Re: [jose] Issue #13 - use AES-GCM for Key Wrapping
Breno de Medeiros <breno@google.com> Thu, 27 June 2013 04:21 UTC
Return-Path: <breno@google.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 195F221F9133 for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 21:21:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B77vqTwA84BZ for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 21:21:54 -0700 (PDT)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id E3BC021F859A for <jose@ietf.org>; Wed, 26 Jun 2013 21:21:47 -0700 (PDT)
Received: by mail-we0-f171.google.com with SMTP id m46so169144wev.16 for <jose@ietf.org>; Wed, 26 Jun 2013 21:21:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=vlDPrQXOM0CAm0gVsV3Cn2G0Rln57/HSKp9mtDxj6EE=; b=VKbKOhiHxs6XuE2C3bQo5GtAByWFbf+DFyCuaITytFlEQTLXIPhpoJ9RPUmMVKHBZC res5rhAw9ryeqaRzg9DEEnKJ2OlIgAuOy1MbZFrz+aa3o1zn+KeoBlWstiCsCjg8kf/I ESI9eKuH1yljXPQSpYsuibQGVxtMkiRQTxZOFkuYxmojlUfQFqGWmvWez/trSj4pf5LX anPnm8P70B8qzPagV9guevPobqAq8Q60PpQYEeU+4FgqeaYBCeqG68U0ee/Vwf11+9M9 vGoahBxAunRidsk0ZX9desqPJDN5ZAV5t8a2yaop9PnaUiyptcH96RrB8YA3gMIYHJs2 RKBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=vlDPrQXOM0CAm0gVsV3Cn2G0Rln57/HSKp9mtDxj6EE=; b=CMKdFShXobTbqegZvnY2YsnLVgFmVSocvB47hQXOABTmJ/RyT1cPojIi5zY7wILjbZ klAVfjPee2UZ7dsND5q/mXt70qk4VFkOHm4oiBraLUIqueczk5FLWZbOrdVZ21saXfcj buo73fwZioZO7mRfJK0PE3ygeBZE8Ge1T60awiVXceMdWFA8qWDZe4hjeK/ESUcEaVM6 fsv8hsWQh7PIqMTR2WyJq5qbih3bSnehHx6yXpWXjvp/pV+5FcVHwX3UR32fxZRtJUzW PdeiYodARKK/ku6JGmKQuBHLT83t31mnYrp6OaANwXRtq2t5aGqCXuIeb3sCDk0PTuxb Z9ag==
MIME-Version: 1.0
X-Received: by 10.180.188.97 with SMTP id fz1mr4638132wic.34.1372306906985; Wed, 26 Jun 2013 21:21:46 -0700 (PDT)
Received: by 10.194.151.72 with HTTP; Wed, 26 Jun 2013 21:21:46 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436789D481@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B168042967394367898761@TK5EX14MBXC283.redmond.corp.microsoft.com> <034101ce729b$27473b00$75d5b100$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789B458@TK5EX14MBXC283.redmond.corp.microsoft.com> <03b901ce72e5$01248190$036d84b0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789D481@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Wed, 26 Jun 2013 21:21:46 -0700
Message-ID: <CAAJ++qGUTLrqT9JmDDw0LJUusYzqorKCH6EpzriLnOeBTs7EuA@mail.gmail.com>
From: Breno de Medeiros <breno@google.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQkqYAMxb1+G0kZshncXQ2lh8ju0M7VT+iPXMDgW80alQInivE34/Ht8LYoT5xAJnVdcqQRorA++10c2J3jU7Q1J/ZGaichd7W5KIICWdon0tN3OVkQgyBaSfnohFGi7FarKQyQ2iKo50jZut+zqKuNPNdIE9pgYebOYiytW5DGJlGze1Dcknzx2CSCcxCLuc0IV/sjb
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Issue #13 - use AES-GCM for Key Wrapping
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 04:21:56 -0000
I also don't believe that supporting the matrix of possible algorithmic combinations satisfies any business need. On Wed, Jun 26, 2013 at 9:01 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: > For my part, I consider the fact that people will need to register specific > algorithm combinations that they actually need to be a feature – not a bug. > The smaller the set of algorithm combinations registered, the more likely > that they will be implemented and will interoperate. Trying to claim that > we support the combinatorial explosion of mask generation functions, hash > functions, key derivation functions, key wrapping functions, etc. that are > possible will almost certainly result in less interoperability and more > developer confusion than a small set of registered choices, carefully > considered. I’m glad to have people consider these criteria in their > evaluation of the two choices. > > > > > -- Mike > > > > From: Jim Schaad [mailto:ietf@augustcellars.com] > Sent: Wednesday, June 26, 2013 8:18 PM > To: Mike Jones; jose@ietf.org > > > Subject: RE: [jose] Issue #13 - use AES-GCM for Key Wrapping > > > > My point was that there were some issues that your draft did not fully > address that need to be evaluated as part of your proposal not that these > algorithms would need to be added. The n x m addition of algorithms to the > registry is an issue that is there for your draft that is not present for > Richard’s draft and therefore needs to be considered in the arguments. > > > > From: Mike Jones [mailto:Michael.Jones@microsoft.com] > Sent: Wednesday, June 26, 2013 12:22 PM > To: Jim Schaad; jose@ietf.org > Subject: RE: [jose] Issue #13 - use AES-GCM for Key Wrapping > > > > Yes, we could also propose algorithm combinations for key agreement followed > GCM key wrapping but I didn’t think that was an ask from the working group. > The Denver minutes just recorded my action item as “key wrap draft for > AES-GCM-keywrap”, so that’s what I did. We could have a discussion on > Monday’s call and on the list about whether the working group is also > interested in other algorithms. > > > > Remember, the beauty of having the algorithms registry is that algorithms > can be added “just in time” – as actual need for them is demonstrated. We > don’t have to register all conceivable algorithm combinations up front for > the JWE/JWA specs to be complete. > > > > As for how the AEAD parameters are handled I used a parameter encoding that > doesn’t result in double base64url encoding anything. I could have instead > introduced separate “iv” and “tag” header