Re: [jose] Issue #13 - use AES-GCM for Key Wrapping
"Jim Schaad" <ietf@augustcellars.com> Thu, 27 June 2013 03:19 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0786E21F964C for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 20:19:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.948
X-Spam-Level:
X-Spam-Status: No, score=-2.948 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f4jjLm4LRP-c for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 20:19:32 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6466A21F94DC for <jose@ietf.org>; Wed, 26 Jun 2013 20:19:29 -0700 (PDT)
Received: from Philemon (ip-64-134-233-240.public.wayport.net [64.134.233.240]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id D1E892CA15; Wed, 26 Jun 2013 20:19:27 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, jose@ietf.org
References: <4E1F6AAD24975D4BA5B168042967394367898761@TK5EX14MBXC283.redmond.corp.microsoft.com> <034101ce729b$27473b00$75d5b100$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789B458@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436789B458@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Wed, 26 Jun 2013 20:18:29 -0700
Message-ID: <03b901ce72e5$01248190$036d84b0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_03BA_01CE72AA.54F767F0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQH9pEpqg6SA+ykRJHySAR3RzJ5mhAI1BH/RAavUVGWYy0uIcA==
Content-Language: en-us
Subject: Re: [jose] Issue #13 - use AES-GCM for Key Wrapping
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 03:19:38 -0000
My point was that there were some issues that your draft did not fully address that need to be evaluated as part of your proposal not that these algorithms would need to be added. The n x m addition of algorithms to the registry is an issue that is there for your draft that is not present for Richard's draft and therefore needs to be considered in the arguments. From: Mike Jones [mailto:Michael.Jones@microsoft.com] Sent: Wednesday, June 26, 2013 12:22 PM To: Jim Schaad; jose@ietf.org Subject: RE: [jose] Issue #13 - use AES-GCM for Key Wrapping Yes, we could also propose algorithm combinations for key agreement followed GCM key wrapping but I didn't think that was an ask from the working group. The Denver minutes just recorded my action item as "key wrap draft for AES-GCM-keywrap", so that's what I did. We could have a discussion on Monday's call and on the list about whether the working group is also interested in other algorithms. Remember, the beauty of having the algorithms registry is that algorithms can be added "just in time" - as actual need for them is demonstrated. We don't have to register all conceivable algorithm combinations up front for the JWE/JWA specs to be complete. As for how the AEAD parameters are handled I used a parameter encoding that doesn't result in double base64url encoding anything. I could have instead introduced separate "iv" and "tag" header parameter values, but didn't do so for that reason. But if people would prefer that approach because it's more parallel to the use of GCM for plaintext encryption, I have no problem with that. I do believe that the objective of my draft was met - demonstrating that AEAD key wrapping can be easily done with the current drafts. The details of how the algorithm parameters are encoded is secondary to that and algorithm-specific; several reasonable choices are possible within the current JWE framework - one of which was described in my draft. -- Mike From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad Sent: Wednesday, June 26, 2013 11:30 AM To: Mike Jones; jose@ietf.org Subject: Re: [jose] Issue #13 - use AES-GCM for Key Wrapping <no hat> <sarcasm level="heavy"> I am shocked that you would possibly support this proposal. It provides for two ways of dealing with something. It is my understanding that you never support anything that has two ways of doing something. How the AEAD algorithm parameters is handled completely differently for this proposal and for the same algorithms being used in a CEK context. This is going to lead to confusion. </sarcasm> Your specification is missing some items that still need to be registered Thus you also need to have ECDH-ES+A128GCMKW and ECDH-ES+A256GCMKW defined in your document as well. Your document ends up with a registration complexity that needs to be thought about and dealt with as well. For every new key wrap algorithm added, you will need to register not only it alone but also it with every different key agreement algorithm that is supported. Thus adding a single key wrap algorithm becomes a slight issue in terms of adding in all of the different ways that it might be used. This is a complexity issue that is not discussed in the current draft. I have not necessarily found that document size equals code size. I have implemented some very simple documents that were very difficult to code and implemented some very long documents that were very easy to code. So I would not use that fact as a deciding factor. (Once again I regret the fact that the group did not go with an object descriptor for algorithms as this would have made all of this much simpler. I actually immediately map from the string to an object description in my JOSE implementation for simplicity reasons. Not to mention that this is way it needs to be done for the WebCrypto specficiation.) Jim From: Mike Jones [mailto:Michael.Jones@microsoft.com] Sent: Tuesday, June 25, 2013 4:18 PM To: 'Jim Schaad'; jose@ietf.org Subject: RE: [jose] Issue #13 - use AES-GCM for Key Wrapping http://tools.ietf.org/html/draft-jones-jose-aes-gcm-key-wrap-00 seems like a substantially simpler approach than http://tools.ietf.org/html/draft-barnes-jose-key-wrapping-01. This is evident by several metrics: . Number of proposed changes: The Jones draft proposes no changes to any of the current specs. It simply defines an encoding for GCM and adds registry entries for it. Whereas the Barnes draft proposes a major restructuring - listing 4 major changes in the introduction and 4 smaller changes. . Normative text size: The Jones GCM key wrap approach requires only 7 normative sentences in 1/2 page of text. The Barnes draft has four pages of normative text, along with an extensive introduction describing the proposed complete restructuring of JWS and JWE. We don't need to boil the ocean with a total redesign to enable AEAD key wrapping. It can already easily be done with the current specs simply by defining new algorithms. The approach taken in http://tools.ietf.org/html/draft-jones-jose-aes-gcm-key-wrap-00 would work for any AEAD algorithm. -- Mike From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad Sent: Tuesday, June 25, 2013 9:53 AM To: jose@ietf.org Subject: [jose] Issue #13 - use AES-GCM for Key Wrapping We now have two documents - one from Richard and one from Mike - which provide the two different ways that have been proposed for doing key wrapping with an AEAD algorithm. Please review the two documents and provide comments to the list. Jim
- [jose] Issue #13 - use AES-GCM for Key Wrapping Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Mike Jones
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… John Bradley
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Roland Hedberg
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Edmund Jay
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Mike Jones
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Manger, James H
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Mike Jones
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Breno de Medeiros
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Peck, Michael A
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Matias Woloski
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Carsten Bormann
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Nat Sakimura