Re: [jose] New Version Notification for draft-barnes-jose-jsms-00.txt
Anthony Nadalin <tonynad@microsoft.com> Tue, 26 June 2012 22:43 UTC
Return-Path: <tonynad@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6837C21F853B for <jose@ietfa.amsl.com>; Tue, 26 Jun 2012 15:43:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.767
X-Spam-Level:
X-Spam-Status: No, score=-0.767 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c473PmYImKjL for <jose@ietfa.amsl.com>; Tue, 26 Jun 2012 15:43:47 -0700 (PDT)
Received: from co1outboundpool.messaging.microsoft.com (co1ehsobe005.messaging.microsoft.com [216.32.180.188]) by ietfa.amsl.com (Postfix) with ESMTP id 4D72521F8516 for <jose@ietf.org>; Tue, 26 Jun 2012 15:43:47 -0700 (PDT)
Received: from mail175-co1-R.bigfish.com (10.243.78.243) by CO1EHSOBE002.bigfish.com (10.243.66.65) with Microsoft SMTP Server id 14.1.225.23; Tue, 26 Jun 2012 22:42:05 +0000
Received: from mail175-co1 (localhost [127.0.0.1]) by mail175-co1-R.bigfish.com (Postfix) with ESMTP id C6B4FAC0105 for <jose@ietf.org>; Tue, 26 Jun 2012 22:42:04 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC105.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -19
X-BigFish: VS-19(zz98dI9371I936eI168aJ148cI542M1432I1418I41c5N4015Izz1202h1082kzz1033IL8275eh8275bh8275dh5eeeKf73b6ila1495iz2fh2a8h683h839h944hd25hf0ah)
Received-SPF: pass (mail175-co1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14HUBC105.redmond.corp.microsoft.com ; icrosoft.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT001.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail175-co1 (localhost.localdomain [127.0.0.1]) by mail175-co1 (MessageSwitch) id 1340750522857219_1329; Tue, 26 Jun 2012 22:42:02 +0000 (UTC)
Received: from CO1EHSMHS015.bigfish.com (unknown [10.243.78.251]) by mail175-co1.bigfish.com (Postfix) with ESMTP id CF738280044 for <jose@ietf.org>; Tue, 26 Jun 2012 22:42:02 +0000 (UTC)
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.8) by CO1EHSMHS015.bigfish.com (10.243.66.25) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 26 Jun 2012 22:42:02 +0000
Received: from va3outboundpool.messaging.microsoft.com (157.54.51.114) by mail.microsoft.com (157.54.80.48) with Microsoft SMTP Server (TLS) id 14.2.309.3; Tue, 26 Jun 2012 22:43:43 +0000
Received: from mail145-va3-R.bigfish.com (10.7.14.243) by VA3EHSOBE008.bigfish.com (10.7.40.28) with Microsoft SMTP Server id 14.1.225.23; Tue, 26 Jun 2012 22:42:00 +0000
Received: from mail145-va3 (localhost [127.0.0.1]) by mail145-va3-R.bigfish.com (Postfix) with ESMTP id 1A64848026E for <jose@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Tue, 26 Jun 2012 22:42:00 +0000 (UTC)
Received: from mail145-va3 (localhost.localdomain [127.0.0.1]) by mail145-va3 (MessageSwitch) id 1340750516375015_31344; Tue, 26 Jun 2012 22:41:56 +0000 (UTC)
Received: from VA3EHSMHS008.bigfish.com (unknown [10.7.14.247]) by mail145-va3.bigfish.com (Postfix) with ESMTP id 562762C0094; Tue, 26 Jun 2012 22:41:56 +0000 (UTC)
Received: from BL2PRD0310HT001.namprd03.prod.outlook.com (157.56.240.21) by VA3EHSMHS008.bigfish.com (10.7.99.18) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 26 Jun 2012 22:41:54 +0000
Received: from BL2PRD0310MB362.namprd03.prod.outlook.com ([169.254.10.205]) by BL2PRD0310HT001.namprd03.prod.outlook.com ([10.255.97.36]) with mapi id 14.16.0164.004; Tue, 26 Jun 2012 22:43:34 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, 'John Bradley' <ve7jtb@ve7jtb.com>
Thread-Topic: [jose] New Version Notification for draft-barnes-jose-jsms-00.txt
Thread-Index: AQHNU+zdnbVDjIKLnEGk4H6pIKPfX5cNMgtw
Date: Tue, 26 Jun 2012 22:43:33 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E74F3B6BAD@BL2PRD0310MB362.namprd03.prod.outlook.com>
References: <4E1F6AAD24975D4BA5B168042967394366560A72@TK5EX14MBXC283.redmond.corp.microsoft.com> <CABzCy2D7tU6=Q30eBmRfLzqR1Dj4XbYJZRFOC7t2OU45CwEa3A@mail.gmail.com> <EC718B8E-F3AE-4CB7-9A23-4AAD1E13C093@bbn.com> <007301cd532c$f4e7f0c0$deb7d240$@augustcellars.com> <CFC0148D-7F8F-4693-8D8F-FCEEF0C028CE@ve7jtb.com> <A33A4456-25E1-4248-903D-602C08C5B931@bbn.com> <706BA894-367C-4AC5-B70A-21F9039C1F78@ve7jtb.com> <B26C1EF377CB694EAB6BDDC8E624B6E74F3B69C4@BL2PRD0310MB362.namprd03.prod.outlook.com> <43B1BD79-7847-45DF-A92A-C9DDC25F762A@ve7jtb.com> <B26C1EF377CB694EAB6BDDC8E624B6E74F3B6A29@BL2PRD0310MB362.namprd03.prod.outlook.com> <00e901cd53ec$944e5040$bceaf0c0$@augustcellars.com>
In-Reply-To: <00e901cd53ec$944e5040$bceaf0c0$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.174.57]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BL2PRD0310HT001.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%AUGUSTCELLARS.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%VE7JTB.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%BBN.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC105.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC105.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
Cc: "'Richard L. Barnes'" <rbarnes@bbn.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] New Version Notification for draft-barnes-jose-jsms-00.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jun 2012 22:43:50 -0000
Used all the time as its quicker than CBC mocde very simple if I have just 1 block of data -----Original Message----- From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad Sent: Tuesday, June 26, 2012 3:40 PM To: Anthony Nadalin; 'John Bradley' Cc: 'Richard L. Barnes'; jose@ietf.org Subject: Re: [jose] New Version Notification for draft-barnes-jose-jsms-00.txt Under what circumstances would people use ECB? > -----Original Message----- > From: Anthony Nadalin [mailto:tonynad@microsoft.com] > Sent: Tuesday, June 26, 2012 2:03 PM > To: John Bradley > Cc: Richard L. Barnes; Jim Schaad; jose@ietf.org > Subject: RE: [jose] New Version Notification for > draft-barnes-jose-jsms- 00.txt > > AES-ECB is also a popular alternative > > -----Original Message----- > From: John Bradley [mailto:ve7jtb@ve7jtb.com] > Sent: Tuesday, June 26, 2012 1:59 PM > To: Anthony Nadalin > Cc: Richard L. Barnes; Jim Schaad; jose@ietf.org > Subject: Re: [jose] New Version Notification for > draft-barnes-jose-jsms- 00.txt > > Yes that is why we added the composite HMAC + AES-CBC. We can debate if > that is an algorithm or mandatory integrity with non AEAD algorithms, > but the > effect of integrity protecting the header remains in both cases. > > John B. > > On 2012-06-26, at 4:30 PM, Anthony Nadalin wrote: > > > Not sure there was a WG decision and what that would mean if there > > was, > as there are many libraries out there that don't support the > encryption