Re: [jose] JWK glitches in deployment
Chuck Mortimore <cmortimore@salesforce.com> Tue, 26 August 2014 16:56 UTC
Return-Path: <cmortimore@salesforce.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DABBE1A01D8 for <jose@ietfa.amsl.com>; Tue, 26 Aug 2014 09:56:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.722
X-Spam-Level:
X-Spam-Status: No, score=0.722 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nvHZCRqljBhe for <jose@ietfa.amsl.com>; Tue, 26 Aug 2014 09:56:44 -0700 (PDT)
Received: from mail-ob0-f175.google.com (mail-ob0-f175.google.com [209.85.214.175]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0D551A017D for <jose@ietf.org>; Tue, 26 Aug 2014 09:56:43 -0700 (PDT)
Received: by mail-ob0-f175.google.com with SMTP id wp18so11897191obc.20 for <jose@ietf.org>; Tue, 26 Aug 2014 09:56:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=e5CJlinfOuVXUqEzZU0msczmjY8ho/lgR4mKTcgAwyc=; b=FxUQq4JLVLIwZHgo0DjxUrud99dLa5DEHEANu9gJ2pWYy8b//I/xLNwyewZi17TjQL CgI6UwyRe2hDB+BvKLVoIM/JBSqMu5c7iYRD5QeuJzAAgacbCLiFvHGNvi4hc/xWDj7W v85Dd8pbZAJnXnM/QFnWIpz59gaZ2Ds4Oqwk/av3ovP0rwBLsXW7bp+BS/f+0NlTkUQ0 0L5q9U9C/gEzcpb1qPGB4G6fvmRvdsLu91zVbkd18LAZMwMKUAiofwmQJafzuIT/lyev MbvpvSz/AknSzkSXfJlfnM09Zfxs4qgmJEBa7N8vyCdacsOxpPwUlppkaGWFuGQ0u4Z1 dNeQ==
X-Gm-Message-State: ALoCoQmMpk8mw9d7+ZGITDavX72z0btecIb4Xkh7bQUYuxLr/ZOVuysECaXflaEYq5OTZiaeIhpR
MIME-Version: 1.0
X-Received: by 10.182.236.225 with SMTP id ux1mr14827378obc.57.1409072203183; Tue, 26 Aug 2014 09:56:43 -0700 (PDT)
Received: by 10.76.175.234 with HTTP; Tue, 26 Aug 2014 09:56:43 -0700 (PDT)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E127C6DE46FD@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E127C6DE46FD@WSMSG3153V.srv.dir.telstra.com>
Date: Tue, 26 Aug 2014 09:56:43 -0700
Message-ID: <CA+wnMn_PO5i-A4AK2CYG-XHOgUti5R6yMPMiTH4yoH7M=iXdEA@mail.gmail.com>
From: Chuck Mortimore <cmortimore@salesforce.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Content-Type: multipart/alternative; boundary="001a11c2fad0224bba05018b3030"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/XCFE9shztF1HK7fTj8TAeX44mho
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] JWK glitches in deployment
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 16:56:46 -0000
We probably could have benefited from language in the spec calling out the leading zero byte as an area of concern. That said our ecosystem detected it pretty quickly and after some collaborate with Microsoft, we have a fix due out this week, so the growing pains are sorting themselves out rather quickly. -cmort On Mon, Aug 25, 2014 at 11:49 PM, Manger, James < James.H.Manger@team.telstra.com> wrote: > In March, Google’s JWK file https://www.googleapis.com/oauth2/v2/certs > (used for OpenID Connect) had 3 bugs: base64 instead of base64url; 1024-bit > instead of >=2048-bit; leading zero byte on moduli. > > Today Google’s JWK file has 1 different bug: the base64url encoding has a > trailing “=”. > > Salesforce’s JWK file https://login.salesforce.com/id/keys has 1 bug: a > leading zero byte on the RSA moduli. > > > > Are these just teething problems, or do we need a stronger warning in the > spec. These bugs also change the JWK’s thumbprint (another reminder not to > base security on thumbprints being unique for a given key). > > > > -- > > James Manger > > >
- [jose] JWK glitches in deployment Manger, James
- Re: [jose] JWK glitches in deployment Chuck Mortimore
- Re: [jose] JWK glitches in deployment Mike Jones
- Re: [jose] JWK glitches in deployment Mike Jones