Re: [jose] Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption-33: (with COMMENT)
Mike Jones <Michael.Jones@microsoft.com> Tue, 14 October 2014 12:51 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D95B1A87CA; Tue, 14 Oct 2014 05:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level:
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id soj4i7rlKTST; Tue, 14 Oct 2014 05:51:54 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0116.outbound.protection.outlook.com [65.55.169.116]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8006D1A87C1; Tue, 14 Oct 2014 05:51:54 -0700 (PDT)
Received: from DM2PR03CA0031.namprd03.prod.outlook.com (10.141.96.30) by BN3PR0301MB1202.namprd03.prod.outlook.com (25.161.207.155) with Microsoft SMTP Server (TLS) id 15.0.1049.19; Tue, 14 Oct 2014 12:51:53 +0000
Received: from BN1AFFO11FD007.protection.gbl (2a01:111:f400:7c10::100) by DM2PR03CA0031.outlook.office365.com (2a01:111:e400:2428::30) with Microsoft SMTP Server (TLS) id 15.0.1049.19 via Frontend Transport; Tue, 14 Oct 2014 12:51:52 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD007.mail.protection.outlook.com (10.58.52.67) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Tue, 14 Oct 2014 12:51:51 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0210.003; Tue, 14 Oct 2014 12:51:13 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Ted Lemon <ted.lemon@nominum.com>, The IESG <iesg@ietf.org>
Thread-Topic: Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption-33: (with COMMENT)
Thread-Index: Ac/nrYd6TsiyQ5y0R0SWyhgjJZG/Ew==
Date: Tue, 14 Oct 2014 12:51:13 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB0D452@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(43784003)(377454003)(52044002)(51704005)(13464003)(199003)(189002)(50466002)(54356999)(76482002)(19580395003)(97736003)(50986999)(120916001)(6806004)(87936001)(44976005)(230783001)(19580405001)(86612001)(26826002)(92566001)(15975445006)(69596002)(68736004)(92726001)(86362001)(4396001)(85306004)(23676002)(33656002)(85852003)(104016003)(55846006)(21056001)(15202345003)(81156004)(77096002)(106466001)(66066001)(84676001)(31966008)(2656002)(85806002)(95666004)(99396003)(46102003)(47776003)(20776003)(80022003)(64706001)(107046002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1202; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1202;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03648EFF89
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/VI8gO8Kg7mPk5YT73eksp17bobw
Cc: "draft-ietf-jose-json-web-encryption@tools.ietf.org" <draft-ietf-jose-json-web-encryption@tools.ietf.org>, "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption-33: (with COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 12:51:57 -0000
No changes have been made as a result of these comments in the -34 draft. If you believe that I've missed something, please feel free to point it out! Thanks again, -- Mike > -----Original Message----- > From: Mike Jones [mailto:Michael.Jones@microsoft.com] > Sent: Monday, October 06, 2014 12:54 AM > To: Ted Lemon; The IESG > Cc: jose-chairs@tools.ietf.org; draft-ietf-jose-json-web- > encryption@tools.ietf.org; jose@ietf.org > Subject: RE: Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption- > 33: (with COMMENT) > > Thanks for your review, Ted. I'm adding the working group to the thread so > they're aware of your comment. > > > -----Original Message----- > > From: Ted Lemon [mailto:ted.lemon@nominum.com] > > Sent: Thursday, October 02, 2014 4:14 AM > > To: The IESG > > Cc: jose-chairs@tools.ietf.org; draft-ietf-jose-json-web- > > encryption@tools.ietf.org > > Subject: Ted Lemon's No Objection on draft-ietf-jose-json-web-encryption-33: > > (with COMMENT) > > > > Ted Lemon has entered the following ballot position for > > draft-ietf-jose-json-web-encryption-33: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut > > this introductory paragraph, however.) > > > > > > Please refer to > > http://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > This question is almost certainly due to my thick-headedness with > > respect to authentication algorithms, but: > > > > 16. Let the Additional Authenticated Data encryption parameter be > > ASCII(Encoded Protected Header). However if a JWE AAD value is > > present (which can only be the case when using the JWE JSON > > Serialization), instead let the Additional Authenticated Data > > encryption parameter be ASCII(Encoded Protected Header || '.' || > > BASE64URL(JWE AAD)). > > > > 17. Decrypt the JWE Ciphertext using the CEK, the JWE Initialization > > Vector, the Additional Authenticated Data value, and the JWE > > Authentication Tag (which is the Authentication Tag input to the > > calculation) using the specified content encryption algorithm, > > returning the decrypted plaintext and validating the JWE > > Authentication Tag in the manner specified for the algorithm, > > rejecting the input without emitting any decrypted output if the > > JWE Authentication Tag is incorrect. > > > > How does it make sense for the AAD encryption parameter to consist of > > ASCII and BASE64 text? How would a decryption algorithm use this? I > > know nothing about AAD parameters in encryption algorithms, so I > > realize this is probably a very naive question. > > When doing authenticated encryption, an Additional Authenticated Data > parameter can be included that will be integrity-protected as part of the > authenticated encryption operation. This means that if it is tampered with, the > decryption will fail. > > JWE uses this authenticated encryption feature to integrity-protect some header > fields. It also makes this feature available to applications using the JWE JSON > Serialization. > > Answering your specific question, all of these three values are strings consisting > of ASCII characters, so their concatenation is also a string consisting of ASCII > characters: > ASCII(Encoded Protected Header) > '.' > BASE64URL(JWE AAD)) > > The "ASCII(...)" around the string denotes that the string is to be represented in a > sequence of ASCII octets (rather than, for instance, a series of UTF-32 octets, > which would be four times as long). > > Best wishes, > -- Mike