Re: [jose] JWP
Richard Barnes <rlb@ipv.sx> Thu, 28 July 2022 21:12 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4D56C159488 for <jose@ietfa.amsl.com>; Thu, 28 Jul 2022 14:12:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q0vfGSuhWBHv for <jose@ietfa.amsl.com>; Thu, 28 Jul 2022 14:12:05 -0700 (PDT)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB1EFC14F74E for <jose@ietf.org>; Thu, 28 Jul 2022 14:12:05 -0700 (PDT)
Received: by mail-qv1-xf2e.google.com with SMTP id y11so2336928qvn.3 for <jose@ietf.org>; Thu, 28 Jul 2022 14:12:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IrYyvuZADu6taG9McypTvnPx86J7ip1EGixFlsuY4N4=; b=FeD+5xiRQwxdUPdnzzYmAbydiAHOuLLZ2e27SCFjvsuxh/QDeCeSkuvH5Cffvy+/eK J8fMgFn2Jaj42lVcNOjjjXXU/pNLvH4Oo3SixmMkJPt+DaIwppA1uOtOTK7fbDeHHs0H FCC9LcNDmTQqRYF5p3LQlsrbcW8w+v2U/Er2r8Qdp9uoG1zvVrdlxRleCtAphf6AVK9G Saz/Jgip7KAw3R8KkBUYNT3HtasJTZegSnrRMTzOiU9C9nQSm9+ub4DKauigQPF90SFS EwGfrt0l2krUwZoCvNu2Bj4xzpVagvbIHnF7EiIZf2HU/XYXsfI0VuVPUYKT1xx7xOKa aPXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IrYyvuZADu6taG9McypTvnPx86J7ip1EGixFlsuY4N4=; b=XR9g7fVayBVBQC06oHAUKUyoRgjAPs5aW6MzbA9rkgZkt+eOp9JM7fMXci+G1CP6we ND3VrIwuu+TXdm1u2GbTLEUQweiFmJzNrjpZ/6GtHed0m6wX8Llc/XIA/kdet+fP6FLL /L5khH4ZmFD4b3rR1wrZWex5wuvmQM+qXb51ImbzRBOqOEZ9QxV5IPU/8OQScoU+Nh96 IVkJjWzbomJOac4jMOgoPe5RGIxbylJ6z4lcAb9KbYs0dw5tKudA9Yh8rPeEMyR/bujT 1UlEnYikmakEwfXtfWoQvB01eIrqfC1Kh0M01aycuKcz/AQ1r+0kJA+JVdKxmJPZhnOA LGKA==
X-Gm-Message-State: ACgBeo2Z3M/Z8yzvIC+HGP0U42q1O29ide3Z7yEhJY6s1ttFbj8mDbVW 12+D2YLnt8HB4PJLhXRzKqBRg1htCu9nrdL4gVuJPQ==
X-Google-Smtp-Source: AA6agR6L2vPoO8SjwyMEaD+2t/XSbLEEcLLZt7LQxDsa2jDPCx7V+pnx5dm/0+98hJm0svdh5EPjBGrd2veQjwo9MDk=
X-Received: by 2002:a05:6214:4015:b0:474:15d9:ce76 with SMTP id kd21-20020a056214401500b0047415d9ce76mr856870qvb.86.1659042724796; Thu, 28 Jul 2022 14:12:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAAFNpxs0bUFKu40QbsKzYBYKjGiMy982mDiDqvGjjdA56ESg2g@mail.gmail.com> <A0CF699F-5F77-4401-92B7-CCEE4340FF5F@forgerock.com> <CO1PR00MB09963C33DDF6C72A82C83DDDF5969@CO1PR00MB0996.namprd00.prod.outlook.com>
In-Reply-To: <CO1PR00MB09963C33DDF6C72A82C83DDDF5969@CO1PR00MB0996.namprd00.prod.outlook.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 28 Jul 2022 17:11:53 -0400
Message-ID: <CAL02cgRjBJtStFzWQL3sTZ0dD+ok=OqJNeaQ-j9UFk79j3g2dA@mail.gmail.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: Neil Madden <neil.madden@forgerock.com>, Jeremie Miller <jeremie.miller@gmail.com>, Tobias Looker <tplooker@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, "jose@ietf.org" <jose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004769a205e4e3fce5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/WeYyKcdmmMJ9eYwaOBvg6pltwIg>
Subject: Re: [jose] JWP
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 21:12:09 -0000
I'm not sure that clarifies things much, Mike, at least for me. Maybe you could help fill in the analogy for me: JWE represents confidentiality protection JWS represents authenticity/integrity protection JWP represents ...? In other words, it seems like JWE and JWS were straightforward implementations of well-understood cryptographic functions. What is the single, clear cryptographic function that JWP would provide? On Thu, Jul 28, 2022 at 2:43 PM Mike Jones <Michael.Jones= 40microsoft.com@dmarc.ietf.org> wrote: > > But from these discussions it seems that JWP is really its own separate > thing. > > > > They are separate in the same way that JWS and JWE are