IETF Logo Mail Archive

Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-encryption-33: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 03 November 2014 21:40 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E59311A19EA; Mon, 3 Nov 2014 13:40:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id otK8hKRZi8CZ; Mon, 3 Nov 2014 13:40:35 -0800 (PST)
Received: from mail-lb0-x232.google.com (mail-lb0-x232.google.com [IPv6:2a00:1450:4010:c04::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF5781A19E3; Mon, 3 Nov 2014 13:40:34 -0800 (PST)
Received: by mail-lb0-f178.google.com with SMTP id f15so11205946lbj.37 for <multiple recipients>; Mon, 03 Nov 2014 13:40:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ybAYXBSavJHdL5SjBApDvOLqj95UtkgQEv9YShdOdmE=; b=lcxN5sfUtC8bhIb6Fkq7PS9DJ+jdEP+o/E0TCPegvwmgWB3uF5bmK/Fr2zUe761YnD 9Mzc1rUzyPNBDpbZKVAkY2Hf9g8Ec7YSxASgll8BwoXxuIBfQMwyNJzHELQ9VOSAD2Cs 2Kl5YOqevsxblFj1XKxSG7bqfRjhyhh71vkiVV1ST8EZX1D1fd3fxqzhwanxLaw2JJto szEqBvgU0mW8Y2qHlCwtFvssdBa3nmcimRRRImf+SztepuvHsTUhmx7xe1CzPGuFdpem jdY8TWdT4SZzfDtVSHCLGWBQN5ZQxCpN31t2omSHA1t8kod5uS88EIQXEr3EbL91MyVf bbTg==
MIME-Version: 1.0
X-Received: by 10.152.29.41 with SMTP id g9mr55022128lah.83.1415050832792; Mon, 03 Nov 2014 13:40:32 -0800 (PST)
Received: by 10.112.95.17 with HTTP; Mon, 3 Nov 2014 13:40:32 -0800 (PST)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BB262B7@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739439BB262B7@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Mon, 03 Nov 2014 16:40:32 -0500
Message-ID: <CAHbuEH7hp2Lk8SaAH+8uQRWeCYWJ4Xj=rstoqoW5NP8b7U_Nmg@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/YdnzgUA48LzAKhDKc8m52ccT06w
Cc: "draft-ietf-jose-json-web-encryption@tools.ietf.org" <draft-ietf-jose-json-web-encryption@tools.ietf.org>, Mike Jones <Michael.Jones@microsoft.com>, "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-encryption-33: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Nov 2014 21:40:38 -0000

Hi Richard,

Can you take a look at this and let me know what you think at this
point.  Can we resolve the discuss or do you have suggestions?