with > integrity algorithms, so need to support alternative means of things > like key > wrap that could have an integrity check. > > > > -----Original Message----- > > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf > > Of John Bradley > > Sent: Tuesday, June 26, 2012 12:30 PM > > To: Richard L. Barnes > > Cc: Jim Schaad; jose@ietf.org > > Subject: Re: [jose] New Version Notification for > > draft-barnes-jose-jsms-00.txt > > > > There was a WG decision to not allow encryption without integrity. Jim > and others call that sender verification. > > > > Or on simple terms no AES-CBC without a mandatory MAC integrity. > > > > The JWE/JWS specs don't control the body. That is intended to be arbitrary > content. > > > > We do have s JWT spec that covers the body for security tokens. The idea > was to separate that from signing and encryption so that signing and > encryption can be used for other objects. > > > > John B. > > > > On 2012-06-26, at 1:43 PM, Richard L. Barnes wrote: > > > >>> Now that we are mandating JWE sender verification people will be > >>> using > JWE with symmetric keys or key agreement. > >>> In those cases one can easily argue that the header should be protected > as much as in HMAC. > >> > >> Can you clarify the scope of "we are mandating"? > >> > >> > >>> There may well be signing_time or other elements that would go > >>> into > the header as well for JWE. > >> > >> Why do these need to go into the header rather than the body? > >> > >> --Richard > >> > >> > >> > >> > >>> Regards > >>> John B. > >>> > >>> On 2012-06-25, at 7:48 PM, Jim Schaad wrote: > >>> > >>>> <personal> > >>>> > >>>> Richard, > >>>> > >>>>> -----Original Message----- > >>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On > >>>>> Behalf Of Richard L. Barnes > >>>>> Sent: Monday, June 25, 2012 2:35 PM > >>>>> To: Nat Sakimura > >>>>> Cc: Mike Jones; jose@ietf.org > >>>>> Subject: Re: [jose] New Version Notification for > >>>>> draft-barnes-jose-jsms- 00.txt > >>>>> > >>>>> Hi Nat, > >>>>> > >>>>> I'm not sure what X.509 fiasco you're referring to. There was a > >>>>> recent > >>>> MD5 > >>>>> fiasco [1], but that's an attack on MD5, not X.509. In fact, > >>>>> there have > >>>> been > >>>>> recommendations for preventing this attack in X.509 since 2005 [2]. > >>>>> As > >>>> was > >>>>> noted on the SAAG list, the real news here is that Microsoft > >>>>> wasn't > >>>> following > >>>>> any of those recommendations. > >>>>> > >>>>> JWS would have had the same problem as X.509. The attack did > >>>>> not modify the cryptographic parameters (anything that would > >>>>> have gone in the header), it would not have been thwarted by the > >>>>> integrity protection we're worrying about. > >>>>> > >>>>> Actually, the header signing that JWS does makes it even nicer > >>>>> for the > >>>>> attacker: Flame used a "chosen prefix" attack, so since the JWS > >>>>> header > >>>> value > >>>>> is entirely static for a given signer, it's easy to use as a > >>>>> fixed prefix. > >>>> If JWS just > >>>>> signed the content, then the application could include a > >>>>> something random up front to prevent such prefix-based attacks. > >>>>> > >>>> > >>>> I don't believe that this is a true statement. If you had a > >>>> prefix or just signed what was given to you (i.e. no prefix), it > >>>> would make no difference in terms of the attack for Flame. Flame > >>>> could always use a fixed prefix of its own design rather than > >>>> using the fixed header that is generated by having JWS sign the > >>>> header > information. > >>>> > >>>>> It's tempting to say that we should just add randomness to the > >>>>> JOSE > >>>> format. > >>>>> But the real lesson of the Flame/MD5 attacks is operational: If > >>>>> you're > >>>> signing > >>>>> something that somebody else gave you, make sure that you're not > >>>>> signing exactly what they gave you. Follow the recommendations > >>>>> of RFC 4270. In other contexts, there's no need of similar > >>>>> random elements; it just adds complexity. > >>>> > >>>> This is definitely a true statement in all events and is > >>>> something that should be added to the Security Considerations section. > >>>> > >>>> That being said, I think that there are valid reasons for wanting > >>>> to protect the header information by some authentication processing. > >>>> PKIX certificates protect the signature algorithm information (by > >>>> copying the data into the to be signed block) and CMS has long > >>>> allowed for information to be included in the signed attributes > >>>> area that identifies the algorithms used, the certificates used > >>>> and so forth. There are also other things that we might find to > >>>> be convenient to be placed in the header information that is > >>>> current not there (a signing time and embedded content type comes > >>>> to mind) that would be a product either of specific types of > >>>> signatures or > becomes a common attribute to be placed there. > >>>> > >>>> In terms of encryption operations, I remember in the past that I > >>>> have had either corrupted encrypted streams or corrupted IVs and > >>>> had a successful decryption that later generated other problems > >>>> when trying to parse. This is less of an issue with AEAD > >>>> algorithms as they have a much stricter rule on when the stream > decrypts correctly. > >>>> > >>>> Jim > >>>> > >>>>> > >>>>> --Richard > >>>>> > >>>>> > >>>>> > >>>>> [1] > >>>>> <http://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf> > >>>>> [2] <http://tools.ietf.org/html/rfc4270#section-5.1> > >>>>> > >>>>> > >>>>> On Jun 21, 2012, at 11:11 AM, Nat Sakimura wrote: > >>>>> > >>>>>> Especially after the X.509 fiasco, I strongly believe that > >>>>>> having > >>>> integrity > >>>>> check over the metadata is a good thing. It is such a little > >>>>> effort that > >>>> gives us > >>>>> much more protection down the road. In this sense, I fully agree > >>>>> with Ben here. We should have integrity protection over the header. > >>>>>> > >>>>>> Nat > >>>>>> > >>>>>> On Thu, Jun 21, 2012 at 8:07 AM, Mike Jones > >>>>> <Michael.Jones@microsoft.com> wrote: > >>>>>> Two years ago when the developer community needing a > >>>>>> JSON-friendly > >>>>> token format was designing the JSON Web Token (JWT), we > >>>>> explicitly asked security experts whether the header parameters > >>>>> should be integrity protected or not. Among them, Ben Laurie > >>>>> was one of the voices saying > >>>> that > >>>>> securing them was the right thing to do. > >>>>>> > >>>>>> > >>>>>> > >>>>>> He argued that if the parameters can be protected in a > >>>>>> practical