IETF Logo Mail Archive

Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Tim Bray <tbray@textuality.com> Tue, 16 September 2014 15:47 UTC

Return-Path: <tbray@textuality.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 875DA1A0B78 for <jose@ietfa.amsl.com>; Tue, 16 Sep 2014 08:47:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJ-I5eznCV2M for <jose@ietfa.amsl.com>; Tue, 16 Sep 2014 08:47:54 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 305C11A0B77 for <jose@ietf.org>; Tue, 16 Sep 2014 08:47:54 -0700 (PDT)
Received: by mail-vc0-f172.google.com with SMTP id hy10so45059vcb.3 for <jose@ietf.org>; Tue, 16 Sep 2014 08:47:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=evPn7b9Wxh4eUG4x4s7bgbkHiBwU/vlVzDrMF6u4ahc=; b=bLaE71N33EWBg3mdXjP21CE5vzgHUu1Pa6O9o5zmq4602vzElsbDoI8owMc0TNU8Xl YOXHfDHXBbxFrLvjEPxh8xmwN7ipwPc5zCxRxuQpfJFQp6tQ7u++ftjioOqu6ZHJtANE cs4ZBjbO/QmsNCKFGw8ithoR2MZgeJzP00uTFg81lamle8xMc/Vl4ZNAr8B1tHcjfoDK iVKAyI/a7dNcNV9fUFzeehpf9xwGTTjF3g+TM2NS5XFtlXaSf5PPBDPL2cYOc2MEZj/L Fc9TxO12cZCNrHwZ4gYoKJjgR83PDuqXso1QIevebZY8EjU2GXemLvVROQfyUY6CYBoU X0mw==
X-Gm-Message-State: ALoCoQnCtHlSQPIzlIU+Xr5vAFBwDE+pf2C+68S0pfi592A5nVQEMh+m7Xn3R/StgA3OcHQWOqlE
X-Received: by 10.220.2.133 with SMTP id 5mr21383448vcj.48.1410882473188; Tue, 16 Sep 2014 08:47:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.214.4 with HTTP; Tue, 16 Sep 2014 08:47:32 -0700 (PDT)
X-Originating-IP: [24.84.235.32]
In-Reply-To: <54184DB4.2050708@bbn.com>
References: <CAHbuEH4Ccn2Z=8kEECzvgjmtshwsFoa-EH_NpkJPos7zirGeaQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AEC00DB@TK5EX14MBXC292.redmond.corp.microsoft.com> <5416FE10.3060608@bbn.com> <CAHBU6iu3GfsLCAint3z7risZUnVW4EK0WrGVW6Dv=gvppiHSxQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECCCDD@TK5EX14MBXC292.redmond.corp.microsoft.com> <54173546.5000400@bbn.com> <CAHBU6ivb3BeEufcnJB+eSk8wgETMx+qzH3miE6Z1jtrQkXNR3w@mail.gmail.com> <54184DB4.2050708@bbn.com>
From: Tim Bray <tbray@textuality.com>
Date: Tue, 16 Sep 2014 08:47:32 -0700
Message-ID: <CAHBU6ivBgYjMGAXu6g8rAhb=WJt5t2KFUnRKzD89qUOOJSGgJQ@mail.gmail.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary="001a11c3dbe4a2b6ec050330ac20"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/ciU0Twv7fLpIbgJe9P9gkzSdVlA
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Sep 2014 15:47:56 -0000

On Tue, Sep 16, 2014 at 7:48 AM, Stephen Kent <kent@bbn.com> wrote:

Thanks for the clarifying comments. I am still a bit puzzled, though. I
> thought JWK was
> a proposal to establish JSON formats for key transport. Are you saying
> that the formats we are
> about to standardize have been in use in JSON for a while and that's why
> parsers are not
> prepared to reject dupe keys?  Or is this a lower layer, JS issue re
> partsing?
>

​I’m not clear on the history, but I have heard that dupe keys are
sometimes generated by software that’s producing output on a streaming
basis, that can’t afford to keep track of every key it’s already generated.
 It is also my impression that for essentially all software that receives
and parses JSON, dupe keys are useless and perhaps damaging, since JSON
objects are invariably stuffed into hash-table-flavored things that don’t
support dupe keys.

It’s just that in the JOSE context, there is (justified) concern​ that
there are attack vectors based on the use of dupe keys.  Everyone agrees (I
think) that it would be desirable for such messages to be rejected.  It’s
just that current production software doesn’t make this easy.



>
> Steve
>



-- 
- Tim Bray (If you’d like to send me a private message, see
https://keybase.io/timbray)

v2.23.0 | Report a Bug | By Email