Re: [jose] thoughts on header criticality from recent polls

"Jim Schaad" <ietf@augustcellars.com> Tue, 26 February 2013 01:22 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9DCB21E817C for <jose@ietfa.amsl.com>; Mon, 25 Feb 2013 17:22:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.537
X-Spam-Level:
X-Spam-Status: No, score=-3.537 tagged_above=-999 required=5 tests=[AWL=0.061, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7lYNOU8UzVfb for <jose@ietfa.amsl.com>; Mon, 25 Feb 2013 17:22:40 -0800 (PST)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id 63C8F21E8127 for <jose@ietf.org>; Mon, 25 Feb 2013 17:22:40 -0800 (PST)
Received: from Philemon (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 8CE202CA0C; Mon, 25 Feb 2013 17:22:38 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: 'John Bradley' <ve7jtb@ve7jtb.com>, 'Richard Barnes' <rlb@ipv.sx>
References: <512B4A34.9090305@isoc.org> <4E1F6AAD24975D4BA5B1680429673943674A42FA@TK5EX14MBXC284.redmond.corp.microsoft.com> <E373F270-B4B0-4FCB-8668-2F8719D72DD7@ve7jtb.com> <CAL02cgRHE2hQh-dcgT1MMfXssZo8CXVsKvsRhnkBmdhydvxY2g@mail.gmail.com> <B58D55C9-0082-472D-A704-3917AEA98D2D@ve7jtb.com> <CAL02cgSKzb3w49iUgi2Gmp3uoTyBMmkpFzWo2Z6gwjR2tG=AgA@mail.gmail.com> <178EF53B-5FB4-46E9-BC4C-1C9DDAE47D96@ve7jtb.com>
In-Reply-To: <178EF53B-5FB4-46E9-BC4C-1C9DDAE47D96@ve7jtb.com>
Date: Mon, 25 Feb 2013 17:22:06 -0800
Message-ID: <011d01ce13bf$b1c0b1c0$15421540$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_011E_01CE137C.A3A2A1E0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJ8kI0jOdXnomcJ+W3LOTm4rQQUkQJ8xQSvAbTAcQkBwshjfAJLjFzoAo2WgSgCR+W6iJbFs3Dw
Content-Language: en-us
Cc: 'Mike Jones' <Michael.Jones@microsoft.com>, jose@ietf.org, odonoghue@isoc.org
Subject: Re: [jose] thoughts on header criticality from recent polls
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2013 01:22:48 -0000

This would correspond to my expectation.  That the entire header would be
available to the application.

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of John
Bradley
Sent: Monday, February 25, 2013 3:31 PM
To: Richard Barnes
Cc: Mike Jones; odonoghue@isoc.org; jose@ietf.org
Subject: Re: [jose] thoughts on header criticality from recent polls

 

We are interested in interoperable JOSE libraries.   I don't have any reason
to believe from what we have in the spec that the entire header is passed on
with the body after verification.

 

Is that your interpretation of the expected behaviour for a JOSE lib?   If
that is the expected behaviour then dropping aad may make sense.

 

This is a bit more of a challenge without talking about expected API.

 

John B.

 

On 2013-02-25, at 3:20 PM, Richard Barnes <rlb@ipv.sx> wrote:





You seem to be implying that an implementation is selectively stripping out
header fields.  Why would you do that, instead of just passing on
everything, or nothing?



On Mon, Feb 25, 2013 at 6:09 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

aad allows you to signal to JOSE that the included parameters be passed
through and not just discarded.  

 

I think it helps interoperability, simply saying header x may be ignored is
a problem unless there is a rule to always pass on parameters that are not
understood.. 

 

John B.

 

 

On 2013-02-25, at 2:40 PM, Richard Barnes <rlb@ipv.sx> wrote:





Sorry, John, no agreement on "aad"  :)

 

If you want integrity checking on non-critical stuff, just put it in the
header and mark it as non-critical.  I'm willing to step back on what I said
in my response to "B"; it can be much more easily mitigated by a signer
putting something random (and not subject-controlled) before the unknown
stuff in the header.

 

 

 

On Mon, Feb 25, 2013 at 5:16 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

Karen & Mike,

 

I think an important issue that Jim and others have tried to get at is some
information in the header is intended for the JOSE library, while other
header parameters are essentially additional associated data (meta-data
about the body) and need to be passed on to other software layers for
processing along with the body.   

