Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)

John Bradley <> Mon, 06 October 2014 22:36 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D96C51A9049 for <>; Mon, 6 Oct 2014 15:36:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.831
X-Spam-Status: No, score=-1.831 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=unavailable
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id K-Jqt83baVYs for <>; Mon, 6 Oct 2014 15:35:57 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0441F1A9044 for <>; Mon, 6 Oct 2014 15:35:56 -0700 (PDT)
Received: by with SMTP id v10so4251514qac.12 for <>; Mon, 06 Oct 2014 15:35:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=jWLvBBms3cLnV1UOIzaEgrz6WUerlWVT3Mo+M+d2b9I=; b=JmhUO4V1BX0oyDBm6o82OIM4FAvtFNXz7SfE+Ph+LbPyqjpBy5AUYvdJlrg907aN57 IBM4PULZVbjKw/V4+cNLwcrvmUrcAyHLJeroXaZe1MrMcmekp32Y1UCRZhh2fq6M0B8o SnEEjtZlymQYHRze97/y8bhjnbCrxg0LApTBIlQj1QkPHVcFMr+7aHYv6zUgIAos46bI N5XklJrKE0fruMi29T6h9/ckFdceBvT22Xbo59jkhXsWGoNlJggLN85e66w6aekjNx3w YPgjS9z4fBZUf7YIRSbVpyjxr3HIxT/UNjks2XFyDOZ1AWlDjtpLiANrDnSb+1PsmKwu NyVQ==
X-Gm-Message-State: ALoCoQmRdK4+Jp55XvoDWB4d6gZV1osSdg2hWp12aQ199QgE99PhHi8IzEUg7iYl+MrrWmgf6D++
X-Received: by with SMTP id h3mr29254266qcf.4.1412634956171; Mon, 06 Oct 2014 15:35:56 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id b102sm4631508qge.37.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 06 Oct 2014 15:35:55 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <>
In-Reply-To: <>
Date: Mon, 06 Oct 2014 19:35:52 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Michael Jones <>
X-Mailer: Apple Mail (2.1878.6)
Cc: "" <>, "" <>, The IESG <>, "" <>, Stephen Farrell <>
Subject: Re: [jose] Stephen Farrell's Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 06 Oct 2014 22:36:02 -0000

The reference for key lengths is SP-800-57

Note table 2 lists 80 bits of security for RSA k=1025 and ECC f=160-233  and 112 bits for RSA k=2048 and ECC f=224-255

Table 4 lists 80 bits as being disallowed for applying while it may still be used for legacy use processing.
112 bits is acceptable to 2030 (if we are lucky).

There is no real legacy use of JOSE so starting at 112 bits seemed reasonable.  
(Depending on a number of factors this should be a minimum depending on how long you want to have integrity over verifying the signatures.)

John B.

On Oct 6, 2014, at 4:54 AM, Mike Jones <> wrote:

