Re: [jose] Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption-33: (with COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Tue, 14 October 2014 12:51 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D95B1A87CA; Tue, 14 Oct 2014 05:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level:
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id soj4i7rlKTST; Tue, 14 Oct 2014 05:51:54 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0116.outbound.protection.outlook.com [65.55.169.116]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8006D1A87C1; Tue, 14 Oct 2014 05:51:54 -0700 (PDT)
Received: from DM2PR03CA0031.namprd03.prod.outlook.com (10.141.96.30) by BN3PR0301MB1202.namprd03.prod.outlook.com (25.161.207.155) with Microsoft SMTP Server (TLS) id 15.0.1049.19; Tue, 14 Oct 2014 12:51:53 +0000
Received: from BN1AFFO11FD007.protection.gbl (2a01:111:f400:7c10::100) by DM2PR03CA0031.outlook.office365.com (2a01:111:e400:2428::30) with Microsoft SMTP Server (TLS) id 15.0.1049.19 via Frontend Transport; Tue, 14 Oct 2014 12:51:52 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD007.mail.protection.outlook.com (10.58.52.67) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Tue, 14 Oct 2014 12:51:51 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0210.003; Tue, 14 Oct 2014 12:51:13 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Ted Lemon <ted.lemon@nominum.com>, The IESG <iesg@ietf.org>
Thread-Topic: Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption-33: (with COMMENT)
Thread-Index: Ac/nrYd6TsiyQ5y0R0SWyhgjJZG/Ew==
Date: Tue, 14 Oct 2014 12:51:13 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB0D452@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(43784003)(377454003)(52044002)(51704005)(13464003)(199003)(189002)(50466002)(54356999)(76482002)(19580395003)(97736003)(50986999)(120916001)(6806004)(87936001)(44976005)(230783001)(19580405001)(86612001)(26826002)(92566001)(15975445006)(69596002)(68736004)(92726001)(86362001)(4396001)(85306004)(23676002)(33656002)(85852003)(104016003)(55846006)(21056001)(15202345003)(81156004)(77096002)(106466001)(66066001)(84676001)(31966008)(2656002)(85806002)(95666004)(99396003)(46102003)(47776003)(20776003)(80022003)(64706001)(107046002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1202; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1202;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03648EFF89
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/VI8gO8Kg7mPk5YT73eksp17bobw
Cc: "draft-ietf-jose-json-web-encryption@tools.ietf.org" <draft-ietf-jose-json-web-encryption@tools.ietf.org>, "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption-33: (with COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 12:51:57 -0000

No changes have been made as a result of these comments in the -34 draft.  If you believe that I've missed something, please feel free to point it out!

				Thanks again,
				-- Mike

> -----Original Message-----
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Monday, October 06, 2014 12:54 AM
> To: Ted Lemon; The IESG
> Cc: jose-chairs@tools.ietf.org; draft-ietf-jose-json-web-
> encryption@tools.ietf.org; jose@ietf.org
> Subject: RE: Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption-
> 33: (with COMMENT)
> 
> Thanks for your review, Ted.  I'm adding the working group to the thread so
> they're aware of your comment.
> 
> > -----Original Message-----
> > From: Ted Lemon [mailto:ted.lemon@nominum.com]
> > Sent: Thursday, October 02, 2014 4:14 AM
> > To: The IESG
> > Cc: jose-chairs@tools.ietf.org; draft-ietf-jose-json-web-
> > encryption@tools.ietf.org
> > Subject: Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption-33:
> > (with COMMENT)
> >
> > Ted Lemon has entered the following ballot position for
> > draft-ietf-jose-json-web-encryption-33: No Objection
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> >
> > Please refer to
> > http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption/
> >
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > This question is almost certainly due to my thick-headedness with
> > respect to authentication algorithms, but:
> >
> >    16.  Let the Additional Authenticated Data encryption parameter be
> >         ASCII(Encoded Protected Header).  However if a JWE AAD value is
> >         present (which can only be the case when using the JWE JSON
> >         Serialization), instead let the Additional Authenticated Data
> >         encryption parameter be ASCII(Encoded Protected Header || '.' ||
> >         BASE64URL(JWE AAD)).
> >
> >    17.  Decrypt the JWE Ciphertext using the CEK, the JWE Initialization
> >         Vector, the Additional Authenticated Data value, and the JWE
> >         Authentication Tag (which is the Authentication Tag input to the
> >         calculation) using the specified content encryption algorithm,
> >         returning the decrypted plaintext and validating the JWE
> >         Authentication Tag in the manner specified for the algorithm,
> >         rejecting the input without emitting any decrypted output if the
> >         JWE Authentication Tag is incorrect.
> >
> > How does it make sense for the AAD encryption parameter to consist of
> > ASCII and BASE64 text?  How would a decryption algorithm use this?   I
> > know nothing about AAD parameters in encryption algorithms, so I
> > realize this is probably a very naive question.
> 
> When doing authenticated encryption, an Additional Authenticated Data
> parameter can be included that will be integrity-protected as part of the
> authenticated encryption operation.  This means that if it is tampered with, the
> decryption will fail.
> 
> JWE uses this authenticated encryption feature to integrity-protect some header
> fields.  It also makes this feature available to applications using the JWE JSON
> Serialization.
> 
> Answering your specific question, all of these three values are strings consisting
> of ASCII characters, so their concatenation is also a string consisting of ASCII
> characters:
>     ASCII(Encoded Protected Header)
>     '.'
>     BASE64URL(JWE AAD))
> 
> The "ASCII(...)" around the string denotes that the string is to be represented in a
> sequence of ASCII octets (rather than, for instance, a series of UTF-32 octets,
> which would be four times as long).
> 
> 					Best wishes,
> 					-- Mike