manner, > >>>>> then they should. Doing so provides an additional hurdle that > >>>>> attackers would have to surmount. For example, if they can try > >>>>> to substitute a > >>>> weaker > >>>>> authentication scheme, then they must figure out how to make it > >>>>> authenticate correctly despite some plaintext they can't control > >>>>> - the > >>>> header > >>>>> parameters. > >>>>>> > >>>>>> > >>>>>> > >>>>>> Ben also took the position that paring security protocols down > >>>>>> to the > >>>> least > >>>>> you can get away with, given attacks you can think of, is not a > >>>>> good > >>>> design > >>>>> principle. If there is not a strong argument against including > >>>>> a feature > >>>> that > >>>>> may make it harder for attackers, then that feature should be > included. > >>>>>> > >>>>>> > >>>>>> > >>>>>> I agree with him. > >>>>>> > >>>>>> > >>>>>> > >>>>>> The decision to provide integrity protection for the headers is > >>>> documented > >>>>> in the session notes at http://self-issued.info/?p=361, which said: > >>>>>> > >>>>>> > >>>>>> > >>>>>> . What to sign (envelope.payload or just payload)? > >>>>>> > >>>>>> Given that the envelope is extensible and therefore may contain > >>>> security- > >>>>> sensitive information, we reached a consensus (with input from > >>>>> Ben Laurie via IM) that the combination envelope.payload must be signed. > >>>>>> > >>>>>> > >>>>>> I believe that logic is as sound today as it was then. > >>>>>> > >>>>>> > >>>>>> > >>>>>> For all these reasons, I therefore personally stand by the > >>>>>> community's > >>>>> decision to provide integrity protection for the headers. > >>>>>> > >>>>>> > >>>>>> > >>>>>> Best > >>>>>> wishes, > >>>>>> > >>>>>> -- Mike > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> -----Original Message----- > >>>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On > >>>>>> Behalf Of > >>>>> John Bradley > >>>>>> Sent: Wednesday, June 20, 2012 3:57 PM > >>>>>> To: Richard L.Barnes > >>>>>> Cc: jose@ietf.org > >>>>>> Subject: Re: [jose] New Version Notification for > >>>>>> draft-barnes-jose-jsms- > >>>>> 00.txt > >>>>>> > >>>>>> > >>>>>> > >>>>>> Hi Richard, > >>>>>> > >>>>>> > >>>>>> > >>>>>> While for PKCS 1.5 the hash algorithm is baked into the padding > >>>>>> and not > >>>>> susceptible to modification with ECDH or RSA-PSS it is not. > >>>>>> > >>>>>> There are possible hash truncation attacks by shortening SHA256 > >>>>>> to > >>>> SHA224 > >>>>> as an example (I know we preclude truncated hashes at the > moment). > >>>>>> > >>>>>> > >>>>>> > >>>>>> The bad feeling I get around this is that if there is a > >>>>>> scenario where > >>>> the > >>>>> attacker controls the plaintext to be signed and there is no > >>>>> signer > >>>> controlled > >>>>> text contributed there are potential bad things that could > >>>>> happen down the road. > >>>>>> > >>>>>> > >>>>>> > >>>>>> This bit us with x509 certs not that long ago (yes with MD5 > >>>>>> admittedly) > >>>>> where the attacker could use a certificate extension to include > >>>>> extra data > >>>> and > >>>>> cause a pre collided hash to be generated. > >>>>>> > >>>>>> Having part of the signed data outside the control of an > >>>>>> attacker is a > >>>> good > >>>>> thing. (having a nonce or message ID in the envelope is > >>>>> possible though > >>>> not > >>>>> yet required in JWS.) > >>>>>> > >>>>>> > >>>>>> > >>>>>> I am still of the opinion that putting the base64 encoded > >>>>>> envelope > >>>> inside > >>>>> the hash calculation is a valid way to allow additional attributes. > >>>>>> > >>>>>> Another structure to hold the attributes adds more complexity, > >>>>>> as would > >>>>> saying that they need to be inside the signed object. > >>>>>> > >>>>>> > >>>>>> > >>>>>> I think part of this is that as one of the openID Connect > >>>>>> authors I look > >>>> at this > >>>>> as a necessary security token format, for OAuth and Connect. > >>>>>> > >>>>>> For that simple processing with one signature is a high > >>>>>> priority for > >>>> adoption. > >>>>>> > >>>>>> > >>>>>> > >>>>>> From a general signing/encrypting of documents point of view > >>>>>> you > >>>>> legitimately have different priorities. > >>>>>> > >>>>>> > >>>>>> > >>>>>> I know it is hard to prove a negative but It is also going to > >>>>>> be > >>>> difficult for me > >>>>> to go back to security people at google Facebook and other > >>>>> places and explain how not integrity protecting the header could > >>>>> be better than integrity protecting it. > >>>>>> > >>>>>> > >>>>>> > >>>>>> It seems that I would be reduced to arguing that this is no > >>>>>> worse than > >>>> CMS > >>>>> and that hasn't been proven insecure yet. > >>>>>> > >>>>>> > >>>>>> > >>>>>> Allowing a possible attacker to control the hash output, and > >>>>>> not > >>>> integrity > >>>>> protecting the additional data, seems like something I am bound > >>>>> to regret > >>>> in > >>>>> the future. > >>>>>> > >>>>>> > >>>>>> > >>>>>> Regards > >>>>>> > >>>>>> John B. > >>>>>> > >>>>>> > >>>>>> > >>>>>> On 2012-06-19, at 7:00 PM, Richard L. Barnes wrote: > >>>>>> > >>>>>> > >>>>>> > >>>>>>> Hey John, > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> Interesting points, but I don't think they actually apply here. > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> With regard to downgrade attacks: > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> The attack that RFC 5752 is concerned with is when an attacker > >>>>>>> strips > >>>>> signatures from a signed message, so that the only ones left are > >>>>> ones he > >>>> can > >>>>> tamper with. So the integrity protection here is "horizontal"; > >>>>> it goes > >>>> across > >>>>> signatures. The integrity protection in JWS/JWE is "vertical" > >>>>> -- it only > >>>> protects > >>>>> one signer's parameters -- so it is, so to speak, orthogonal. > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> With regard to "brown bag" attacks: > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> The root of this attack is ambiguity about what content is > >>>>>>> *signed* > >>>>>> > >>>>>>> vs. what content is *used*. If an application doesn't verify > >>>>>>> that > >>>>>> > >>>>>>> it's actually using the stuff that's signed, then it can be > >>>>>>> tricked > >>>>>> > >>>>>>> into accepting something unsigned. (Cf. > >>>>>> > >>>>>>> <http://en.wikipedia.org/wiki/Confused_Deputy>) > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> However, I don't think any of the current proposals have that > problem. > >>>>> In JWE/JWS, the signed content is right there between the dots, > >>>>> and in > >>>> JSMS, > >>>>> it's in the "content" element. The current JSMS draft does > >>>>> allow detached signatures, but with a "voids your warranty" sticker on it. > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> In any case, these attacks have nothing to do with whether the > >>>>> cryptographic parameters are integrity-protected with the content. > >>>>> The example attacks in the IBM still work regardless -- the > >>>>> whole point of the attack is that the cryptographic processing > >>>>> is the same, only the > >>>> (non-crypto) > >>>>> matching of content is flawed. > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> With regard to "arbitrary attributes": > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> We can have that here, too, but you need canonicalization. > >>>>>>> And > >>>> base64- > >>>>> encoding is not not canonicalization -- it just waves its hands > >>>>> over the question of equivalence. In my opinion, we should keep > >>>>> the cryptographic object simple by disallowing attributes, and > >>>>> push the attributes you would sign inside of the thing being > >>>>> signed. If people really do want > >>>> attributes, it > >>>>> doesn't seem to me like JSON canonicalization is very hard. I > >>>>> can do it > >>>> in 19 > >>>>> lines of python: > >>>>>> > >>>>>>> <http://pastebin.com/ptUfn0c3> > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> With regard too "meta-data in the body": > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> It seems to me like if we're trying to define a general format > >>>>>>> for > >>>> applying > >>>>> security protections, then we ought to keep out things that > >>>>> aren't > >>>> strictly > >>>>> security relevant. Those things can go in application-specific > >>>>> content > >>>> types > >>>>> (e.g., SAML) without polluting the general purpose header. > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> With regard to "defense in depth" and selling this to > >>>>>>> government > >>>>> agencies: > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> CMS, via S/MIME, is in broad use across multiple federal > >>>>>>> agencies and > >>>>> large enterprises. JSMS is essentially a profile of CMS (see > >>>>> Section 7), > >>>> and > >>>>> has the same security properties. > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> Cheers, > >>>>>> > >>>>>>> --Richard > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> On Jun 19, 2012, at 5:10 PM, John Bradley wrote: > >>>>>> > >>>>>>> > >>>>>> > >>>>>>>> Hi Richard, > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> Originally we only integrity protected the header for signing. > >>>>>>>> We > >>>> added > >>>>> the integrity protection to encryption as part of AEAD, as > >>>>> encryption can > >>>> also > >>>>> be used for sender verification. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> I understand the argument that it makes things simpler if we > >>>>>>>> don't > >>>>> integrity protect the header information. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> However xmldsig, provides integrity over those elements to > >>>>>>>> prevent > >>>>> possible downgrade attacks by manipulating the algorithms. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> CMS may not typically provide that integrity protection but I > >>>>>>>> think > >>>> Jim > >>>>> Schaad and Sean Terner created RFC5752 to address downgrade > attacks. > >>>>>> > >>>>>>>> Given they are on this list they can speak to their view on > >>>>>>>> integrity > >>>> over > >>>>> the crypto parameters. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> I also recall when working on InfoCards there was a Monte > >>>>>>>> Carlo/Brown > >>>>> Bag attack that needs to be considered if we move to something > >>>>> more like a detached signature. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> The other design consideration is that we wanted to be able > >>>>>>>> to sign > >>>>> arbitrary byte strings not just JSON. You could sign XML if you > wanted. > >>>>>> > >>>>>>>> That prevented us from including meta-data in the body as we > >>>>>>>> didn't > >>>>> want to touch it. That left us with the header to include additional > >>>> elements > >>>>> in. > >>>>>> > >>>>>>>> Not integrity protecting those elements as well would be a > problem. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> I am not a CMS expert but I believe it allows for signing of > >>>> arbitrary > >>>>> attributes not unlike the current JOSE spec. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> Especially for something that will be used with JWT security > >>>>>>>> tokens I > >>>> will > >>>>> have a hard time making the argument to NIST and others that > >>>>> need to approve this format that not integrity protecting the > >>>>> header parameters is appropriate defence in depth, for something > >>>>> that might be replacing signed SAML assertions in some applications. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> I do understand how not integrity protecting the header will > >>>>>>>> make > >>>> some > >>>>> things easier, however I can't agree that the benefit outweighs > >>>>> the disadvantages. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> Regards > >>>>>> > >>>>>>>> John B. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> On 2012-06-18, at 10:02 PM, Richard L. Barnes wrote: > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>>> Hey Mike, > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> Thanks for having some back-and-forth with me on this. I > >>>>>>>>> think this > >>>> is a > >>>>> good discussion to have right now. I would like to discuss some > >>>> high-level > >>>>> points, and then I'll respond inline to your precise points. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> tl;dr: In order to meet its deliverables, the WG needs to > >>>>>>>>> define > >>>> JSON- > >>>>> based formats for integrity and confidentiality protections. > >>>>> JWE and JWS don't fit that requirement, so we should re-consider > >>>>> their adoption and > >>>> call > >>>>> for new candidates. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> Major points: > >>>>>> > >>>>>>>>> 1. JOSE is JSON > >>>>>> > >>>>>>>>> 2. JSON does not imply canonicalization 3. Compactness and > >>>>>> > >>>>>>>>> URL-safeness are still OK, as derivatives > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> Part 1: JOSE is JSON > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> The JOSE WG charter calls out four deliverables, three of > >>>>>>>>> which are > >>>>> explicitly required to be JSON: > >>>>>> > >>>>>>>>> -- "JSON-structured integrity protection" > >>>>>> > >>>>>>>>> -- "JSON-structured encryption" > >>>>>> > >>>>>>>>> -- "public keys as JSON-structured objects" > >>>>>> > >>>>>>>>> (The fourth is just a list of algorithms, which should be > >>>>>>>>> JSON as > >>>>>> > >>>>>>>>> well, just as RFC 3370 is ASN.1.) > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> In light of these requirements, JWE and JWS are clearly not > >>>>>>>>> suitable > >>>>>> > >>>>>>>>> candidates to fulfill the working group's milestones. (At > >>>>>>>>> least in > >>>>>> > >>>>>>>>> their current form.) So ISTM that we need to step back and > >>>>>> > >>>>>>>>> re-evaluate alternatives for the three above milestones, > >>>>>>>>> especially > >>>>>> > >>>>>>>>> the first two. (JWK is not as far off.) > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> As JSON-based mechanisms, though, the "JSON serialization" > >>>>>>>>> drafts > >>>>> are pretty half-hearted. Because JWS and JWE include the > >>>>> cryptographic parameters within the integrity protection, they > >>>>> have to have the headers included as base64-encoded strings. > >>>>> That obviously adds a lot of > >>>> complexity > >>>>> to encoding and decoding -- for example, you have to keep the > >>>>> encoded header around even after you've decoded it! -- and just > plain more octets. > >>>>> The support for multiple recipients and multiple signatures is > >>>>> both > >>>> unweildy > >>>>> (matching up parallel indices for headers and signatures) and > >>>>> inefficient (multiple integrity check values in encrypted objects). > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> By contrast, JSMS takes advantage of the cryptographic > >>>>>>>>> wisdom that > >>>>> went into CMS, while making the syntax pure JSON and as simple > >>>>> as > >>>> possible. > >>>>> Multiple signatures and multiple recipients are supported with > >>>>> absolute minimum overhead. So I think it's worth consideration > >>>>> by the working > >>>> group. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> Part 2: JSON !=> canonicalization > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> I would like to dispel the myth that a JSON-based format > >>>>>>>>> requires > >>>>>> > >>>>>>>>> canonicalization. In JWE/JWS, the JSON header requires > >>>>>> > >>>>>>>>> "canonicalization" (via base64url encoding) because it's > >>>>>>>>> included > >>>>>> > >>>>>>>>> within the integrity protection. I'm not aware of any > >>>>>>>>> reason for > >>>>>> > >>>>>>>>> including the cryptographic parameters in the integrity > >>>>>>>>> check, > >>>>>> > >>>>>>>>> instead of only integrity-protecting the content itself. > >>>>>>>>> Indeed, if > >>>>>> > >>>>>>>>> there were an attack based on non-integrity-protected > >>>>>>>>> cryptographic > >>>>>> > >>>>>>>>> parameters, it would be a pretty big deal, since neither CMS > >>>>>>>>> nor IKE > >>>>>> > >>>>>>>>> nor provides this protection. (TLS does provide a signature > >>>>>>>>> over > >>>>>> > >>>>>>>>> the algorithms, but only as a way to bind the public key to > >>>>>>>>> the > >>>>>> > >>>>>>>>> session.) > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> Indeed CMS doesn't require canonicalization at all, except > >>>>>>>>> for > >>>>> attributes that are included in the protected content > >>>>> (signedAttrs / authenticatedAttrs), which need to be > >>>>> DER-encoded. In JSMS, we don't allow those parameters, so there > >>>>> is no need for canonicalization > at all. > >>>> All the > >>>>> "canonicalization" that's needed is to base64url-encode the > >>>>> protected content. In that regard, JSMS is even simpler than > JWE/JWS. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> Part 3: Compactness and URL-safeness are still OK, as > >>>>>>>>> derivatives > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> I have absolutely no objection to defining a compact, > >>>>>>>>> URL-safe > >>>> format. > >>>>> Indeed, I did so in the JSMS draft, in Section 5. Encoding the > >>>>> example > >>>> from > >>>>> Section 3.1 of the JWS spec, we get the following JSMS object: > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> { > >>>>>> > >>>>>>>>> "v":1, > >>>>>> > >>>>>>>>> "t":"au", > >>>>>> > >>>>>>>>> "a":"hs256", > >>>>>> > >>>>>>>>> "c":"eyJpc3MiOiJqb2...0cnVlfQ", > >>>>>> > >>>>>>>>> "mac":"pwM0gJNMLFxn8G1- > juQFLrJtMEOR8_FeKIH3wIM_OAo", > >>>>>> > >>>>>>>>> "ki":"rSIilRk8Ego" > >>>>>> > >>>>>>>>> } > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> If we remove the decorative spaces and base64url-encode, we > >>>>>>>>> only > >>>>> use > >>>>>> > >>>>>>>>> 88 octets more than JWS (267 vs. 179). If we take this a > >>>>>>>>> step > >>>>>> > >>>>>>>>> further and define an explicit compact format for > >>>>>>>>> AuthenticatedData, > >>>>>> > >>>>>>>>> we can emulate JWS by moving the content and MAC fields > >>>>>>>>> outside > >>>>> and > >>>>>> > >>>>>>>>> dot-combining. That avoids double-base64url-encoding, and > >>>>>>>>> only > >>>>>> > >>>>>>>>> takes up 11 more octets than a JWS (190 vs 179). (I've put > >>>>>>>>> the code > >>>>>> > >>>>>>>>> to generate these in the Github project linked earlier.) > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> So it's fine to have a compact, URL-safe format for an > >>>>>>>>> objective, > >>>> but it > >>>>> makes *much* more sense to derive that from a full-size, usable, > >>>>> JSON format than the other way around. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> Responses to specific points inline below. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>>> Fair enough. I'll briefly respond to each in turn. Before > >>>>>>>>>> doing > >>>> so, I'll > >>>>> say that I'm writing in the spirit of trying to increase mutual > >>>> understanding > >>>>> and consensus, rather than taking the point of view that the > >>>>> status quo is > >>>> the > >>>>> only reasonable outcome. > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> -- Not being JSON > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> This was by design, so that the results are URL-safe. This > >>>>>>>>>> is > >>>> required, > >>>>> for instance, for them to be used as OAuth Bearer Tokens. At > >>>>> the request > >>>> of > >>>>> the working group, closely related pure-JSON drafts were also > published. > >>>>> See: > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> http://tools.ietf.org/html/draft-jones-json-web-signature-j > >>>>>>>>>> so > >>>>>>>>>> n > >>>>>>>>>> -seri > >>>>>> > >>>>>>>>>> alization-01 and > >>>>>> > >>>>>>>>>> http://tools.ietf.org/html/draft-jones-json-web-encryption- > >>>>>>>>>> js > >>>>>>>>>> o > >>>>>>>>>> n-ser > >>>>>> > >>>>>>>>>> ialization-01 > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> Use them if you prefer if they better suit your use cases. > >>>>>>>>>> They > >>>> could > >>>>> be adopted as working group documents, if there's interest. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> See above. These are super-clunky, and the need to be the > >>>>>>>>> main > >>>>> focus of the WG, not an afterthought. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>>> -- Not supporting multiple recipients > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> The JSON serialization drafts above do, again, in response > >>>>>>>>>> to use > >>>>> cases presented by the working group. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> See above. Because of the unnecessary inclusion of the > >>>>>>>>> header in > >>>> the > >>>>> integrity check, this is far less efficient than it should be. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>>> -- Lacking clear distinctions between signing and MAC > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> Functionally, these are very similar operations, at least > >>>>>>>>>> from an > >>>>> implementation perspective, so it's not clear that making a > >>>>> clear > >>>> distinction > >>>>> would help either developers or adoption in any practical way. > >>>>> They > >>>> achieve > >>>>> overlapping, but admittedly sometimes different goals. I > >>>>> believe that developers can be trusted to use the algorithms > >>>>> that achieve their applications' goals without making a hard > >>>>> distinction between > the two. > >>>> But > >>>>> I'd be interested in hearing your thoughts on why you believe a > >>>> brighter-line > >>>>> distinction might be useful or necessary. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> It's important if you want to do MACs with anything other > >>>>>>>>> than > >>>>>>>>> pre- > >>>>> shared keys. If you want to do anything more advanced, you need > >>>>> to have wrapped keys, in which case an object with a MAC starts > >>>>> to look a lot more like a JWE than a JWS. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>>> -- Lacking clear processing instructions for different key > >>>>>> > >>>>>>>>>> establishment modalities > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> This seems like an area where the existing drafts could be > >>>>>>>>>> refined > >>>> to > >>>>> add descriptions for additional establishment modalities, > >>>>> possibly based upon your ideas and descriptions, should the > >>>>> working group decide to do > >>>> so. > >>>>> What additional modalities do you have use cases for that you > >>>>> believe are not achievable or straightforward with the existing > >>>>> drafts? The existing modalities supported are largely those > >>>>> that existing developers had told > >>>> us > >>>>> they needed and draw both from the precursor > >>>>> draft-jones-json-web-* documents and draft-rescorla-jsms. > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> Bear in mind that the balance that the current drafts try > >>>>>>>>>> to strike > >>>> is > >>>>> keeping the Mandatory to Implement (MTI) feature footprint small > >>>>> enough that developers, including Web developers, are likely to > >>>>> adopt the specs, while still providing enough functionality to > >>>>> make > them generally useful. > >>>> As > >>>>> in any balance, it's often possible to shift things a bit and > >>>>> still > >>>> maintain the > >>>>> balance, but I'd like people to keep the ubiquitous adoption > >>>>> goal > >>>> front-and- > >>>>> center when proposing additional functionality. > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> Ubiquitous deployment and usefulness trump theoretical > >>>>>> > >>>>>>>>>> completeness. (Just look at XMLDSIG and XMLENC to > understand > >>>>>> > >>>>>>>>>> that!) > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> I agree that we need to find a reasonable MTI. The current > >>>>>>>>> JSMS > >>>> draft > >>>>> doesn't really specify which parts are MTI, beyond basic things > >>>>> like > >>>> base64url > >>>>> encoding and ignoring unknown fields. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> My main concern is that JWS and JWE don't really tell me > >>>>>>>>> which > >>>> fields > >>>>> need to be present for which use case. If I'm putting a MAC on > >>>>> a JWS > vs. > >>>> a > >>>>> signature, do I need "jwk" or "jku" fields to be populated? > >>>>> Whereas in > >>>> JSMS, > >>>>> I think these things are much clearer due to the separation of > >>>>> the use > >>>> cases > >>>>> (Signed/Authenticated/Encrypted) and the isolation of signatures > >>>>> and wrapped keys into sub-objects. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>>> -- Lack of clear typing of objects > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> Most JSON documents aren't clearly typed; instead, > >>>>>>>>>> developers and > >>>>> implementations understand from context what the meaning of each > field is. > >>>>> XML is clearly typed, but developers are voting with their feet > >>>>> by moving > >>>> to > >>>>> JSON. > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> What practical advantages resulting from overlaying a > >>>>>>>>>> typing > >>>>> infrastructure on JSON do you believe are worth the potential > >>>>> costs of > >>>> doing > >>>>> so? BTW, I'm not opposed to having a JSON schema description of > >>>>> the JOSE JSON data structures like JSMS did in > >>>>> http://tools.ietf.org/html/draft- rescorla-jsms-00#appendix-A, > >>>>> but I'll remark that this an informative > >>>> tool, not > >>>>> a normative one. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> I actualy don't have a hugely urgent requirement here either. > >>>>>>>>> It's > >>>>> something that others in the WG had requested, which is trivial > >>>>> to add in JSMS, but not in JWE/JWS -- again because of the > >>>>> unnecessary integrity protection of the header. