[jose] Re: draft-ietf-jose-hpke-encrypt-01

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 10 July 2024 08:09 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B64E0C14F5EA for <jose@ietfa.amsl.com>; Wed, 10 Jul 2024 01:09:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cc4TZFkrfyZy for <jose@ietfa.amsl.com>; Wed, 10 Jul 2024 01:09:16 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD9A1C14E515 for <jose@ietf.org>; Wed, 10 Jul 2024 01:09:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id D5D6520811 for <jose@ietf.org>; Wed, 10 Jul 2024 11:09:11 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id hGNhoptj_H7K for <jose@ietf.org>; Wed, 10 Jul 2024 11:09:11 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 961ED2309 for <jose@ietf.org>; Wed, 10 Jul 2024 11:09:10 +0300 (EEST)
Date: Wed, 10 Jul 2024 11:09:10 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>
Message-ID: <Zo5Bpib-sll_7MAF@LK-Perkele-VII2.locald>
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com> <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com> <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com> <CAN8C-_JyHsr07FcTMwA01+QTkzjxxqvv0fNpFthytSyyP+MgKQ@mail.gmail.com> <Zo1d2jNRtAjCGC4N@LK-Perkele-VII2.locald> <CACVbtYPOvYCQN85MAbEJJrnU-Hjz2dC3PKgfUfD2M3oDbaVspg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CACVbtYPOvYCQN85MAbEJJrnU-Hjz2dC3PKgfUfD2M3oDbaVspg@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: UMDWZUWN7LDMR7FZIESCOA3ZZH2XTCVB
X-Message-ID-Hash: UMDWZUWN7LDMR7FZIESCOA3ZZH2XTCVB
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/ar5-UFh2DhLwMzG0D8o8I1aHjos>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

On Tue, Jul 09, 2024 at 11:11:19AM -0700, Les Hazlewood wrote:
> >
> > This is also prohibited by draft-ietf-jose-fully-specified-algorithms
> > (It requires what alg to be independent of enc).
> >
> 
> Hi Illari,
> 
> 
> Thanks for the explanation, I appreciate it.
> 
> 
> However, I think this is a huge mistake.
 
I consider any strong coupling between enc and alg to be a huge mistake.


> The entire purpose of JOSE is to have a JSON-compatible metadata format for
> message sending and receiving; with all the flexibility, convenience,
> expressiveness and human-readability that implies, which is a really good
> thing, and solidifies the ability to be flexible over time, which is ideal
> for an RFC.

Unfortunately, here one runs into limitations of JOSE: One would want to
delegate bulk encryption, which is not something JOSE (or any trivial
extension thereof) supports.


> Respectfully, this is incredibly regressive.  Data models *should* reflect
> the best-case modeling scenario, with rich expression, modularity, etc.  If
> a new “single string alg” concept needs to exist for downstream
> specifications and/or convenience, *those* specification working groups
> should define such and not impose this on the JOSE/COSE specifications at
> large.  It’s crippling and will forever impact how any algorithms and their
> potential parameters are defined in the future, and just doesn't make sense
> to be forced on a general-purpose messaging format.

Unfortunately here delegating bulk encryption does impose chagnes on JOSE
specifications at large.

(COSE is much more flexible, so no changes to COSE are needed.)
 
 
> Additionally, such an initiative breaks the concepts of `alg` and `enc` as
> they are defined today.  They are and always have been separate
> concepts.  `alg`
> is a *key* management algorithm, it is not an encryption algorithm.  That
> HPKE is composed of both operations isn’t a reason to force it into the
> existing `alg` construct - that's trying to do too much and force things
> that don’t make sense in a single header parameter that has been
> well-defined for a decade.

This is all manmifestation of the way JOSE is designed.

 
> Any new specification that defines a single string cipher suite definition
> should be *additive*, not regressive.  A new header could be defined (e.g.
> `csuite`) and that can have that string for the times when it may be needed.

Or have "enc":"dir" and have that call into new algorithm operations.


> Although anecdotal, I will say that not once in 10 years of maintaining
> probably the most-used JOSE/JWT library for the JVM and Android has anyone
> ever had a problem with separate `alg` and `enc` headers, and that includes
> all the OpenID Connect scenarios I’ve supported both professionally and as
> an open-source maintainer.

JOSE is designed to work that way, so not really surprising nobody had
problems.

 
> 
> Or if a new header isn’t desired, there’s no reason an additive
> specification can’t say “If you want a single string, combine the `alg` and
> `enc` header with a hyphen, and that’s your cipher suite”.   To say that an
> implementation - which *must* parse the JSON header and lookup at least one
> parameter (`alg`) anyway - cannot lookup another header and concatenate the
> two before processing that value doesn’t seem to hold water in any scenario
> I can think of.  That’s all that’s needed for cipher suite negotiation for
> protocols that need a single string.

That is not injective.


> I’m not saying that cipher suite negotiation isn’t valuable.  I’m saying
> it’s 1) only valuable to a relatively small set of use cases and 2) is
> easily obtainable by looking at existing headers and 3) it’s fundamentally
> regressive to a) shoehorn a new composite algorithm into a header that was
> never designed as such and b) force *all* JOSE implementations to operate
> with this concept when it’s not needed most of the time.

The only constraint on negotiation from "enc":"dir" would be that 
Integrated Encryption must be supported for all or none of the supported
algorithms (that allow IE).




-Ilari