[jose] Re: draft-ietf-jose-hpke-encrypt-01

Les Hazlewood <lhazlewood@gmail.com> Tue, 09 July 2024 18:11 UTC

Return-Path: <lhazlewood@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF373C14F6A8 for <jose@ietfa.amsl.com>; Tue, 9 Jul 2024 11:11:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p1I6NgIHy_nh for <jose@ietfa.amsl.com>; Tue, 9 Jul 2024 11:11:31 -0700 (PDT)
Received: from mail-yw1-x112e.google.com (mail-yw1-x112e.google.com [IPv6:2607:f8b0:4864:20::112e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C257C14F698 for <jose@ietf.org>; Tue, 9 Jul 2024 11:11:31 -0700 (PDT)
Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-6561850a7bcso28687947b3.3 for <jose@ietf.org>; Tue, 09 Jul 2024 11:11:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720548690; x=1721153490; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ZT5vicU0PHlshu+1SMG+locJ3dxikG9CaaNJDRX6pLA=; b=czxFhSb9R8WnQQmi5KJzvc9RX13EdPHsuvZoUI0RhPIwpoDmixSxNpoFlDm3oMBvoY /AazE5I219qPb+Bfc0jbyeUWkanvWU3yN8eu2yide6EOIj9zfwJC7e5RAsWslq9DVAhi i3HyvohoSrTBIjG9Fun+pceD6Adqi+0f5TdoD8dqbez3I2rSeotkn1Kms6bTJm4CpgSj +smKvzuRO+y2jSAvaiNa5TwnRAtD0yrnXf+TmjxwBu9czecePKRUgiP6poIWGiO4aC67 eWUAgkPsSR3XtOser93K/WVhk/7j+X5cbZH9iA+TTctLyBVuimdykiPFf1FEbsF0HCKD 7iNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720548690; x=1721153490; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ZT5vicU0PHlshu+1SMG+locJ3dxikG9CaaNJDRX6pLA=; b=VfLJBj5MFYlI0HRYAlOYpZwIj8MYnd+Avdo0zULr4k/hl7boT2VbQ6ODZuTZtB7uQq 2F5oLPEPR3PWAaFqgoi7I3md/bWIr/dxzrdOvuWawWoethbeNJThW0wWQnTcL+RflwK1 RbXM5sXhM71cZ9vk0GycqWDOqMod20Ab0UyHvVXcoWa1Q3MoKiHIGW9srp4NsOFlB6KL J44uKgSALsHr2JIYq/yHFQ7wdlcD4Pkf/hANCpvAK7H0wEniEY3pH8T8D+j4uGSBaN3K wdkvf1FPkNV4YEhREWN+BvONbDhd7dTefDoOOSKEHe4fcwnM7n1CdBHToUMcP6Wwuux3 LmNA==
X-Gm-Message-State: AOJu0Yxus7Ppyfj7qRFx1RptQkqImXMbH7na8NzBKFAqD4jvaPOdadv1 X/5ByoleZ991jFMa1rzh3pEWAmu4LwKBMr6CbBzp4y/b0bwzaNO1tz2kQVdCMKMJdSZOdFJgFV2 9klnBindYCd2QcBb6srzeX1qEMrtEj7tb
X-Google-Smtp-Source: AGHT+IG+H8Ejr0FaYq3AmBTksri4sBSVxLcgBnBul1kq4qJ8Lu6j8Eb9jbjoPn8DN2j7BsoHgqyrwybqpM+3bDo7N2s=
X-Received: by 2002:a81:8d4d:0:b0:643:bbee:be26 with SMTP id 00721157ae682-658ee790b76mr38449107b3.5.1720548690221; Tue, 09 Jul 2024 11:11:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com> <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com> <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com> <CAN8C-_JyHsr07FcTMwA01+QTkzjxxqvv0fNpFthytSyyP+MgKQ@mail.gmail.com> <Zo1d2jNRtAjCGC4N@LK-Perkele-VII2.locald>
In-Reply-To: <Zo1d2jNRtAjCGC4N@LK-Perkele-VII2.locald>
From: Les Hazlewood <lhazlewood@gmail.com>
Date: Tue, 09 Jul 2024 11:11:19 -0700
Message-ID: <CACVbtYPOvYCQN85MAbEJJrnU-Hjz2dC3PKgfUfD2M3oDbaVspg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="0000000000007fe5df061cd475f2"
Message-ID-Hash: 7BCZLNJG4GS5XFWWLL7XINADKC7NRU4Z
X-Message-ID-Hash: 7BCZLNJG4GS5XFWWLL7XINADKC7NRU4Z
X-MailFrom: lhazlewood@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: JOSE WG <jose@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/VeKzS8IT0sJxtxjrWvKAhosrgYo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