> Thanks for your review, Stephen.  I've included the working group on the thread so they're aware of your comments.
>> -----Original Message-----
>> From: Stephen Farrell []
>> Sent: Thursday, October 02, 2014 3:37 AM
>> To: The IESG
>> Cc:; draft-ietf-jose-json-web-
>> Subject: Stephen Farrell's Discuss on draft-ietf-jose-json-web-algorithms-33:
>> (with DISCUSS and COMMENT)
>> Stephen Farrell has entered the following ballot position for
>> draft-ietf-jose-json-web-algorithms-33: Discuss
>> When responding, please keep the subject line intact and reply to all email
>> addresses included in the To and CC lines. (Feel free to cut this introductory
>> paragraph, however.)
>> Please refer to
>> for more information about IESG DISCUSS and COMMENT positions.
>> The document, along with other ballot positions, can be found here:
>> ----------------------------------------------------------------------
>> ----------------------------------------------------------------------
>> Sorry to pile on, but I guess such a detailed and broad piece of work is likely to
>> attract many comments and discusses.
>> Mine should be cleared up easily enough I hope.
>> (1) Hmm, where was that discussed on the list?  I think it'd be better if >2
>> prime RSA was considered a separate algorithm. (I vaguely recall some IPR with
>> such moduli for some uses too, but not sure.) I'd recommend dropping the
>> whole "oth" parameter entirely.  (I'll clear this discuss once its clear that this was
>> discussed by the WG, I just want to check as I don't recall it.)
> This was discussed in the thread "private keys, leading zeros" initiated by James Manger on August 15, 2012.  (Sorry, I can't get you the archive URL reference at present because I'm writing this offline on an airplane over the Pacific.)  It was also discussed as issue #153.  This feature was directly modelled on RFC 3447.  Applications are free to profile the JWK spec to prohibit the use of such keys, so I don't see a compelling case to remove it.
>> (2) Instructions to DEs: would registering DES be considered ok or not? What
>> about myJustInventedPrivateAlg?  What about a request for 10 ccTLD specific
>> Algs? I think these need a bit more clarity wrt cryptographic "goodness." As a nit,
>> "makes sense" isn't going to help too much, we've seen that reasonable folks
>> can differ on that here. Again I don't recall that discussion on the list, but please
>> point me at it if it happened.
> Registering DES with the Implementation Requirements value "Prohibited" would be permitted.  The instructions on the "JOSE Implementation Requirements" registry field include:
>    Any identifiers registered for non-authenticated encryption algorithms
>    or other algorithms that are otherwise unsuitable for direct use
>    as JWS or JWE algorithms must be registered as "Prohibited".
> Note that this capability was added at the request of the W3C WebCrypto WG.  (WebCrypto is choosing to support some algorithms that JOSE explicitly chose not to, including some non-authenticated encryption algorithms.)  "Deprecated" is also a value available to registrants and the DEs.
> If you want to supply additional proposed language to the DEs, that would be welcomed.
>> ----------------------------------------------------------------------
>> ----------------------------------------------------------------------
>> - Unlike others, I do think implementation requirements are needed. The WG did
>> specifically discuss this (a lot) and landed where it did. I don't think the IESG
>> should second guess that without specific evidence that it'd cause damage.
>> (Richard's points were made previously I believe.)
> I concur with your synopsis of the discussion that occurred in the working group and the conclusions reached.
>> - 3.3 (and elsewhere) says 2048 bits or larger. I guess that
>> 2049 bit keys might not work for many implementations and are not a great idea
>> (as Bleichenbacher works quicker against such lengths if I recall correctly). Could
>> be worth a note somewhere even though I guess most folks know what's what.
> Rather than us inventing new text, is there an RFC or other doc we can reference that provides appropriate guidance on acceptable RSA key lengths?  I know that the 2048 came from NIST key usage requirements that I believe ekr pointed us to.
>> - 4.1 (and elsewhere): adding table captions with numbers would be good.
> I don't feel strongly about this, but each table is in its own section, and so can be referenced by section number.  I'd experimented with adding captions at one point and it just seemed to take up additional vertical space without making the spec clearer.  But I could be convinced otherwise.  Why do you want captions?
>> Col 1 of the final 3 rows are unfortunate.
> I don't know how to teach xml2rfc to not do what it did to the final 3 rows, but I can make a note to have the RFC editor manually address this if the tool can't.
>> - Surprised there was no need for integer DH. Can be added later I guess.
> No one has previously asked about it.  But there registry will be there for it to be added, if wanted/needed.
>> - 6.2.1: Given that the point compression IPR is now expired
>> (right?) did the WG consider now allowing that? I wondered how much work it
>> would be to add now, vs to add later. If "later" would cause a lot of duplication,
>> then maybe "now"
>> would actually be worth it. ("Later" might also be fine considering the current
>> work in CFRG on additional curves.)
> I recall that in the discussions, people were happier having a single representation than multiple representations.  Given the curve discussions, that's also another reason I'd opt for "later".
>> - allowing the extra 0x00 would be a better choice IMO, but whatever.
>> Those were historically added so that buggy decoders wouldn't wrongly think
>> numbers negative, which could still happen maybe.
> Yeah, I realize why the Java library does this.  This was another case where we decided that having a single representation would create less interop problems down the road than allowing multiple representations.
>> - 7.1, 2nd para: why not RSA2048 earlier then?
> I don’t actually recall.  I think the two choices reasonably available to us at this point are to either keep or delete this paragraph.  Which would you prefer?
>> - 7.1.1: It might help the DE if the template here required references to well
>> know academic crypto conference publications that consider cryptanalysis of
>> the alg in question, e.g. from crypto, or eurocrypt etc. One good rule of thumb
>> here is that if there are no such references then you really should not register
>> the thing.
> Good idea.
>> - 8.3: Is 65537 considered a "low" e?  "Low" is too vague there.
> No, it's not "low", but I can't back that up with a reference off the top of my head.  Working group, what are the relevant documents here that we could reference for this information?
>> - 8.5: I'd prefer there was no none. The WG did discuss it though, so I'll hold my
>> nose.
> Understood.
>> - 8.6: suggesting a CA as a cure for oversized keys is odd, I think those are
>> separable things and e.g. TOFU might be just as or more effective then X.509
>> here.
> Sean Turner suggested adding that text on July 6, 2012.  Proposed edits would be welcomed.
>> - Appendix A:  Thanks for that! It'll save folks a lot of time. Might be better
>> presented as a set of records and not as a fixed width table.
> You're welcome!
> I'll plan to work with the RFC Editor to figure out how to best present it and how to achieve that.  I agree that the presentation is screwed up right now.
>> - I think most of the secdir stuff has been handled (and thanks for that) so I'm
>> fine that the authors and AD are on top of that.
> Thanks again for your review and your participation in the working group.
> 				-- Mike
> _______________________________________________
> jose mailing list