[jose] Re: Do you need the JWP JSON Serialization?

Orie Steele <orie@transmute.industries> Thu, 08 August 2024 19:44 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D132C151996 for <jose@ietfa.amsl.com>; Thu, 8 Aug 2024 12:44:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ILR3prUpw6Ju for <jose@ietfa.amsl.com>; Thu, 8 Aug 2024 12:44:22 -0700 (PDT)
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B31D1C16940F for <jose@ietf.org>; Thu, 8 Aug 2024 12:44:22 -0700 (PDT)
Received: by mail-pf1-x432.google.com with SMTP id d2e1a72fcca58-710d1de6ee5so560475b3a.0 for <jose@ietf.org>; Thu, 08 Aug 2024 12:44:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1723146262; x=1723751062; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NWiq9LI/8J7wWHQDu2B3fGnjRSt+mn06M1FJDXrVw+4=; b=WqcijYa9UlJsixy1Jm6UTUODVuCqCaV9aHU54PzPTb4TVugVTB6iGzy/8IM9FBAa81 CTnq6sTwHbvU22rzm9tORw+5oJtZdhwQhgm0s7XGQnNFE8xfeKNlbq2xuGKveyYkZe// 5k1ISVIne5Md1g9XZVoeTNiINGQ9rNVXNt20Sat0HjzS8letw6cjBY1FjbslOZbc4RI9 Xj/W1j3XYGp3ALXSJKLweCmRRf/umZZRFhSCeFdqJheXlWmZFCpuQ7Poa+L3TSvS0LGA PJ2TbVEJIXDXz29ArgtNpTMmJXWuX73V9pJqt0ptsUsj+2gMsBPupR9bCzJR8YbAbDJ9 h9EA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723146262; x=1723751062; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NWiq9LI/8J7wWHQDu2B3fGnjRSt+mn06M1FJDXrVw+4=; b=AlSNyyrZebfJXgWohf1L51YZcYTQqPwTzC5HYZD+2BiAuzKQKSmt33wzCRDXABRO8J RHT5NMqW4p8DD18sbb+v98xaAc4fk3a1YXAKkOMrRTthK+FFGxgxNFEsrI/H92BAJk7z AshmUcmCzc74MtqG5/cYE++7CkPFZNAuiBOXRjQoFsoxAnEPigOdYjQz6mj4582XNLmu JixslTLGMwKNQbE21tOyOEvl1YxGzRTP0E13Z6Z6zGLIs3IG5/fYL0YdUNY9irfgFuQS sMF22NTeT17TT3JYL261ag/Xo3EF7i3IB4N8pt3t4XNPlYD5GenIAg8erx1sqj1PtaeR lLDw==
X-Forwarded-Encrypted: i=1; AJvYcCXACF7GVywMguhqG0g2TyAqNafMQ1TtUVc5ObclTdZw4iwL0H+p9B4fR6P7UjgMi2jTdNjvQFQoPRa1oHBk
X-Gm-Message-State: AOJu0Yye54jTiHEcaqvRe5t84LIHhZ73Va6tXxJv1fSXXsd5tugLnqTu FZytfrsuK0bkB1P7EIAWzcUW7yaMqfb5OE17YPPtf/XiM33jKegxyIb4hRmeRjyDb1OWtcJVBE0 /VEVVIiXaY4wH9Er1EbuEbNorfGVINfJIjEDr1w==
X-Google-Smtp-Source: AGHT+IFdoxdNULuMEbcjnn0VvnZA6x3SdFBl8oOqkOAUUyyH+gqv6TJOrYcMOLyqrh9fijZHLMoY1Ndsuanu22Fo+OE=
X-Received: by 2002:a05:6a21:6d94:b0:1c4:88ce:c996 with SMTP id adf61e73a8af0-1c6fcfada90mr4029931637.46.1723146261856; Thu, 08 Aug 2024 12:44:21 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR02MB74391ECC2D8130E1F0994C1AB7BF2@SJ0PR02MB7439.namprd02.prod.outlook.com> <CA+k3eCQNWURoC=PcgNsmqGNhbd0Vpu9ukSwx+ZzJ7zLLS1hckg@mail.gmail.com> <CAN8C-_LYKz2Vg6gDQv3mRX4KsJnESeyc=Af58V_DBiLGV_Hqpg@mail.gmail.com> <CA+k3eCSw6+C3Hs3ijsUrO1rVNJbHTt8ggAp6AtcLkgRoH6vVFw@mail.gmail.com> <CAN8C-_+fh5UxVjvoQe5+VMZoWufkHM9CYaNbFagkoeN-ZNY4=A@mail.gmail.com> <8EF444AE-9D1C-4A4F-82CF-E91D91C9A237@gmail.com>
In-Reply-To: <8EF444AE-9D1C-4A4F-82CF-E91D91C9A237@gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 08 Aug 2024 14:44:09 -0500
Message-ID: <CAN8C-_L4P=stFigYkoKG9-qEukRFA+2MWnjcYuqGrUCzMGoEaA@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000d59ee7061f3140d3"
Message-ID-Hash: 277T3FFWOW6BFEKQWV2FFQKYSYHEV5LY
X-Message-ID-Hash: 277T3FFWOW6BFEKQWV2FFQKYSYHEV5LY
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Brian Campbell <bcampbell@pingidentity.com>, "jose@ietf.org" <jose@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: Do you need the JWP JSON Serialization?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/WQwRYaJOjZTmGLEvxUlAYCevXzQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

That only applies to "SD-JWT+KB"

Because: ... "kb_jwt MUST be present when using the JWS JSON Serialization,
and the digest in the sd_hash claim MUST be taken over the SD-JWT as
described in Section 5.3.1."...

