Re: [jose] json-web-encryption -02 comments

[Mike Jones <Michael.Jones@microsoft.com>]

[mbj2] Replies inline...

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Wednesday, July 18, 2012 7:48 PM
To: Mike Jones; jose@ietf.org
Subject: RE: json-web-encryption -02 comments


From: Mike Jones [mailto:Michael.Jones@microsoft.com]<mailto:[mailto:Michael.Jones@microsoft.com]>
Sent: Wednesday, July 18, 2012 8:44 AM
To: Jim Schaad; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: json-web-encryption -02 comments

Replies inline...

From: Jim Schaad [mailto:ietf@augustcellars.com]<mailto:[mailto:ietf@augustcellars.com]>
Sent: Monday, July 16, 2012 6:30 PM
To: Mike Jones; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: json-web-encryption -02 comments

In section 4 -
There is an interesting question about the following:
{ alg:"none", enc:"AES128GCM" }

This returns different results depending on which test you are using for determining if the header is a JWE or a JWS.  This belies the last sentence in paragraph #2.

Your example is an invalid input - either invalid as a JWS because it includes the extra "enc" member or invalid as a JWE because "none" is not a valid encryption method.  In either case, the input MUST be rejected.

[JLS2] It is not clear to me that this is a correct statement.  My implementation does understand both alg and enc - I don't see anything that says they must occur only in the correct contexts.  This is also going to be effected by the discussion of permit or deny for unknown headers that is being discussed elsewhere.

[mbj2] Fair enough - I'll make this more explicit so that it's clear that for a JWS only JWS fields must be used and similarly for JWE.  Actually, your example provides good support for the current position that not-understood values must be rejected.

The sentence you are referring to reads:  "Both methods will yield the same result."  I will change this to "Both methods will yield the same result for all valid inputs."

[JLS2] So you are comfortable with the fact that different implementations may respond with different error messages based on how they go about doing the checking of what the structure is going to be.  - Specifically if they think that a signed or an encrypted message is going to come first.

[mbj2] Yes.  First, we're not specifying error messages - only accept/reject behaviors.  And whether the implementation uses "alg":"none" to start JWS processing and rejects the input because of the invalid "enc" member or whether it uses the presence of the "enc" member to start JWE processing and rejects the input because of the invalid "alg" value, the result is still the same - rejecting the input.

(By the way, I suspect you were thinking of the example above in the context of enabling the option of direct symmetric encryption without using a CMK, per Open Issue 6 in JWA, which is good. :)  I plan to make a proposal on syntax for that later today.)

In Section 4.1.1

It is stated that the value of "alg" is case sensitive.  It is stated that it may be a URI.  URIs say that there may be case insensitive portions of the URI value.  This needs to be reconciled.

The intent is still that these fields be compared in a case sensitive manner.  These are not URIs you dereference - they are URIs used as identifiers.  We could add text something to the effect of "When a StringOrURI value is a URI and the URI scheme includes portions that are matched in a case insensitive manner, this specification requires those portions of the URI be expressed using only lowercase characters, so a case-sensitive equality test will be effective."  I'd add similar text to the registry instructions for these fields as well.  Does that clarification work for you?

[JLS2] by itself it does not deal with all of the possible issues.  I don't think it matters that they are for de-reference or not.  The issue is the same in all cases.  However besides the issue of case, there are also questions on using quoting characters, equivalent characters, utf8 encoding, I don't know if there is a problem with doing canonicalization of order of composite characters or not.

[mbj2] I'll clarify this then to indicate that comparison is to be done on the values provided as-is, with no escape processing or canonicalization performed of any kind (other than the escape processing involved in parsing the JSON string itself).

Thanks again for helping to clarify the specs.

                                                          -- Mike

                                                            -- Mike

From: Mike Jones [mailto:Michael.Jones@microsoft.com]<mailto:[mailto:Michael.Jones@microsoft.com]>
Sent: Friday, July 06, 2012 11:13 AM
To: Jim Schaad; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: json-web-encryption -02 comments


Thanks once again.  Responses inline...



-----Original Message-----
From: Jim Schaad [mailto:ietf@augustcellars.com]<mailto:[mailto:ietf@augustcellars.com]>
Sent: Thursday, June 07, 2012 11:56 AM
To: jose@ietf.org<mailto:jose@ietf.org>; draft-ietf-jose-json-web-encryption@tools.ietf.org<mailto:draft-ietf-jose-json-web-encryption@tools.ietf.org>
Subject: json-web-encryption -02 comments



Introduction



1.  I would separate the introduction into two paragraphs.  One to address the general encryption issue and one to address the compact serialization issues.  This will allow for an easier addition/removal to deal with other serialization issues.



