[jose] Re: Do you need the JWP JSON Serialization?

Orie Steele <orie@transmute.industries> Thu, 08 August 2024 22:34 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5625C15199B for <jose@ietfa.amsl.com>; Thu, 8 Aug 2024 15:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qd6Dk4iTTzFp for <jose@ietfa.amsl.com>; Thu, 8 Aug 2024 15:34:03 -0700 (PDT)
Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58D2AC15199A for <jose@ietf.org>; Thu, 8 Aug 2024 15:34:03 -0700 (PDT)
Received: by mail-pj1-x102c.google.com with SMTP id 98e67ed59e1d1-2cb576db1c5so1184615a91.1 for <jose@ietf.org>; Thu, 08 Aug 2024 15:34:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1723156443; x=1723761243; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fOoQLxC0/O5n1q68dj/l48MycbVky/Q3NIuARRCrFxc=; b=KLyXMSYtu8hSQYjmk2Y3BNSUCG6YcZvHz6/rGpGp9h7nnpxMsdZM2nYMXnUaoiWweW 9X90Mr+rg/HMx/wXaOZfPimqfHLPm3BumhDtHA67rrUPN2Y+o84QpWGkqJiEogc9Chek x7C+cgKX6dErQY42uHY9dwYTHz4d9kN79coM3dYABgDojwm486QMXxHSlel3xMDc3gs5 F12FTJzsOKjBH7UU127BLK8Spg4ixzZdwqSbFDQEQ7l0Sw8aX5oJa557X4XGee1GN1a+ isgpKxxK9+L/aMVSbqrwPRFcM9NLgMCVIgVjfY+fLARdKUU8UAUrGzYVb4XbqEcVuKrW eAJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723156443; x=1723761243; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fOoQLxC0/O5n1q68dj/l48MycbVky/Q3NIuARRCrFxc=; b=MjXC0/2vBmzROYiqUfFPyAOtKZn8NDcmVTzkrwWg6i8UfQBTClf6hmmWg/ArUbTvw1 8Iq1IlJMw2QkneEJEbJgVgr0lvgo+rP/W3Gt2I4LUn3PVEkbst86E01IjoJbz+JyPq2P HVDEjVzKhFrPTglyEgwQV/0jNHW2pXTwxFK14XmgMy1jDnVxgR3Uz7JaNt2k6YVFVElp PXDa3i0wv84jEfAB9fniuCUwDW579DRTHXNPRNqjnYKaWhTH5y4Omh8e+WCyDx1p/k2s JH5pXKuE0KpGjCErD7nvmRmnkeB7loRRjwHPs4PD4QVm9FbQtxfC6sqSh+DLL85XwcFq Xa9g==
X-Forwarded-Encrypted: i=1; AJvYcCX3yKl7uCnHuS2Wuld4sE9LU86FIuZb6062a7HDR8jhEU+SFJ2K+sg6tl5eEfghbq2uqgfkn7HeBXadXIok
X-Gm-Message-State: AOJu0Ywuwk6fI9J0tfKjWEpDzRqCXDov1a4GoiCabSN1bO6KUlMvw1Tk /vqVkiUXBOUTziVKCxhdmAFIIT2IlyMJAYavf4jdzYHnPjBTxfRWNNU2S1RvQE376vZQ8RGtIbg ReeeKPqm3b0PTpKvwcuyZ3wrt/ShSZyPioQtT8Q==
X-Google-Smtp-Source: AGHT+IHxltzo82d5nJZFqFJX/pd+NQpySAXR/bQshdU9u8V/XNtkDXNTD8CP4f0n5GrY07DpJ1XggLXv5sEUMo0YDpY=
X-Received: by 2002:a17:90a:1141:b0:2c9:69cc:3a6a with SMTP id 98e67ed59e1d1-2d1c3374e46mr3972357a91.3.1723156442576; Thu, 08 Aug 2024 15:34:02 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_L4P=stFigYkoKG9-qEukRFA+2MWnjcYuqGrUCzMGoEaA@mail.gmail.com> <53F74ECC-7317-43F7-BDA3-C2B6FBB1CB2D@gmail.com>
In-Reply-To: <53F74ECC-7317-43F7-BDA3-C2B6FBB1CB2D@gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 08 Aug 2024 17:33:51 -0500
Message-ID: <CAN8C-_JeE=RCsw4VhMT85DOVwyxvs4PCDHWQOOh-WENVt=CbPg@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000a71bd1061f339fa1"
Message-ID-Hash: DX5YFMLUV6NGS5XYL6L4MJNGAS6VEOJU
X-Message-ID-Hash: DX5YFMLUV6NGS5XYL6L4MJNGAS6VEOJU
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Brian Campbell <bcampbell@pingidentity.com>, jose@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: Do you need the JWP JSON Serialization?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/TpqP0u9Wvk3hrPQua2AqYwuwxts>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

On Thu, Aug 8, 2024 at 3:26 PM Neil Madden <neil.e.madden@gmail.com> wrote:

>
>
> On 8 Aug 2024, at 20:44, Orie Steele <orie@transmute.industries> wrote:
>
> 
> That only applies to "SD-JWT+KB"
>
>
> I don’t think so, otherwise SD-JWT would not be secure. The signature
> covers the claims, which includes the hashes of all the disclosures. Thus
> the disclosures are all protected (cannot be altered/forged) and immutable.
>

In SD-JWT (without +KB) the Issuer's signature covers the claims which
include hashes of the disclosures, that is true.