parameter values, but didn’t do so > for that reason. But if people would prefer that approach because it’s more > parallel to the use of GCM for plaintext encryption, I have no problem with > that. > > > > I do believe that the objective of my draft was met – demonstrating that > AEAD key wrapping can be easily done with the current drafts. The details > of how the algorithm parameters are encoded is secondary to that and > algorithm-specific; several reasonable choices are possible within the > current JWE framework – one of which was described in my draft. > > > > -- Mike > > > > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim > Schaad > Sent: Wednesday, June 26, 2013 11:30 AM > To: Mike Jones; jose@ietf.org > Subject: Re: [jose] Issue #13 - use AES-GCM for Key Wrapping > > > > <no hat> > > <sarcasm level=”heavy”> > > > > I am shocked that you would possibly support this proposal. It provides for > two ways of dealing with something. It is my understanding that you never > support anything that has two ways of doing something. > > > > How the AEAD algorithm parameters is handled completely differently for this > proposal and for the same algorithms being used in a CEK context. This is > going to lead to confusion. > > > > </sarcasm> > > > > Your specification is missing some items that still need to be registered > Thus you also need to have ECDH-ES+A128GCMKW and ECDH-ES+A256GCMKW defined > in your document as well. > > > > Your document ends up with a registration complexity that needs to be > thought about and dealt with as well. For every new key wrap algorithm > added, you will need to register not only it alone but also it with every > different key agreement algorithm that is supported. Thus adding a single > key wrap algorithm becomes a slight issue in terms of adding in all of the > different ways that it might be used. This is a complexity issue that is > not discussed in the current draft. > > > > I have not necessarily found that document size equals code size. I have > implemented some very simple documents that were very difficult to code and > implemented some very long documents that were very easy to code. So I > would not use that fact as a deciding factor. > > > > (Once again I regret the fact that the group did not go with an object > descriptor for algorithms as this would have made all of this much simpler. > I actually immediately map from the string to an object description in my > JOSE implementation for simplicity reasons. Not to mention that this is way > it needs to be done for the WebCrypto specficiation.) > > > > Jim > > > > > > > > From: Mike Jones [mailto:Michael.Jones@microsoft.com] > Sent: Tuesday, June 25, 2013 4:18 PM > To: 'Jim Schaad'; jose@ietf.org > Subject: RE: [jose] Issue #13 - use AES-GCM for Key Wrapping > > > > http://tools.ietf.org/html/draft-jones-jose-aes-gcm-key-wrap-00 seems like a > substantially simpler approach than > http://tools.ietf.org/html/draft-barnes-jose-key-wrapping-01. This is > evident by several metrics: > > · Number of proposed changes: The Jones draft proposes no changes to > any of the current specs. It simply defines an encoding for GCM and adds > registry entries for it. Whereas the Barnes draft proposes a major > restructuring – listing 4 major changes in the introduction and 4 smaller > changes. > > · Normative text size: The Jones GCM key wrap approach requires only > 7 normative sentences in 1/2 page of text. The Barnes draft has four pages > of normative text, along with an extensive introduction describing the > proposed complete restructuring of JWS and JWE. > > > > We don’t need to boil the ocean with a total redesign to enable AEAD key > wrapping. It can already easily be done with the current specs simply by > defining new algorithms. The approach taken in > http://tools.ietf.org/html/draft-jones-jose-aes-gcm-key-wrap-00 would work > for any AEAD algorithm. > > > > -- Mike > > > > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim > Schaad > Sent: Tuesday, June 25, 2013 9:53 AM > To: jose@ietf.org > Subject: [jose] Issue #13 - use AES-GCM for Key Wrapping > > > > We now have two documents – one from Richard and one from Mike – which > provide the two different ways that have been proposed for doing key > wrapping with an AEAD algorithm. > > > > Please review the two documents and provide comments to the list. > > > > Jim > > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > -- --Breno
- [jose] Issue #13 - use AES-GCM for Key Wrapping Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Mike Jones
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… John Bradley
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Roland Hedberg
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Edmund Jay
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Mike Jones
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Manger, James H
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Mike Jones
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Breno de Medeiros
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Jim Schaad
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Peck, Michael A
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Matias Woloski
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Carsten Bormann
- Re: [jose] Issue #13 - use AES-GCM for Key Wrappi… Nat Sakimura