I'm somewhat confused by this comment, as the introduction doesn't discuss serialization.  That concept isn't introduced until the "JWE Compact Serialization" term definition in Section 2 and the presentation of the compact serialization in Section 3.



[JLS] And I am suggesting that the introduction SHOULD address the fact that a serialization method is presented in this document.  The process of encryption and the process of serialization are separate things and both are covered in this document.  This should be documented in the abstract.



This should also be picked up in the abstract as well.



2.  I find sentence #2 confusing since this document is defining how to do the encryption process so we are not really dealing with pre-encrypted content which is what this appears to me to say.



Like JWS, this sentence has been clarified to:  It represents this content using JavaScript Object Notation (JSON) <xref target="RFC4627"/> data structures.



[JLS] I think that I find the concept that it represents the content as JSON to be weird, since the final formatting is actually dotted notation if you are looking at the "compact encryption format" that was covered in this document.



3.  What do you mean by the type of content being encrypted?  This could either mean the format of the content (i.e. JSON vs Mime) or the type of content (i.e. a JSON token vs a JSON signature object).



This now reads:  The JWE cryptographic mechanisms encrypt and provide integrity protection for arbitrary sequences of bytes.



[JLS] I find this confusing.  A MAC also provides integrity protection and that is in a different document.





Section 3



1.  Simple clarity s/confidentiality of the contents of the Plaintext/confidentiality of the Plaintext/



Done



Section 4 - JWE Header



1.  Do we think parsers can enforce the uniqueness requirement?



See my response in the JWK comments



2.  What does it mean to reject a JWE?  Should it decrypt and say it is a bad decrypt or should it fail to decrypt?



It should return an error and return no decrypted data



[JLS] This response would eliminate that ability to do a stream based decode.  That would return decrypted data and then return the error.



Section 4.1.1



1.  You should be constant about what  you call the encryption key, master key or JWE Encrypted key.  A search and replace should be done to make them constant.



Now using the term Content Master Key (CMK) here.  Note that the Content Encryption Key (CMK) is distinct from (and derived from) the CMK.



2.  Refer to the registry not to the document for the list of algorithms.



Moved the document reference to be adjacent to the registry reference, saying that both apply



Section 4.1.2



1. See comment 2 above



Ditto



2.  the encryption algorithm is not used to secure the cipher text.  It is used to produce the cipher text



Corrected



3.  Why does the enc algorithm not require the existence of a key for it's use?



Because the CEK is derived from the CMK, and so always exists



[JLS] and how is that key known?  Is a wrapped key always required in this case.



Section 4.1.4





2.  The presence of this parameter MUST be specified for all content encryption algorithms.



It is, in JWA.  Also clarified that it is REQUIRED with some "enc" algorithms.



Section 4.1.5



1.  See comment 2 above - alternate language would be say MUST be absent unless otherwise specified by the algorithm.



It is, in JWA.  Also clarified that it is REQUIRED with some "alg" algorithms.



[JLS] Then I assume that the following is legal

{ alg:"RSA1_5", epk:{...}, ...}



2.  epk should talk about key agreement algorithms not a specific algorithm.



Done



3.  Content of the key should be specified by the algorithm and not by this document.



Done



Section 4.1.6



1.  Should specify the use the "alg" registry for the zip parameter (in case a new one comes into existence) and this algorithm should be registered as the only algorithm.



This could be done, but it is counter to an explicit working group decision to support only one compression algorithm.  I'd be glad to do this if the WG decides to open the door to the possibility of additional algorithms.



[JLS]  I do not feel that this means that it should not be registered.  It merely means that we will only register one, and we will make the bar very high for the ability to register a second one.  Otherwise this should be a Boolean with a value of true.  It either is or is not compressed.



Section 4.1.7



1.  Should make clear that this is the way of identifying what private key is needed to decrypt the content.



Added: this can be used to determine the private key needed to decrypt the JWE



2.  Should this be used?  It implies that the decryptor needs to do the

following:

a) Get the keys

b) For each key -

   i) Do I have the private key for this?

   ii) Does it match the algorithm?

   iii) Does it work?

c) if no function keys found then ---???



Also, the decryptor might use "kid" and/or "use" parameters for deciding which key(s) to use.  Obviously, if no applicable key can be located, the decryption will fail.



Section 4.1.8



1.  See comment 1 above.



Ditto



Section 4.1.9



1.  I would eliminate the (implicit) requirement that the certificate be validated before decryption.  There is no reason that a client should not be able to decrypt a message to themselves if their certificate has been revoked or is expired.  This is just a requirement at send time.



