGNhbd0Vpu9ukSwx+ZzJ7zLLS1hckg@mail.gmail.com> <CAN8C-_LYKz2Vg6gDQv3mRX4KsJnESeyc=Af58V_DBiLGV_Hqpg@mail.gmail.com> <CA+k3eCSw6+C3Hs3ijsUrO1rVNJbHTt8ggAp6AtcLkgRoH6vVFw@mail.gmail.com>
In-Reply-To: <CA+k3eCSw6+C3Hs3ijsUrO1rVNJbHTt8ggAp6AtcLkgRoH6vVFw@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 08 Aug 2024 13:18:32 -0500
Message-ID: <CAN8C-_+fh5UxVjvoQe5+VMZoWufkHM9CYaNbFagkoeN-ZNY4=A@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
CC: "jose@ietf.org" <jose@ietf.org>
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/QxzEAX10g6qXZBDYjkCYNPbKXms>
That's fair : ) Let's replace "suspicion" with "I would have argued for a different design".

In JOSE, ~ is just used as a placeholder for "missing unprotected header". You still need to validate that the correct mutable data was included, and that no "unexpected mutable data" was included. That's a "verifier policy over mutable data".

In the context of SD-JWT that means checking disclosures, matching their hash to the kbt and making sure the kbt is signed by the cnf.

That is very similar to the kind of unprotected header processing that COSE supports, see: https://www.rfc-editor.org/rfc/rfc9338.html#section-2

Sure, maybe it's less obvious that jwt (cnf) -> disclosures -> hash -> kbt signed by cnf is a kind of counter signature. But it is a second signature, over a specific set of disclosures that is grouped together with the first signature, which are verified together.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-9.1

"""
Unprotected headers other than disclosures are not covered by the digest, and therefore, as usual, are not protected against tampering.
"""

This is similar to how values in unprotected headers in COSE are not protected, unless there is some "verification process" such as checking a counter signature, or merkle tree inclusion proof.

Isn't JWP meant to replace SD-JWT in some cases that require stronger unlinkability?

IIRC SD-JWT and OAUTH had good reasons to define a JSON Serialization, and if it's used, those users should be able to switch to JWP or CWP in the future.

OS

On Thu, Aug 8, 2024 at 12:33 PM Brian Campbell <bcampbell@pingidentity.com> wrote:

> On Thu, Aug 8, 2024 at 11:27 AM Orie Steele <orie@transmute.industries> wrote:
> <snip>
>
>> If JWTs had unprotected headers, I suspect SD-JWT would have used them
>> for the mutable part (disclosures).
>
> That suspicion is entirely incorrect.
>
> <snip>

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
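The "verifier policy over mutable data" the post describes for SD-JWT, as an added Python example that is not code from the post, from the thread, or from any SD-JWT implementation: each presented disclosure's digest must appear in the issuer-signed JWT (so tampered, duplicated or never-issued disclosures are rejected), and the key-binding JWT must cover exactly the presented set via `sd_hash` and be bound to the verifier's `aud` and `nonce`. Both signatures are simulated with HS256 so it runs on the standard library alone; a real verifier checks the issuer JWT with the issuer's public key and the KB-JWT with the key carried in the issuer JWT's `cnf` claim. `ISSUER_KEY`, `HOLDER_KEY`, the salts, the claim values and the challenge are all constructed sample values.

```python
"""Added example: verifier checks over the mutable part of an SD-JWT
presentation (issuer JWT ~ disclosure ~ ... ~ key-binding JWT), modelled on
draft-ietf-oauth-selective-disclosure-jwt. HS256 stands in for the real
asymmetric signatures; all keys, salts and claims are constructed."""
import base64
import hashlib
import hmac
import json

ISSUER_KEY = b"issuer-demo-secret"  # placeholder for the issuer's signing key
HOLDER_KEY = b"holder-demo-secret"  # placeholder for the holder's cnf key
AUD, NONCE = "https://verifier.example", "nonce-123"  # constructed challenge


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_jwt(payload: dict, key: bytes, typ: str = "JWT") -> str:
    parts = ({"alg": "HS256", "typ": typ}, payload)
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    header, body, tag = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def make_disclosure(salt: str, name: str, value) -> str:
    return b64url(json.dumps([salt, name, value]).encode())


def sd_digest(text: str) -> str:
    # SD-JWT hashes the ASCII bytes of the base64url string itself
    return b64url(hashlib.sha256(text.encode("ascii")).digest())


def issue(claims: dict) -> tuple:
    """Issuer: one disclosure per claim; only the digests enter the signed JWT."""
    discs = {name: make_disclosure(f"salt-{i}", name, value)
             for i, (name, value) in enumerate(claims.items())}
    payload = {"iss": "https://issuer.example", "cnf": {"kid": "holder-demo"},
               "_sd_alg": "sha-256", "_sd": sorted(sd_digest(d) for d in discs.values())}
    return hs256_jwt(payload, ISSUER_KEY), discs


def present(issuer_jwt: str, chosen: list, aud: str, nonce: str) -> str:
    """Holder: choose disclosures, then bind exactly that set with a KB-JWT."""
    sd_jwt = issuer_jwt + "~" + "".join(d + "~" for d in chosen)
    kb = hs256_jwt({"aud": aud, "nonce": nonce, "iat": 1723141123,
                    "sd_hash": sd_digest(sd_jwt)}, HOLDER_KEY, typ="kb+jwt")
    return sd_jwt + kb


def verify_presentation(presentation: str, aud: str, nonce: str) -> dict:
    """Verifier policy over the mutable data; raises ValueError on any violation."""
    parts = presentation.split("~")
    issuer_jwt, disclosures, kb_jwt = parts[0], parts[1:-1], parts[-1]
    if not kb_jwt:
        raise ValueError("key binding required")
    payload = verify_hs256_jwt(issuer_jwt, ISSUER_KEY)
    allowed, seen, claims = set(payload["_sd"]), set(), {}
    for d in disclosures:
        h = sd_digest(d)
        if h not in allowed or h in seen:  # unexpected, tampered or duplicated
            raise ValueError("disclosure not vouched for by the issuer JWT")
        seen.add(h)
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    sd_jwt = presentation[: len(presentation) - len(kb_jwt)]  # up to the last '~'
    kb = verify_hs256_jwt(kb_jwt, HOLDER_KEY)  # real code selects the key via cnf
    if kb.get("sd_hash") != sd_digest(sd_jwt):
        raise ValueError("key binding does not cover this exact set of disclosures")
    if kb.get("aud") != aud or kb.get("nonce") != nonce:
        raise ValueError("key binding is not for this verifier or challenge")
    return claims


def rejected(presentation: str) -> bool:
    try:
        verify_presentation(presentation, AUD, NONCE)
    except ValueError:
        return True
    return False


def demo() -> dict:
    issuer_jwt, discs = issue({"given_name": "Ada", "family_name": "Lovelace",
                               "email": "ada@example.com"})
    good = present(issuer_jwt, [discs["given_name"]], AUD, NONCE)
    kb_jwt = good.split("~")[-1]
    # a disclosure the issuer never signed: value changed, digest not in _sd
    forged = issuer_jwt + "~" + make_disclosure("salt-0", "given_name", "Eve") + "~" + kb_jwt
    # a genuine issuer disclosure swapped in after key binding: digest ok, sd_hash mismatch
    swapped = issuer_jwt + "~" + discs["family_name"] + "~" + kb_jwt
    return {"claims": verify_presentation(good, AUD, NONCE),
            "forged_rejected": rejected(forged),
            "swapped_rejected": rejected(swapped)}


if __name__ == "__main__":
    print(demo())
```

The two failing cases show why both checks are needed: the `_sd` digest check alone would accept the swapped presentation (it is an issuer-signed disclosure), and the `sd_hash` check alone would accept the forged one if the holder signed over it; together they implement the "second signature over a specific set of disclosures, verified together with the first" that the post describes.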