If we are talking about just the SD-JWT without any key binding... the
order of disclosures could change / does not matter, and there is only the
integrity protection afforded by checking that they are all present per:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-8.2

Before the holder secures the disclosures with kbt, the holder controls
their order, and the eventual sd_hash.

Unless I am mistaken, there is no ordering requirement for the SD-JWT
without key binding, so the disclosures are mutable, until the holder makes
them immutable by applying key binding:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-5.3.1

As I noted before, when you don't build in an ability to bucket related
objects, they get grouped together and through string concatenation.

In SD-JWT: <Issuer-signed JWT>~<Disclosure 1>~<Disclosure
2>~...~<Disclosure N>~ (order of disclosures can change).
In SD-JWT+KB: <Issuer-signed JWT>~<Disclosure 1>~<Disclosure
2>~...~<Disclosure N>~<KB-JWT> (order cannot change)

In JSON Serializations, there can be other unprotected header parameters,
which is why the draft has this text:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-9.1-4

In Compact Serialization, it is not possible to include any "other
unprotected headers"... this is the point that I am trying to make.

As Brian noted, JWE has similar behavior with single / multiple
recipients... because only JSON serialization supports multiple recipients
and unprotected headers.

Before SD-JWT, a JWT was only compact... that's still true after SD-JWT
since SD-JWT is not a JWT, it's a JWT that can have a ~ in it, and possibly
another JWT at the end.

After SD-JWT, you can have a "SD-JWT that is JSON Serialized"... even
though you can't really have a "JWT that is JSON Serialized"... technically
what JADES produces is just JWS in JSON Serialization... it's not a "token".

All of this is more confusing than having a text and object representation
that support the same set of features... which is what COSE has.

SD-JWT is an improvement over JWT in this regard.

OS


On Thu, Aug 8, 2024 at 2:20 PM Neil Madden <neil.e.madden@gmail.com> wrote:

> Maybe I’m missing something, but all of the disclosures are covered by the
> SD-JWT signature and so (a) are protected, and are (b) immutable.
>
> — Neil
>
> On 8 Aug 2024, at 19:18, Orie Steele <orie@transmute.industries> wrote:
>
> That's fair : )
>
> Let's replace "suspicion" with "I would have argued for a different
> design".
>
> In JOSE, ~ is just used as a placeholder for "missing unprotected header".
>
> You still need to validate that the correct mutable data was included, and
> that no "unexpected mutable data" was included.
>
> That's a "verifier policy over mutable data".
>
> In the context of SD-JWT that means checking disclosures, matching their
> hash to the kbt and making sure the kbt is signed by the cnf.
>
> That is very similar to the kind of unprotected header processing that
> COSE supports, see:
>
> https://www.rfc-editor.org/rfc/rfc9338.html#section-2
>
> Sure maybe it's less obvious that jwt (cnf) -> disclosures -> hash -> kbt
> signed by cnf is a kind of counter signature.
>
> But it is a second signature, over a specific set of disclosures that is
> grouped together with the first signature, which are verified together.
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-9.1
>
> """
> Unprotected headers other than disclosures are not covered by the digest,
> and therefore, as usual, are not protected against tampering.
> """
>
> This is similar to how values in unprotected headers in COSE are not
> protected, unless there is some "verification process" such as checking a
> counter signature, or merkle tree inclusion proof.
>
> Isn't JWP meant to replace SD-JWT in some cases that require stronger
> unlinkability?
>
> IIRC SD-JWT and OAUTH had good reasons to define a JSON Serialization, and
> if it's used, those users should be able to switch to JWP or CWP in the
> future.
>
> OS
>
>
>
>
>
> On Thu, Aug 8, 2024 at 12:33 PM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>>
>>
>> On Thu, Aug 8, 2024 at 11:27 AM Orie Steele <orie@transmute.industries>
>> wrote:
>>  <snip>
>>
>>>
>>> If JWTs had unprotected headers, I suspect SD-JWT would have used them
>>> for the mutable part (disclosures).
>>>
>>
>> That suspicion is entirely incorrect.
>>
>> <snip>
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
>
>
> --
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
> <https://transmute.industries/>
> _______________________________________________
> jose mailing list -- jose@ietf.org
> To unsubscribe send an email to jose-leave@ietf.org
>
>
>

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>