What do others in the working group think of potentially relaxing this requirement?  If we do relax it, what alternative language should be used?



Section 4.1.11



1.  I don't understand the format used here.  The data could be either encoded as a string or an array of strings or something else that is a concatenated string form.



I've added an example to clarify this.  See http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-03#appendix-B



[JLS] That is nice that you have added an example.  However this does not mean that the text should not be clarified.  I think that you really want to say that this field is an array of strings, each element in the array being a base64url encoded certificate.  The certificates are ordered such that certificate i is issued by certificate i+1.



Is it legal for a partial chain to be presented or must the full chain always be presented?



Is there a reason that you are not just using the PEM encoding in this location as well?



If there is a requirement for having a chain of certificates in this location, why is there not a requirement for having an array of certificates in the x5t case?



As a recipient I should never need more than the EE certificate in order to map from a public key to a private key.   Other than letting me know what the chain was that the sender used to validate my certificate, I don't know what the reasoning behind sending the chain would be.



2.  Why is this not base64url encoded given that all other locations are?



So we're using a standard encoding for certificate chains



[JLS] A standard encoding would be using the PEM string or using a CMS certs only.   Changing the base64url to remove trailing characters is not really an issue.   Unless the new JavaScript CryptoAPIs (as an example) take a base64 encoded certificate as input the user code is going to deal with the encoding/decoding question anyway.



3. See comment 1 above



Ditto



Section 4.1.12



1.  This is so underspecified that I would know how to go about using it.

Any code that I wrote would therefore ignore it.



Added:     When used with a JWK, the "kid" value MAY be used to match a JWK "kid" parameter value.



[JLS] This does nothing to change my statement above.  In fact it enforces it.



Section 4.1.13



1.  The list of possible typ values should apparently include the mime registry as well.  This is neither in the value registry (which should probably be setup to avoid collisions with mime types) or a URI.



See the new Section 7.2 in JWS



[JLS] I do not believe that mime types and subtypes are case insensitive values in MIME itself.  This needs to be resolved.



Section 4.2



1.  Should re-iterate the "if you don't know it then reject it" sentence here - it has been a long time since we have seen it.



(Ditto for section 4.3)



I understand why you're saying this, but we did say "Implementations MUST understand the entire contents of the header; otherwise, the JWE MUST be rejected" in the enclosing section introduction (Section 4), so I'm reluctant to repeat it in 4.2 and especially reluctant to repeat it again so soon in 4.3.



Section 5



1.  I disagree with the concept of using a key agree algorithm to create the

CMK.   Look at CMS to see how they handle key agree algorithms to create a

key wrap key



The key wrap key is unnecessary, as far as I can tell, at least when there's a single recipient.  It results in an additional encryption step that seems to me to add no additional security.



However, per James Manger's note and my response to it, I do understand that value of having a CMK in the multiple recipients case.  I've added this topic to the list of open issues for the working group to discuss.



2.  In step 8 - when did you create the encoded JWE header?



In step 9. :-)  Yes, I'd already seen this and fixed it.



3.  Separate the serialization format from the encryption algorithm.  This may just affect step 14.



Done



4.  Note previous discussion on only documenting AEAD algorithms



I'm not sure what change you're asking for here?



[JLS] I am asking that there only be one set of steps for doing this, and it is for AEAD algorithms.



Section 6



1.  Separate serialization from message decryption.  If alternate serializations are used then step 1 fails.



Done



2.  Note that you have imposed some additional restrictions on the JSE header in step three - specifically that no duplicate fields exist.  This is not in the decryption process.



It's input validation for the decryption process, just like step 2 was



Section 7



1.  If you are using the NIST KDF function, then the length of the output key should really be included in the OtherInfo



Again, per my earlier responses to you and Sean on this topic from your JWA comments, since the CMK is randomly generated for each encryption, I believe that the additional parameters add no security value.  Adding a key length would only make sense if we were going to use this same CMK to generate other keys using the same Label ("Encryption" or "Integrity") but with a different key length.  But we never will, so I believe that the parameter is superfluous.



Section 8.1



1.  Refer to the registry not to the document (ditto for section 8.2)



Done



Section 11.1



1.  Should there be an optional parameter which describes which serialization method is being used?



This could be introduced if the working group adopts a second serialization method, such as the JSON Serialization defined in draft-jones-json-web-encryption-json-serialization, or one of the other candidates.  However, a better approach might be to define a different media type value, such as application/jwe-js for the different serialization.



Of course, if we have a pure JSON serialization, one could argue for just using the application/json media type.



2.  Check with IANA if you or the IESG should be listed under the contact section.



Will do