IETF Logo Mail Archive

[jose] Re: Review of draft-ietf-jose-deprecate-none-rsa15-02

Orie <orie@or13.io> Tue, 23 September 2025 19:14 UTC

Return-Path: <orie@or13.io>
X-Original-To: jose@mail2.ietf.org
Delivered-To: jose@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A881667AE9AA for <jose@mail2.ietf.org>; Tue, 23 Sep 2025 12:14:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=or13.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xyRX7jOFPntZ for <jose@mail2.ietf.org>; Tue, 23 Sep 2025 12:14:50 -0700 (PDT)
Received: from mail-vs1-xe34.google.com (mail-vs1-xe34.google.com [IPv6:2607:f8b0:4864:20::e34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3CD6A67AE99D for <jose@ietf.org>; Tue, 23 Sep 2025 12:14:50 -0700 (PDT)
Received: by mail-vs1-xe34.google.com with SMTP id ada2fe7eead31-556f7e21432so4098363137.2 for <jose@ietf.org>; Tue, 23 Sep 2025 12:14:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=or13.io; s=google; t=1758654884; x=1759259684; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=o/I67W9I7bsEaa9zx/vsS9KgsxmquHFbk+cqDbDjsfU=; b=Obn+f2sF0JyO8B9RYNjUv2cxv8fDVL+2+SiJBfjvG0b+ix/zbJYVwBDjqTYb4haMdf SBJkUBZfYJDKh9GhrG3vV9aaUzlobDjag06dr6XgzOq/rT3p77V1jbGCKa+SJFZXBVKs LV2bKp/7R8QU9uP1K3pD9C4ULD/TmU/jVCMTyOFidtYqmQuvLoQKTuvp+AEuv5kD/pEI ztw7G6Q7muDXUbP8QZfboTXRg9QuA10wMlImJAoSQJHTLCYdKxYILfRI9x2UZtF/0alc tqUGfaAjj1shqbf6Km7AXhvSp6BPU3Lb4roxfEDuoYQHIFoY0g07eKarrDX33PgvQB/d eqxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758654884; x=1759259684; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=o/I67W9I7bsEaa9zx/vsS9KgsxmquHFbk+cqDbDjsfU=; b=DCaMK3fy51InI9PeffzXz48Jd2POvb0lGsL47iaATkBBvRwgDR9pM1D6mKxkc1+xzn Ig06c4DRzmS9qvnqX6ZO7sZDtk/CZ8ILOh0qbPyoJ1WuQAP4kgmTkdxe1UQEh5hzG3+F VjFASWDTyjpYwXZU1n91ifoQuC23QF2Afcr+jpPrHeov2asaK2bbKZ2UHoMax2GAcHcL h/Jvpre+Um+h2ad/VPlWVChtVjJ8l8tMpgGIAfvG8rfP3EaaIlSdj775Vk5GTj1+dEVt Ds7+t8wZNqRWnRV/ix0dQWrR5fl4QHw1Q2qs6eBL+vn8c0igxRqEyRRbGIXyLRW35L+e 5prg==
X-Forwarded-Encrypted: i=1; AJvYcCWB9LBDaal53WrB8uIldbW+ZmCpX1kPT4n5sPLyZ+cNTySk5AH19pxBrCwMtpwp93bbmx6w@ietf.org
X-Gm-Message-State: AOJu0YyBIa5qW/gyNMOVQib5mNQx82QyuSC5R0TUkcR0QcX0iqkwqjAW sINzJQV9gAPbIQqIsRdX9+Lz0MF++6AdwEnZBO7plcYHTPJSuE7ga3+26SnoBiSgyMEZ0dec3Bq VSAi7P96aTlTLe4OZyVCnb3YcKlfhCde8twrf0ESmfw==
X-Gm-Gg: ASbGncthWhM76VLoS8K53JJuWDs0yegfobMPGZwkzGyal2UBPlGOQh+GrBIAdwhW53f S1mIp6TrzhLX6dwcmnKpxO3lN4ZQ519vGef60DfQsuRirNBDY8LDMMb4QfhT7xtbXOgZ2ZWqnrp RfYXpEJpDyh0KLw5ywEEZVWDpchh+f0wDNr6v1glJFfVreI/WWALBPnXVdzYswAd8zgMMP+68aa tNG3fx3u+51MBs/ORqsGYEf3114YnCtEnckCwEPcxGXJgmmehqrUstiZCc1snn0AkmJZVF0+MAj O/75flWa
X-Google-Smtp-Source: AGHT+IEzabwj1yeRgGO5087eiDERuxdT1jCfxkw2q1r97H6GeLg936YhEo6rtZ0hOjFmXgN4s7P6/ilc2M07VOs4Rz4=
X-Received: by 2002:a05:6102:292a:b0:51f:66fc:53af with SMTP id ada2fe7eead31-5a582ed6587mr1525690137.34.1758654884285; Tue, 23 Sep 2025 12:14:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAMzqgozHFOn_b7BjNgbAKU2AqOBb_h49xTXubtnuHVAp2ei=kg@mail.gmail.com> <ACF1A4DA-E6EA-4E63-A525-EB9817C86325@runbox.eu>
In-Reply-To: <ACF1A4DA-E6EA-4E63-A525-EB9817C86325@runbox.eu>
From: Orie <orie@or13.io>
Date: Tue, 23 Sep 2025 14:14:33 -0500
X-Gm-Features: AS18NWDNpOzeyRjonHtRYH-xsVQI9eI49vFp8313CxERHLc3G9ixZHuTP6gYse8
Message-ID: <CAMzqgoxhHyt-ka5J8bziUjrihqbKyg45uXzfdCWegMiPCZYC9g@mail.gmail.com>
To: Neil Madden <neil.e.madden@runbox.eu>
Content-Type: multipart/alternative; boundary="000000000000a91dbc063f7cbff4"
Message-ID-Hash: UFONRSDWDVMQMLVMR2USUQ5C37LBWHUJ
X-Message-ID-Hash: UFONRSDWDVMQMLVMR2USUQ5C37LBWHUJ
X-MailFrom: orie@or13.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Michael Jones <michael_b_jones@hotmail.com>, Brian Campbell <bcampbell@pingidentity.com>, jose@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [jose] Re: Review of draft-ietf-jose-deprecate-none-rsa15-02
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/d9xfXn4lIlZkGzeBswaMNvqEQWw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

