Re: [jose] #15: Broken examples in JWE / JWS
Dick Hardt <dick.hardt@gmail.com> Mon, 25 March 2013 22:58 UTC
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 25 Mar 2013 15:58:13 -0700
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Richard Barnes <rlb@ipv.sx>, draft-ietf-jose-json-web-encryption@tools.ietf.org, Jim Schaad <ietf@augustcellars.com>, Mike Jones <Michael.Jones@microsoft.com>, jose@ietf.org, Brian Campbell <bcampbell@pingidentity.com>
Subject: Re: [jose] #15: Broken examples in JWE / JWS
btw: good OAuth 2.0 implementations embed KID into the opaque token so that they can give a meaningful error message

On Mar 25, 2013, at 3:56 PM, Dick Hardt <dick.hardt@gmail.com> wrote:

> I wish we would have put KID into OAuth 2.0.
>
> Now if someone rotates the key without deploying everywhere they are stored, then the app starts failing without a good error message. Including a key id allows the server to give a more intelligent response beside an authentication failure.
>
> On Mar 25, 2013, at 3:49 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> As I'd already written, I have no problem with some of the examples containing a Key ID. But it's also the case in many deployment environments that keys are pre-shared and known by both parties in advance of any tokens being exchanged. This is often true when per-client symmetric keys are used with OAuth, for instance.
>>
>> -- Mike
>>
>> From: Dick Hardt [mailto:dick.hardt@gmail.com]
>> Sent: Monday, March 25, 2013 3:43 PM
>> To: Mike Jones
>> Cc: Richard Barnes; Brian Campbell; draft-ietf-jose-json-web-encryption@tools.ietf.org; Jim Schaad; jose@ietf.org
>> Subject: Re: [jose] #15: Broken examples in JWE / JWS
>>
>> I think the example should contain the KID as one would expect that to be the common case.
>>
>> On Mar 25, 2013, at 2:54 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>
>> If you already know that something is going on out of band, the indication in the JOSE object would be unnecessary.
>>
>> -- Mike
>>
>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
>> Sent: Monday, March 25, 2013 2:31 PM
>> To: Brian Campbell
>> Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; Jim Schaad; jose@ietf.org
>> Subject: Re: [jose] #15: Broken examples in JWE / JWS
>>
>> I realize that's the common case. But the spec doesn't say that.
>>
>> All I'm saying is, the spec should REQUIRE that a sender include either a key indicator, or an indication that something is going on out of band.
>>
>> --Richard
>>
>> On Mon, Mar 25, 2013 at 8:15 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>> /* special magic */ is just some out of band agreement on the key to use or how to infer it. Which isn't really special or magic. But probably pretty common.
>>
>> On Fri, Mar 22, 2013 at 7:37 PM, Richard Barnes <rlb@ipv.sx> wrote:
>> I've renamed the issue to try to clarify.
>>
>> You're right that there are alternative ways to locate a key. But a JOSE object needs to contain at least one of them, or else the /* special magic */ clause applies.
>>
>> --Richard
>>
>> On Fri, Mar 22, 2013 at 9:15 PM, Jim Schaad <ietf@augustcellars.com> wrote:
>> This may or may not be a flaw in the specification. However the item you created in the tracker does not reflect what you have put here. I think you would be better served by saying that there is a flaw in the specifications in that there should be a MUST that some type of key or key reference is required in a JWS or JWE.
>>
>> I would note that your example code should be more complex in that it does not deal with jku or any of the x* methods of referencing keys.
>>
>> Jim
>>
>> From: Richard Barnes [mailto:rlb@ipv.sx]
>> Sent: Friday, March 22, 2013 4:09 PM
>> To: Jim Schaad
>> Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; jose@ietf.org
>> Subject: Re: [jose] #15: Broken examples in JWE / JWS
>>
>> I admit that they are not broken according to the current spec. However, I have a lot of trouble figuring out how I would write code to process them.
>>
>> If "kid" or "jwk" MUST be present to indicate what key I should use, then I can have deterministic code:
>>
>>     if (/* recognized "kid" or "jwk" value */) {
>>       /* use it */
>>     } else {
>>       /* FAIL. can't process this object */
>>     }
>>
>> As the spec stands, I have no idea what to put in that "else" clause. I'm clearly not supposed to fail, because the parameters are optional. But what else?
>>
>>     if (/* recognized "kid" or "jwk" value */) {
>>       /* use it */
>>     } else {
>>       /* insert special magic here */
>>     }
>>
>> This is actually what SPI is supposed to clear up. SPI would provide an explicit third branch for the special magic to live in.
>>
>>     if (/* recognized "kid" or "jwk" value */) {
>>       /* use it */
>>     } else if (/* recognized SPI value */) {
>>       /* process using stored parameters */
>>     } else {
>>       /* FAIL. can't process this object */
>>     }
>>
>> But without the concept of SPI, the spec is broken because of the non-determinism noted above.
>>
>> --Richard
>>
>> On Fri, Mar 22, 2013 at 6:13 PM, Jim Schaad <ietf@augustcellars.com> wrote:
>> My inclination is that this response is correct.
>>
>> What makes you think that the key or key reference is required and cannot be implied?
>>
>> Jim
>>
>> > -----Original Message-----
>> > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of jose issue tracker
>> > Sent: Friday, March 22, 2013 2:37 PM
>> > To: draft-ietf-jose-json-web-encryption@tools.ietf.org; ignisvulpis@gmail.com
>> > Cc: jose@ietf.org
>> > Subject: Re: [jose] #15: Broken examples in JWE / JWS
>> >
>> > #15: Broken examples in JWE / JWS
>> >
>> > Comment (by ignisvulpis@gmail.com):
>> >
>> > I think this is not an issue. The examples are NOT broken and they do not need a fix.
>> > I suggest to close this ticket.
>> > The draft should definitely not make these illegal. These objects are perfect examples for a valid JWS/JWE.
>> >
>> > --
>> > Reporter: rlb@ipv.sx
>> > Owner: draft-ietf-jose-json-web-encryption@tools.ietf.org
>> > Type: defect
>> > Status: new
>> > Priority: minor
>> > Milestone:
>> > Component: json-web-encryption
>> > Version:
>> > Severity: -
>> > Resolution:
>> > Keywords:
>> >
>> > Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/15#comment:1>
>> > jose <http://tools.ietf.org/jose/>
>> >
>> > _______________________________________________
>> > jose mailing list
>> > jose@ietf.org
>> > https://www.ietf.org/mailman/listinfo/jose
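Richard Barnes's three-branch pseudocode, extended with the jku/x5* reference methods Jim Schaad mentions and with the distinct-error-message point Dick Hardt makes, carried through as a Python key-resolution routine for a JOSE protected header. This is an added example, not code from any participant in the thread or from the JOSE drafts; the keystore, the sample headers and the status strings are constructed for the example.

```python
import base64
import json

# Constructed sample keystore (kid -> key material); an assumption for this example.
KEYSTORE = {"2011-04-29": b"constructed-secret-1", "2013-03-25": b"constructed-secret-2"}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_compact(header: dict, payload: bytes = b"{}", sig: bytes = b"") -> str:
    """Build a compact serialization (header.payload.signature) as test input.
    Payload and signature are placeholders; only the header is inspected here."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(payload), _b64url_encode(sig)])

def parse_protected_header(compact: str) -> dict:
    """Decode the first segment of a compact JWS/JWE into its JSON header."""
    return json.loads(_b64url_decode(compact.split(".")[0]))

def resolve_key(header: dict, keystore=KEYSTORE, allow_embedded_jwk=False):
    """Return (status, key). Every branch is explicit, so there is no
    'special magic' else clause and the caller can report exactly why an
    object could not be processed (a rotated kid vs. no indicator at all)."""
    kid = header.get("kid")
    if kid is not None:
        if kid in keystore:
            return "ok", keystore[kid]
        return "unknown_kid", None  # kid given but not (yet) deployed here
    if "jwk" in header:
        # An embedded key proves nothing on its own; accept it only under policy.
        if allow_embedded_jwk:
            return "ok", header["jwk"]
        return "embedded_jwk_not_trusted", None
    if any(p in header for p in ("jku", "x5u", "x5c", "x5t")):
        # Reference-style indicators must be fetched/validated out of band first.
        return "needs_reference_resolution", None
    # No indicator of any kind: this is the undefined "else" branch in the thread.
    return "no_key_indicator", None

def classify(compact: str, **kw) -> str:
    """Status string for a compact-serialized object (wrapper for resolve_key)."""
    return resolve_key(parse_protected_header(compact), **kw)[0]
```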