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>>> -- Lack of versioning for future extensibility > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> An optional version field could be added if the working > >>>>>>>>>> group > >>>>>> > >>>>>>>>>> desires, however the last time the working group discussed > >>>>>>>>>> it, they > >>>>>> > >>>>>>>>>> decided not to do so. Rather, specs like this effectively > >>>>>>>>>> become > >>>>>> > >>>>>>>>>> "versioned" when revised in a way that new fields are added. > >>>>>>>>>> If > >>>>>> > >>>>>>>>>> you understand the new fields, you support that new version. > >>>>>>>>>> (Note > >>>>>> > >>>>>>>>>> that this is independent of whether there is a version > >>>>>>>>>> number > >>>>>> > >>>>>>>>>> field, which according to some participants in the previous > >>>>>> > >>>>>>>>>> discussion, they regarded as therefore being redundant > >>>>>> > >>>>>>>>>> information.) > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> I'm not religious about not having a version number field, > >>>>>>>>>> but > >>>> often > >>>>> "less is more". > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> Indeed, I'm not religious either. It just seems like a > >>>>>>>>> general good > >>>> idea > >>>>> to state this directly as opposed to having parsers divine it > >>>>> based on > >>>> which > >>>>> fields are present. To quote RFC 5652: > >>>>>> > >>>>>>>>> " > >>>>>> > >>>>>>>>> Each of the major data structures includes a version number > >>>>>>>>> as the > >>>>>> > >>>>>>>>> first item in the data structure. The version numbers are > >>>>>>>>> intended > >>>>>> > >>>>>>>>> to avoid ASN.1 decode errors. Some implementations do not > >>>>>>>>> check > >>>>> the > >>>>>> > >>>>>>>>> version number prior to attempting a decode, and if a decode > >>>>>>>>> error > >>>>>> > >>>>>>>>> occurs, then the version number is checked as part of the > >>>>>>>>> error > >>>>>> > >>>>>>>>> handling routine. This is a reasonable approach; it places > >>>>>>>>> error > >>>>>> > >>>>>>>>> processing outside of the fast path. This approach is also > >>>>>> > >>>>>>>>> forgiving when an incorrect version number is used by the > sender. > >>>>>> > >>>>>>>>> " > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> Best, > >>>>>> > >>>>>>>>> --Richard > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> Best wishes, > >>>>>> > >>>>>>>>>> -- Mike > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> -----Original Message----- > >>>>>> > >>>>>>>>>> From: Richard L. Barnes [mailto:rbarnes@bbn.com] > >>>>>> > >>>>>>>>>> Sent: Friday, June 15, 2012 3:00 PM > >>>>>> > >>>>>>>>>> To: Mike Jones > >>>>>> > >>>>>>>>>> Cc: jose@ietf.org > >>>>>> > >>>>>>>>>> Subject: Re: [jose] Fwd: New Version Notification for > >>>>>> > >>>>>>>>>> draft-barnes-jose-jsms-00.txt > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> Ok, so maybe I should have phrased my lead-in differently. > >>>>>>>>>> IMO, > >>>> the > >>>>> current JW* specs are deficient in several ways, e.g.: > >>>>>> > >>>>>>>>>> -- Not being JSON > >>>>>> > >>>>>>>>>> -- Not supporting multiple recipients > >>>>>> > >>>>>>>>>> -- Lacking clear distinctions between signing and MAC > >>>>>> > >>>>>>>>>> -- Lacking clear processing instructions for different key > >>>>>> > >>>>>>>>>> establishment modalities > >>>>>> > >>>>>>>>>> -- Lack of clear typing of objects > >>>>>> > >>>>>>>>>> -- Lack of versioning for future extensibility > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> Looking at the current specs, it didn't seem to me that it > >>>>>>>>>> would be > >>>>> simple to adapt them to address these deficiencies. So I just > >>>>> did a > >>>> re-write. > >>>>> If you think they can be addressed within the current framework, > >>>>> please explain. I just found it simpler to start from whole cloth. > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> Cheers, > >>>>>> > >>>>>>>>>> --Richard > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> On Jun 15, 2012, at 5:43 PM, Mike Jones wrote: > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>>> Hi Richard, > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> If you're puzzled by specific design decisions in the JOSE > >>>> documents, > >>>>> I encourage you to ask about them on the list. The documents > >>>>> have significant history going back to mid-2010 when convergence > >>>>> discussions started among people with four different JSON > >>>>> signing & encryption proposals. JWT and the current JOSE specs > >>>>> and implementations are the result. I realize that not all the > >>>>> JOSE participants were part of those discussions from the > >>>>> beginning (although many were) and so teasing out the rationale > >>>>> for specific decisions might help people better understand the > >>>>> choices made, and hopefully thereby increase consensus behind > >>>>> the eventual > working group choices. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> If the list that you're puzzled by is the bulleted list > >>>>>>>>>>> below, > >>>> maybe we > >>>>> can start a discussion on that basis. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> Best wishes, > >>>>>> > >>>>>>>>>>> -- Mike > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> -----Original Message----- > >>>>>> > >>>>>>>>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] > >>>>>>>>>>> On > >>>>>> > >>>>>>>>>>> Behalf Of Richard L. Barnes > >>>>>> > >>>>>>>>>>> Sent: Friday, June 15, 2012 2:08 PM > >>>>>> > >>>>>>>>>>> To: jose@ietf.org > >>>>>> > >>>>>>>>>>> Subject: [jose] Fwd: New Version Notification for > >>>>>> > >>>>>>>>>>> draft-barnes-jose-jsms-00.txt > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> Dear JOSE WG, > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> Like Mr. Manger, once I finally got around to doing a > >>>>>>>>>>> thorough > >>>>> review of the JW* specs, I was kind of puzzled by some of the > >>>>> design decisions. So I also went through and wrote an > >>>>> alternative format, this > >>>> time > >>>>> taking a more of a cue from CMS. A link to the document is below. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> Summary of differences: > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> o JSMS is pure JSON, whereas in JWE and JWS only the > header > >>>>>> > >>>>>>>>>>> parameters are represented in JSON. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> o JSMS allows for full algorithm agility in key > >>>>>>>>>>> agreement, while > >>>> JWE > >>>>>> > >>>>>>>>>>> only allows ECDH-ES. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> o JSMS supports multiple recipients for EncryptedData and > >>>>>> > >>>>>>>>>>> AuthenticatedData objects via the inclusion of multiple > >>>>> WrappedKey > >>>>>> > >>>>>>>>>>> objects. Sending a JWE to multiple recipients requires > >>>>>>>>>>> re- > >>>>>> > >>>>>>>>>>> encryption of the entire object for each recipient. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> o The signature and MAC functions of the JWS object are > >>>>>>>>>>> separated > >>>>>> > >>>>>>>>>>> into SignedData and AuthenticatedData JSMS objects. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> o JSMS parameters are not integrity-protected, as they > >>>>>>>>>>> are in JWE > >>>>>> > >>>>>>>>>>> and JWS. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> o The "typ" and "zip" parameters are not defined in JSMS, > >>>>>>>>>>> but > >>>> could > >>>>>> > >>>>>>>>>>> be added without significant change. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> o JSMS requires that recipients MUST ignore unknown > header > >>>>>> > >>>>>>>>>>> parameters, in order to facilitate extensibility. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> I've also thrown together an initial JavaScript > >>>>>>>>>>> implementation > >>>> (based > >>>>> on NodeJS for some python crypto glue), which is on github: > >>>>>> > >>>>>>>>>>> <https://github.com/bifurcation/jsms> > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> Comments are very welcome. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> Thanks, > >>>>>> > >>>>>>>>>>> --Richard > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> Begin forwarded message: > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> From: internet-drafts@ietf.org > >>>>>> > >>>>>>>>>>>> Subject: New Version Notification for > >>>>>> > >>>>>>>>>>>> draft-barnes-jose-jsms-00.txt > >>>>>> > >>>>>>>>>>>> Date: June 15, 2012 4:56:09 PM EDT > >>>>>> > >>>>>>>>>>>> To: rbarnes@bbn.com > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> A new version of I-D, draft-barnes-jose-jsms-00.txt has > >>>>>>>>>>>> been > >>>>>> > >>>>>>>>>>>> successfully submitted by Richard Barnes and posted to > >>>>>>>>>>>> the IETF > >>>>>> > >>>>>>>>>>>> repository. > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> Filename: draft-barnes-jose-jsms > >>>>>> > >>>>>>>>>>>> Revision: 00 > >>>>>> > >>>>>>>>>>>> Title: JavaScript Message Security Format > >>>>>> > >>>>>>>>>>>> Creation date: 2012-06-15 > >>>>>> > >>>>>>>>>>>> WG ID: Individual Submission > >>>>>> > >>>>>>>>>>>> Number of pages: 25 > >>>>>> > >>>>>>>>>>>> URL: > >>>> http://www.ietf.org/internet-drafts/draft-barnes-jose- > >>>>> jsms-00.txt > >>>>>> > >>>>>>>>>>>> Status: > >>>> http://datatracker.ietf.org/doc/draft-barnes-jose-jsms > >>>>>> > >>>>>>>>>>>> Htmlized: > >>>> http://tools.ietf.org/html/draft-barnes-jose-jsms-00 > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> Abstract: > >>>>>> > >>>>>>>>>>>> Many applications require the ability to send > >>>>>>>>>>>> cryptographically > >>>>>> > >>>>>>>>>>>> secured messages. While the IETF has defined a number of > >>>>> formats > >>>>>> > >>>>>>>>>>>> for such messages (e.g. CMS) those formats use encodings > >>>>>>>>>>>> which > >>>>>> > >>>>>>>>>>>> are not easy to use in modern applications. This > >>>>>>>>>>>> document > >>>>>> > >>>>>>>>>>>> describes the JavaScript Message Security format (JSMS), > >>>>>>>>>>>> a new > >>>>>> > >>>>>>>>>>>> cryptographic message format which is based on JavaScript > >>>>>>>>>>>> Object > >>>>>> > >>>>>>>>>>>> Notation (JSON) and thus is easy for many applications to > >>>> generate > >>>>> and parse. > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> The IETF Secretariat > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> _______________________________________________ > >>>>>> > >>>>>>>>>>> jose mailing list > >>>>>> > >>>>>>>>>>> jose@ietf.org > >>>>>> > >>>>>>>>>>> https://www.ietf.org/mailman/listinfo/jose > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> _______________________________________________ > >>>>>> > >>>>>>>>>>> jose mailing list > >>>>>> > >>>>>>>>>>> jose@ietf.org > >>>>>> > >>>>>>>>>>> https://www.ietf.org/mailman/listinfo/jose > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> _______________________________________________ > >>>>>> > >>>>>>>>>> jose mailing list > >>>>>> > >>>>>>>>>> jose@ietf.org > >>>>>> > >>>>>>>>>> https://www.ietf.org/mailman/listinfo/jose > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> _______________________________________________ > >>>>>> > >>>>>>>>> jose mailing list > >>>>>> > >>>>>>>>> jose@ietf.org > >>>>>> > >>>>>>>>> https://www.ietf.org/mailman/listinfo/jose > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> _______________________________________________ > >>>>>> jose mailing list > >>>>>> jose@ietf.org > >>>>>> https://www.ietf.org/mailman/listinfo/jose > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> -- > >>>>>> Nat Sakimura (=nat) > >>>>>> Chairman, OpenID Foundation > >>>>>> http://nat.sakimura.org/ > >>>>>> @_nat_en > >>>>>> > >>>>>> _______________________________________________ > >>>>>> jose mailing list > >>>>>> jose@ietf.org > >>>>>> https://www.ietf.org/mailman/listinfo/jose > >>>>> > >>>>> _______________________________________________ > >>>>> jose mailing list > >>>>> jose@ietf.org > >>>>> https://www.ietf.org/mailman/listinfo/jose > >>>> > >>>> _______________________________________________ > >>>> jose mailing list > >>>> jose@ietf.org > >>>> https://www.ietf.org/mailman/listinfo/jose > >>> > >>> _______________________________________________ > >>> jose mailing list > >>> jose@ietf.org > >>> https://www.ietf.org/mailman/listinfo/jose > >> > > > > > > > _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose
- [jose] Fwd: New Version Notification for draft-ba… Richard L. Barnes
- Re: [jose] Fwd: New Version Notification for draf… Mike Jones
- Re: [jose] Fwd: New Version Notification for draf… Mike Jones
- Re: [jose] Fwd: New Version Notification for draf… Richard L. Barnes
- Re: [jose] Fwd: New Version Notification for draf… Mike Jones
- Re: [jose] Fwd: New Version Notification for draf… Mike Jones
- Re: [jose] Fwd: New Version Notification for draf… Breno de Medeiros
- Re: [jose] Fwd: New Version Notification for draf… Nat Sakimura
- Re: [jose] Fwd: New Version Notification for draf… John Bradley
- Re: [jose] Fwd: New Version Notification for draf… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Breno de Medeiros
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Mike Jones
- Re: [jose] New Version Notification for draft-bar… Nat Sakimura
- Re: [jose] New Version Notification for draft-bar… Brian Campbell
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Brian Campbell
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Mike Jones
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Matt Miller
- [jose] protected attributes Manger, James H
- Re: [jose] protected attributes Richard L. Barnes
- Re: [jose] protected attributes Jim Schaad
- Re: [jose] protected attributes Manger, James H
- Re: [jose] protected attributes Richard L. Barnes
- Re: [jose] protected attributes Manger, James H
- Re: [jose] protected attributes Stephen Kent
- Re: [jose] protected attributes Richard L. Barnes