Thanks,
Kathleen

On Sat, Oct 25, 2014 at 2:34 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> The simplified single-recipient JSON Serialization syntax has been added to
> draft -36.  Hopefully this will enable you to clear your remaining DISCUSS
> on this draft.
>
>
>
>                                                             Thanks again,
>
>                                                             -- Mike
>
>
>
> From: Richard Barnes [mailto:rlb@ipv.sx]
> Sent: Monday, October 20, 2014 9:21 AM
> To: Mike Jones
> Cc: The IESG; draft-ietf-jose-json-web-encryption@tools.ietf.org;
> jose-chairs@tools.ietf.org; jose@ietf.org
> Subject: Re: [jose] Richard Barnes' Discuss on
> draft-ietf-jose-json-web-encryption-33: (with DISCUSS and COMMENT)
>
>
>
>
>
>
>
> On Sat, Oct 11, 2014 at 6:19 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> Thanks for your review, Richard.  Responses are inline below...
>
>
>> -----Original Message-----
>> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
>> Sent: Wednesday, October 01, 2014 8:37 PM
>> To: The IESG
>
>> Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; jose-
>> chairs@tools.ietf.org; jose@ietf.org
>> Subject: [jose] Richard Barnes' Discuss on
>> draft-ietf-jose-json-web-encryption-
>> 33: (with DISCUSS and COMMENT)
>>
>> Richard Barnes has entered the following ballot position for
>> draft-ietf-jose-json-web-encryption-33: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email
>> addresses included in the To and CC lines. (Feel free to cut this
>> introductory
>> paragraph, however.)
>>
>>
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> Overall, this document is in much more solid shape than when it began.
>> Thanks to the WG for a lot of hard work.  I only have one remaining
>> concern,
>> that should hopefully be easy to address.
>>
>> Section 7.2.
>> I've had several implementors trying to use JWE in the JSON serialization
>> ask
>> why it was necessary to include a "recipients" array in cases where
>> there's only
>> one recipient.  It seems like this is going to be a major barrier to
>> deployment and
>> re-use, so I would propose including the following text:
>> """
>> In cases where the JWE is encrypted for only one recipient, the
>> "recipients" array
>> will contain a single object.  In such cases, the elements of the
>> "recipients" array
>> MAY be included at the top level of the JWE object.  If the generator of a
>> JWE
>> chooses to use this representation then all unprotected header parameters
>> MUST be carried in the "header" field, and the "unprotected" field MUST be
>> absent.  A JSON-formatted JWE that contains a "recipients" field MUST NOT
>> contain a "header" or "encrypted_key" field, and vice versa.
>> """
>> This may also require some other changes where "recipients" is relied on,
>> e.g., in
>> Section 9.
>
> My response to this parallels that to the similar DISCUSS about JWS.
>
> That said, I actually have marginally *more* concerns about this proposal
> than the JWS one, because you're making an arbitrary choice between the
> multi-recipient "unprotected" parameter and the per-recipient "header"
> parameter, and dictating that one be used in preference to another in the
> proposed case where "recipients" array is not present.  This adds an
> additional level of non-parallelism that isn't present in the JWS case.
>
> For those following along, here are the two mostly equivalent syntaxes that
> implementations would have to support in Richard's proposal:
>
>   {"protected":"<integrity-protected shared header contents>",
>    "unprotected":<non-integrity-protected shared header contents>,
>    "recipients":[
>     {"header":<per-recipient unprotected header 1 contents>,
>      "encrypted_key":"<encrypted key 1 contents>"}],
>    "aad":"<additional authenticated data contents>",
>    "iv":"<initialization vector contents>",
>    "ciphertext":"<ciphertext contents>",
>    "tag":"<authentication tag contents>"
>   }
>
> and
>
>   {"protected":"<integrity-protected shared header contents>",
>    "header":<per-recipient unprotected header 1 contents>,
>    "encrypted_key":"<encrypted key 1 contents>",
>    "aad":"<additional authenticated data contents>",
>    "iv":"<initialization vector contents>",
>    "ciphertext":"<ciphertext contents>",
>    "tag":"<authentication tag contents>"
>   }
>
> Plus, there would be a third syntax if use of the "unprotected" parameter
> were not arbitrarily ruled out, as his proposal does:
>
>   {"protected":"<integrity-protected shared header contents>",
>    "unprotected":<non-integrity-protected shared header contents>,
>    "header":<per-recipient unprotected header 1 contents>,
>    "encrypted_key":"<encrypted key 1 contents>",
>    "aad":"<additional authenticated data contents>",
>    "iv":"<initialization vector contents>",
>    "ciphertext":"<ciphertext contents>",
>    "tag":"<authentication tag contents>"
>   }
>
> During the Denver interim meeting in April 2013 and subsequent working group
> decisions we all agreed to a specific syntax for the JWE JSON Serialization.
> We explicitly agreed to have a "recipients" array, since this serialization
> enables multiple recipients.  This syntax was incorporated in draft -11 in
> May 2013 and has been stable since then.  Given you were an inventor of this
> syntax, Richard, I'm surprised to see you questioning it now, this late in
> the process.
>
> I'll therefore ask you to withdraw this DISCUSS, since having multiple
> syntaxes to represent the same semantics can only hurt interoperability.
>
>
>
> FWIW, I'm not necessarily proposing multiple syntaxes.  I would be A-OK with
> requiring that single-recipient JWEs follow the simplified syntax.
>
> My comments on the JWS thread about the multiple-recipient case reducing to
> the single-recipient case also apply here.  An implementor is going to have
> to build a single-recipient version *anyway*, since that's how the crypto
> works, so we might as well make the syntax match.
>
> --Richard
>
>
>
>
>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Section 3.3.
>> Why doesn't this example include the JSON encoding?
>
> Same answer as to your parallel question on JWS.
>
>> Section 4.1.3.
>> "This Header Parameter MUST be integrity protected"
>> Why is this the case?  There is no security reason that "zip" must be
>> integrity-
>> protected, and this requirement isn't made for any other parameter.
>
> ekr and others stated reasons for this when the compromise about allowing
> some non-integrity-protected parameters was reached.  I believe that they
> boiled down to ensuring that an attacker couldn't vary the contents of the
> plaintext by changing the "zip" parameter value as part of an attack.  Given
> the effectiveness of the CRIME attack against compression in SPDY since
> then, this advice seems all the more sound in retrospect.
>
>> Section 7.2.
>> The requirement that the "recipients" field MUST be present seems odd.
>> What's the justification for this?
>
> Simplicity.  The structure of a JWE using the JSON Serialization is always
> the same that way, simplifying generators and parsers.  If this weren't the
> case, they'd have to have a special case for the situation where the
> "recipients" array was omitted.
>
>> Appendix A seems kind of unnecessary given draft-ietf-jose-cookbook.
>
> Developers have found the examples to be useful in practice.  Having more in
> the cookbook just adds value, without detracting from the value of the
> examples in the JWE spec.
>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>
>                                 Thanks again,
>                                 -- Mike
>
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email