>
> This is also prohibited by draft-ietf-jose-fully-specified-algorithms
> (It requires what alg to be independent of enc).
>

Hi Illari,


Thanks for the explanation, I appreciate it.


However, I think this is a huge mistake.


The entire purpose of JOSE is to have a JSON-compatible metadata format for
message sending and receiving; with all the flexibility, convenience,
expressiveness and human-readability that implies, which is a really good
thing, and solidifies the ability to be flexible over time, which is ideal
for an RFC.


But then to have a new specification that constrains the most important
security aspect of this down to a single string?  For a few downstream
specifications that don’t represent the bulk of JOSE/JWT use cases?


It’s saying “all the reasons we’ve chosen JOSE headers parameters, and all
that implies - we’re going to ignore that and force-stuff it all into a
single value for the convenience of *some* downstream specifications, all
the while imposing this new inconvenient reality on ALL JOSE/JWT scenarios.”


Respectfully, this is incredibly regressive.  Data models *should* reflect
the best-case modeling scenario, with rich expression, modularity, etc.  If
a new “single string alg” concept needs to exist for downstream
specifications and/or convenience, *those* specification working groups
should define such and not impose this on the JOSE/COSE specifications at
large.  It’s crippling and will forever impact how any algorithms and their
potential parameters are defined in the future, and just doesn't make sense
to be forced on a general-purpose messaging format.


Additionally, such an initiative breaks the concepts of `alg` and `enc` as
they are defined today.  They are and always have been separate
concepts.  `alg`
is a *key* management algorithm, it is not an encryption algorithm.  That
HPKE is composed of both operations isn’t a reason to force it into the
existing `alg` construct - that's trying to do too much and force things
that don’t make sense in a single header parameter that has been
well-defined for a decade.


Any new specification that defines a single string cipher suite definition
should be *additive*, not regressive.  A new header could be defined (e.g.
`csuite`) and that can have that string for the times when it may be needed.
Although anecdotal, I will say that not once in 10 years of maintaining
probably the most-used JOSE/JWT library for the JVM and Android has anyone
ever had a problem with separate `alg` and `enc` headers, and that includes
all the OpenID Connect scenarios I’ve supported both professionally and as
an open-source maintainer.


Or if a new header isn’t desired, there’s no reason an additive
specification can’t say “If you want a single string, combine the `alg` and
`enc` header with a hyphen, and that’s your cipher suite”.   To say that an
implementation - which *must* parse the JSON header and lookup at least one
parameter (`alg`) anyway - cannot lookup another header and concatenate the
two before processing that value doesn’t seem to hold water in any scenario
I can think of.  That’s all that’s needed for cipher suite negotiation for
protocols that need a single string.


I’m not saying that cipher suite negotiation isn’t valuable.  I’m saying
it’s 1) only valuable to a relatively small set of use cases and 2) is
easily obtainable by looking at existing headers and 3) it’s fundamentally
regressive to a) shoehorn a new composite algorithm into a header that was
never designed as such and b) force *all* JOSE implementations to operate
with this concept when it’s not needed most of the time.


Implementations do not need to be forced this concept on a general-purpose
messaging format which has many more implications than OpenID Connect and a
few other downstream specifications.


Most respectfully, and gratefully,


Les