Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)

Mike Jones <> Sat, 25 October 2014 06:36 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 48C261A6FB5; Fri, 24 Oct 2014 23:36:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id V1Soalr4vpNZ; Fri, 24 Oct 2014 23:36:25 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AFDA91A7004; Fri, 24 Oct 2014 23:36:24 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Sat, 25 Oct 2014 06:36:21 +0000
Received: from (2a01:111:f400:7c0c::154) by (2a01:111:e400:1414::41) with Microsoft SMTP Server (TLS) id via Frontend Transport; Sat, 25 Oct 2014 06:36:21 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1049.20 via Frontend Transport; Sat, 25 Oct 2014 06:36:21 +0000
Received: from ([]) by ([]) with mapi id 14.03.0210.003; Sat, 25 Oct 2014 06:35:37 +0000
From: Mike Jones <>
To: 'Richard Barnes' <>
Thread-Topic: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
Thread-Index: Ac/wHeBsiPsUYnwtTAKS4rec4f3VcQ==
Date: Sat, 25 Oct 2014 06:35:36 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439BB262F4TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(438002)(189002)(199003)(377454003)(51704005)(52604005)(43784003)(51914003)(24454002)(71186001)(92566001)(85852003)(92726001)(4396001)(50986999)(54356999)(87936001)(77096002)(55846006)(20776003)(66066001)(64706001)(2656002)(86362001)(85806002)(84326002)(86612001)(6806004)(95666004)(19300405004)(512874002)(81156004)(106466001)(76482002)(84676001)(15975445006)(68736004)(69596002)(44976005)(19580405001)(19580395003)(107046002)(15202345003)(21056001)(26826002)(85306004)(19625215002)(80022003)(46102003)(31966008)(16236675004)(230783001)(97736003)(120916001)(33656002)(110136001)(104016003)(99396003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1203;; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1203;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0375972289
Received-SPF: Pass ( domain of designates as permitted sender); client-ip=;;
Authentication-Results: spf=pass (sender IP is;
Cc: "" <>, "" <>, The IESG <>, "" <>
Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 25 Oct 2014 06:36:29 -0000

Hi Richard,

The normative security considerations text for “alg”:“none” has been moved into the algorithm definition in the -36 draft, per our agreement below.  I also added additional text referencing RFC 3447 in Section 6.3.  Your other DISCUSSes were addressed in previous drafts, including making RSAES-PKCS1-V1_5 “Recommended-”, per our agreement.  I believe that these changes should enable you to clear your remaining DISCUSSes.

                                                            Thanks again,
                                                            -- Mike

From: Richard Barnes []
Sent: Monday, October 20, 2014 8:49 AM
To: Mike Jones
Cc: The IESG;<>;<>;<>
Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)

On Sat, Oct 18, 2014 at 7:09 PM, Mike Jones <<>> wrote:
> > > Section 3.6.
> > > I'm not going to object to "none", even though I think it's a very dangerous
> > > feature because of the risk of confusion between Secured and Unsecured JWS.
> > > But there needs to be stronger guidance:
> > > 1. An implementation SHOULD NOT support "none" unless the implementer
> > > knows that it will be used in application context s that require it.
> > > 2. If an implementation does support "none", then it MUST NOT accept it as part
> > > of generic JWS validation.  Instead, it should require the application to explicitly
> > > signal that an Unsecured JWS is expected for a given validation operation.
> >
> > As discussed in the working group, your concern about applications inappropriately allowing the use of "none" actually is an instance of a more general concern that applications not allow *any* algorithms to be used that are not appropriate in their application contexts.  This concern is already addressed in the specification at the end of Section 5.2 as follows:
> >
> > "Finally, note that it is an application decision which algorithms are acceptable in a given context. Even if a JWS can be successfully validated, unless the algorithm(s) used in the JWS are acceptable to the application, it SHOULD reject the JWS."
> >
> > Since your specific concern is already handled in a more general way, I would like to request that you withdraw this DISCUSS on that basis.  Also, you were one of the contributing authors to the security considerations on this topic in Section 8.5 of JWA (Unsecured JWS Security Considerations), so it's not clear that there's any cause for you to come back with additional wording change requests on this topic at this point.
> >
> > Thanks for reminding me about Section 8.5.  I think I would be satisfied here if the contents of Section 8.5 were just moved up to this section.  That way all of the requirements for implementing "none" will be together.
> Section 3.6 does end with the sentence "See Section 8.5 for security considerations associated with using this algorithm" so implementers are reminded to also pay attention to the security considerations.  If we were to do what you requested, this would be the only algorithm for which the security considerations were included in the algorithm description, rather than in the security considerations section, which would be fairly weird and non-parallel, editorially.
> Actually, "none" is the only algorithm for which there are additional normative requirements in the Security Considerations.  So it actually seems more sensible to move those requirements up.
> I'm really just asking for a copy/paste here, shouldn't be invasive.  But I do think the level of indirection creates security risk.

I'm OK moving up the three sentences that actually do contain normative requirements.  Those are:

   Implementations that support Unsecured JWS objects MUST NOT accept
   such objects as valid unless the application specifies that it is
   acceptable for a specific object to not be integrity-protected.
   Implementations MUST NOT accept Unsecured JWS objects by default.
   In order to mitigate downgrade attacks, applications MUST NOT signal
   acceptance of Unsecured JWS objects at a global level, and SHOULD
   signal acceptance on a per-object basis.

I'm not OK cluttering up the normative description of the algorithm with the discussion text.  Assuming you're OK leaving the discussion text and "for example" text in 8.5, I think we have a way forward on this one.  Please let me know if that works for you.

Sounds fine to me.  Thanks for the compromise.

> Again, given that you were an author of 8.5 and seemed fine with the resolution after the extensive discussion then, I'd ask you to clear the DISCUSS on that basis and not request that it be reworked again.
                                -- Mike