separate. JWP has > a different syntax than JWS or JWE but reuses many of the design decisions > and components, when applicable – just like JWE reused many of the design > decisions and components from JWS. > > > > Also, per my presentation at the BoF > <https://datatracker.ietf.org/meeting/114/materials/slides-114-jwp-the-need-standards-for-selective-disclosure-and-zero-knowledge-proofs-00>, > the JOSE working group members have experience creating simple and > widely-adopted JSON-based representations for cryptographic objects. The > simplest way to ensure that that expertise is brought to bear is to, in > fact, do the work in the JOSE working group. > > > > -- Mike > > > > *From:* jose <jose-bounces@ietf.org> *On Behalf Of * Neil Madden > *Sent:* Thursday, July 28, 2022 1:13 PM > *To:* Jeremie Miller <jeremie.miller@gmail.com> > *Cc:* Tobias Looker <tplooker@gmail.com>; Torsten Lodderstedt < > torsten@lodderstedt.net>; jose@ietf.org > *Subject:* Re: [jose] JWP > > > > > > On 28 Jul 2022, at 16:47, Jeremie Miller <jeremie.miller@gmail.com> wrote: > > > > No, to prevent this the issuer simply puts these sorts of claims in the > header, which is not subject to selective disclosure, e.g the prover cannot > create a valid proof/presentation without disclosing the original > un-modified header. > > That is a very non-standard use of the header. AFAICT such usage is not > compatible with RFC 7800, and I would guess that it may well lead to > security issues as implementations won’t be looking for these claims in the > header but rather in the claims set. > > > > That's one of the reasons we're proposing JWP as another specification, it > is not compatible with existing JWTs+PoP. > > > > Also, a current security assumption baked into the JWP draft is that all > presentations are not replayable. While this can be accomplished with a > proof-of-possession it is not the only mechanism an algorithm could use, > BBS for example supports this without requiring a traditional PoP. > > > > > > So I guess then why do this in the JOSE working group if the work has > little in common with existing JOSE specs and semantics? Different > algorithms, different formats, different processing rules. It’s not clear > if JWP could even reuse the IANA JWT Claims registry if you’re saying that > it’s not compatible with some of them (eg cnf). > > > > The proposed new charter says: > > > > “The current JOSE and JWT specifications are not sufficiently general to > enable use of these newer techniques. The reconstituted JSON Object Signing > and Encryption (JOSE) working group will build on what came before but also > rectify these shortcomings.” > > > > But from these discussions it seems that JWP is really its own separate > thing. (Indeed the JOSE specs are already criticised for trying to be too > general). > > > > — Neil > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- [jose] JWP Richard Barnes
- Re: [jose] JWP Tobias Looker
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Tobias Looker
- [jose] Fwd: JWP Orie Steele
- Re: [jose] JWP Mike Prorock
- Re: [jose] JWP David Waite
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Torsten Lodderstedt
- Re: [jose] JWP Anders Rundgren
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Tobias Looker
- Re: [jose] JWP Zundel, Brent
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Mike Jones
- Re: [jose] JWP Zundel, Brent
- Re: [jose] JWP Richard Barnes
- Re: [jose] [EXTERNAL] Re: JWP Christian Paquin