 

An example of that was the proposed "iat" (issued at) element, which needs
to be processed outside of the JOSE crypto processing to be useful.

 

I suspect a point of agreement might be having an "aad" header parameter
that is a JSON object that MUST be ignored by the JOSE library and passed on
with the body.  This would provide applications a way to pass meta-data
through JOSE that is integrity protected, without JOSE having to parse it.

 

Once we remove a large number of the possible extension header parameters
from JOSE processing, the problem gets smaller.

 

There is however, still the requirement that extensions for the header
parameters JOSE processes be possible.

 

For that the list of non-critical header parameters is the best solution.
That enables a header parameter to be migrated from non-critical to critical
without changing its JSON element name.

 

I think that a large number of people on the list favoured the single
element with an array of element names that are non-critical.

 

My proposal is to add two new top level elements that MUST be understood:

 

1 "ign":  Ignore - an array of top level elements in the envelope that an
application MUST ignore if it cannot process them.

2 "aad": Additional Associated Data - a JSON object that MUST be provided to
applications along with the body if present in a JOSE header.

 

All other top level header parameters MUST be understood by a JOSE library
or produce a processing fault resulting in an error.

 

I would also not want elements listed in "ign" to be passed on to
applications.  I think that would cause interoperability issues.   That is
what "aad" is intended to provide.

 

I know James has legitimate concerns about allowing potentially user
provided data to be included in the header (Or anywhere likely).  I think
this is a separate issue that needs to be addressed by security
considerations to add entropy to the header if such data is included.   That
may require a new "ent" Entropy element that MUST be ignored.  This should
be a separate discussion.

 

Finally, for JWK, I believe that we should just state that not-understand
elements should be ignored. When including a JWK header parameter this is
also allows for extension to the JWK parameter, as the MUST understand in
JWE/JWS only allies to the top level parameter's, and not the sub parameters
they may contain.

 

My proposal doesn't neatly fit into fit into one of the poll answers, but I
think it may address the majority of concerns.

 

Regards

John B.

On 2013-02-25, at 7:41 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

 

Thanks for sending this, Karen.  Hopefully your analysis will help the
working group reach a resolution on this issue soon.  I'm writing this note
primarily as an editor to help inform the working group's discussions,
rather than as an individual contributor.

 

First, I want to point out that while we've been discussing criticality of
header parameters, the specs actually currently have the "MUST be
understood" language in the JWK specification as well, as that's another
potential extension point.  The JWK description says "Additional members MAY
be present in the JWK.  If present, they MUST be understood by
implementations using them."  The same language is present for the JWK Set.
For our resolution of the issue to be complete, it should address those uses
too.  Given that a number of additional JWK fields are being discussed, I
expect that extensions will occur there.

 

Second, if we do decide to go with your approach (1), I'll summarize for the
list what I believe the two syntax proposals on the table are for doing
this.  One proposal is 2A in
<http://www.ietf.org/mail-archive/web/jose/current/msg01353.html>
http://www.ietf.org/mail-archive/web/jose/current/msg01353.html (which I'll
call the FLAT SYNTAX) and the other is the syntax that Dick Hardt proposed
in  <http://www.ietf.org/mail-archive/web/jose/current/msg01457.html>
http://www.ietf.org/mail-archive/web/jose/current/msg01457.html (which I'll
call the STRUCTURED SYNTAX).  I believe that it would be useful for the
working group to discuss which of those they would prefer in parallel to
discussing the questions that you asked, so that if we do go with approach
(1) or something like it, we'll know which to use.

 

FLAT SYNTAX:

    {"alg":"ES256",

     "ign":["notes"],

     "notes":"This header field can be safely ignored"

    }

 

STRUCTURED SYNTAX:

    {"alg":"ES256",

     "ign":{

       "notes":"This header field can be safely ignored"

      }

    }

 

As I see it, the advantage of the flat syntax is all header fields are in
the same place.  This makes processing header fields easier and is more
regular.  The disadvantage is that the list of fields that may be safely
ignored repeats those field names.

 

As I see it, the advantage of the structured syntax is that nothing is
repeated, resulting in cleaner JSON syntax.  The disadvantage is that then
some header fields are in one place and some are in another, making the
processing rules for header fields more complicated.