On Tue, Sep 23, 2025 at 1:51 PM Neil Madden <neil.e.madden@runbox.eu> wrote:

>
>
> On 22 Sep 2025, at 20:54, Orie <orie@or13.io> wrote:
>
> 
> Hi,
>
> I recently reviewed:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-x509-alg-none/10/
>
>
> I kinda wish I’d not seen that.
>

ha : )


>
> It's possible there is useful material to reference here.
>
> I do think commentary on historical usage might be helpful, the current
> text states:
>
> > Although there are some legitimate use-cases for Unsecured JWS, these
> are relatively few in number and can easily be satisfied by alternative
> means.
>
> A reference for what these legitimate use cases are would be helpful.
>
>
> Helpful for whom and for what reason? I’m not averse to adding some text
> if it serves a concrete purpose, but as I said to Mike, it feels like
> muddying the waters. I’m not really sure why it’s helpful for a reader to
> see specific examples.
>

Well in the spirit of the current text, if there are legitimate use cases,
let's name them... If there are not, let's remove the sentence about them
existing.

I'm speculating, but I imagine the legitimate use cases are:

1. Delivering unsigned JWS over TLS (Who does this, why do they do this?)
2. Delivering unsigned JWS as part of requesting a signature (Who does
this, why do they do this?)

2 is maybe the same case as the lamps doc?

I legitimately do not know why anyone would use alg none today.... If
it's still relevant for compatibility, we should be able to point to
systems that are still operational that require it.
If we can't, there might be no legitimate use.

And as a side benefit, if there are protocols that were built by the IETF
that still require alg none, and it might be time to make them historic,
perhaps this could help identify those cases.
The end goal of the draft is to make the internet safer, the more
explicit we can be about where this has been used in the past the better
IMO.


>
> — Neil
>
>
>

v2.38.3 | Report a Bug | By Email | System Status