The order of ~ separated stuff is not secured ... because that stuff is not
included in the claims.
There could also be extra stuff that appears to be disclosures, but is
actually not in the issuer SD-JWT.
See:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-5.3.1


>
> [..]
>
> Unless I am mistaken, there is no ordering requirement for the SD-JWT
> without key binding, so the disclosures are mutable, until the holder makes
> them immutable by applying key binding:
>
>
> They are an unordered set, so this “mutability” is irrelevant.
>

Exactly, they are unordered, and unsecured (they are outside of the JWT).

See
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-8.1

"""
If any digest value is encountered more than once in the Issuer-signed JWT
payload (directly or recursively via other Disclosures), the SD-JWT MUST be
rejected.
If any Disclosure was not referenced by digest value in the Issuer-signed
JWT (directly or recursively via other Disclosures), the SD-JWT MUST be
rejected.
"""

This means it is possible for an adversary to cause an SD-JWT without key
binding to be rejected, by dropping or adding properties... in between the
issuer and the holder, before the key binding token is even possible to
produce.

The only way to know if this is the case as a holder is to perform the
validation steps in 8.1 on the issuer signed SD-JWT (without KB) before
considering attempting to use it.
This property is ensured by: "The Holder or the Verifier MUST perform the
following (or equivalent) steps when receiving an SD-JWT..."

See:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-9.3

"""
In case of the General JSON Serialization, there are multiple unprotected
headers (one per signature). If present, disclosures and kb_jwt, MUST be
included in the first unprotected header and MUST NOT be present in any
following unprotected headers.
"""

In SD-JWT JSON Serialization, disclosures and kbt are transmitted in
unprotected headers... You need to process them carefully as described in
section 8.1, in order to be assured that they have not been tampered with.
In SD-JWT Compact serialization, disclosures and kbt are transmitted as
concatenated strings... You need to process them carefully as described in
section 8.1, in order to be assured that they have not been tampered with.

The major difference between these 2 approaches is that there is no ability
to include "other" unprotected material in the jwp compact serialization...
this property is unique to JOSE compact serializations, because they cannot
express unprotected headers.
COSE / CWP will not have this problem... assuming it follows conventions.

I think JOSE / JWP would be improved if support for unprotected headers was
consistent in both compact and json.



>
> […]
>
>
> OS
>
>
> On Thu, Aug 8, 2024 at 2:20 PM Neil Madden <neil.e.madden@gmail.com>
> wrote:
>
>> Maybe I’m missing something, but all of the disclosures are covered by
>> the SD-JWT signature and so (a) are protected, and are (b) immutable.
>>
>> — Neil
>>
>> On 8 Aug 2024, at 19:18, Orie Steele <orie@transmute.industries> wrote:
>>
>> That's fair : )
>>
>> Let's replace "suspicion" with "I would have argued for a different
>> design".
>>
>> In JOSE, ~ is just used as a placeholder for "missing unprotected header".
>>
>> You still need to validate that the correct mutable data was included,
>> and that no "unexpected mutable data" was included.
>>
>> That's a "verifier policy over mutable data".
>>
>> In the context of SD-JWT that means checking disclosures, matching their
>> hash to the kbt and making sure the kbt is signed by the cnf.
>>
>> That is very similar to the kind of unprotected header processing that
>> COSE supports, see:
>>
>> https://www.rfc-editor.org/rfc/rfc9338.html#section-2
>>
>> Sure maybe it's less obvious that jwt (cnf) -> disclosures -> hash -> kbt
>> signed by cnf is a kind of counter signature.
>>
>> But it is a second signature, over a specific set of disclosures that is
>> grouped together with the first signature, which are verified together.
>>
>>
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-9.1
>>
>> """
>> Unprotected headers other than disclosures are not covered by the digest,
>> and therefore, as usual, are not protected against tampering.
>> """
>>
>> This is similar to how values in unprotected headers in COSE are not
>> protected, unless there is some "verification process" such as checking a
>> counter signature, or merkle tree inclusion proof.
>>
>> Isn't JWP meant to replace SD-JWT in some cases that require stronger
>> unlinkability?
>>
>> IIRC SD-JWT and OAUTH had good reasons to define a JSON Serialization,
>> and if it's used, those users should be able to switch to JWP or CWP in the
>> future.
>>
>> OS
>>
>>
>>
>>
>>
>> On Thu, Aug 8, 2024 at 12:33 PM Brian Campbell <
>> bcampbell@pingidentity.com> wrote:
>>
>>>
>>>
>>> On Thu, Aug 8, 2024 at 11:27 AM Orie Steele <orie@transmute.industries>
>>> wrote:
>>>  <snip>
>>>
>>>>
>>>> If JWTs had unprotected headers, I suspect SD-JWT would have used them
>>>> for the mutable part (disclosures).
>>>>
>>>
>>> That suspicion is entirely incorrect.
>>>
>>> <snip>
>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>
>>
>>
>> --
>>
>> ORIE STEELE
>> Chief Technology Officer
>> www.transmute.industries
>> <https://transmute.industries/>
>> _______________________________________________
>> jose mailing list -- jose@ietf.org
>> To unsubscribe send an email to jose-leave@ietf.org
>>
>>
>>
>
> --
>
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
>
> <https://transmute.industries>
>
>

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>