 

Between these two, it seems to come down to a choice between cleaner syntax
or cleaner semantics.  (I'd personally lean towards the simpler processing
rules resulting from the flat syntax, but I would be fine with this coming
out either way.)

 

Finally, I'll point out that I don't believe that your approaches (1) and
(2) are mutually exclusive.  We could conceivably leave it up to application
specifications using the JOSE specs whether they require header fields to be
understood by default AND provide a syntax for declaring which fields may be
safely ignored for use in those application contexts where the application
spec does require that header fields be normally understood.  In fact, one
might consider this to fall under the "(possibly providing guidance directed
to those applications in the JOSE specs)" that you suggested below.

 

I hope the points above help further a productive discussion of this topic.

 

                                                            -- Mike

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
Karen O'Donoghue
Sent: Monday, February 25, 2013 3:26 AM
To: jose@ietf.org
Subject: [jose] thoughts on header criticality from recent polls

 

Folks,

Thank you for your patience with me regarding the recent polls on header
criticality. I realize I have taken too long to respond from a chairs
perspective with some results and direction. I had hoped to provide either a
decision or a clear set of choices, but after analyzing the poll results,
rereading all the email traffic (multiple times), and talking to a few
working group members, I find I am not quite able to do so. So, what next...


First, what I do believe...

I think it is clear that the working group remains divided on this issue
with a significant number of members feeling that an approach must be
defined that safely allows for some header fields to be considered
non-critical. I think there is general consensus that there must be
reasonable mechanisms for extensibility, and that the approach must be
generic. Based on that, I would like to ask the working group to move
forward with the strategy that all headers cannot be considered critical and
move on to the discussion of how to approach non-critical headers. 

In my review of the mailing list traffic (and my apologies if I missed
something), I have seen a number of basic approaches proposed (summarized by
Jim Schaad on 9 Oct 2012 with the response by James Manager on 10 Oct 2012).
In particular, I found James' list of requirements to be very helpful, and I
have repeated it here...

A. Want to be able to define messages with new semantics in future, without
any risk that old implementations will misinterpret them with old semantics.

B. Want to be able to *redefine* (or constrain) the semantics of *existing*
fields in future, without any risk that old implementations will
misinterpret them with old semantics (or without the constraints).

C. Want to prevent large blobs of ignored data appearing in messages, as
similar blobs have been used to create hash collisions between legitimate &
malicious certificates that use weak algorithms (eg MD5).

D. Want to strongly discourage future extensions (feature-creep), under the
philosophy that even well-intentioned extensions tend to do more harm (by
adding complexity that is only deployed sporadically) than the good of any
new functionality they bring.

E. Loosely coupling clients and servers is generally considered a good
thing; but strongly coupling them is more appropriate for a secure message
format for [insert a reason here]. A possible reason is that people are too
likely to choose to make an extension non-critical for short-term ease of
interoperability, instead of making it critical for better long-term
security.

>From this list, I believe A is definitely a requirement. I am unclear
regarding working group consensus on B, C, and E, and I believe D is not a
requirement. 

QUESTION: Is there working group consensus on the requirements we are trying
to address? Perhaps a short discussion clarifying these would help drive
consensus on the overall approach. 

As for possible solutions, we appear to have evolved to the point where we
are of two minds: 

1) Define a header field that explicitly lists the fields that may be safely
ignored if not understood. (Here I am assuming that we aren't going to
define a separate header for non-critical elements.) 

2) Remain silent on header criticality in the JOSE specifications and leave
it up to the various application specifications (possibly providing guidance
directed to those applications in the JOSE specs). 

I sense that there is more support for the first approach, but I am
concerned that there is a significant minority that favor the second
approach. 

QUESTION: Can the working group agree on whether to work on approach 1 or
approach 2? 

In conclusion, I am asking three things in this missive: 
1. I am asking the working group to move forward based on a non-critical
headers approach.  
2. I am asking the working group to clarify the requirements driving the
non-critical header discussion (A, B, C, D, E, or ?). 
3. I am asking the working group to decide whether the right approach is to
develop a specific syntax (if so, what?) or to defer to the applications
with appropriate guidance (if so, what level of guidance)? To address this
item, I welcome concise proposals of text. 

I realize this message is long and not as specific or prescriptive as some
would like, and I apologize in advance for any mistakes and
misunderstandings on my part. 

Regards,
Karen O'Donoghue

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

 


_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose