IETF Logo Mail Archive

Re: [jose] Fully-Specified Algorithms for JOSE and COSE

Brian Campbell <bcampbell@pingidentity.com> Wed, 30 August 2023 17:16 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C86BC14CE29 for <jose@ietfa.amsl.com>; Wed, 30 Aug 2023 10:16:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 71YaCWFpzQuQ for <jose@ietfa.amsl.com>; Wed, 30 Aug 2023 10:16:23 -0700 (PDT)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2501EC14CF1B for <jose@ietf.org>; Wed, 30 Aug 2023 10:16:23 -0700 (PDT)
Received: by mail-pf1-x430.google.com with SMTP id d2e1a72fcca58-68c0d262933so3843253b3a.0 for <jose@ietf.org>; Wed, 30 Aug 2023 10:16:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1693415782; x=1694020582; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6aXSrc7ZP/XpxSTnQux07Erl6bGc/YcCHQMGK7iy4Uo=; b=E97E4gS7KY+01wqNsCO5UEKXSLmcqDAOH6KJkaVt893188Xog4AXvuCxPy9qVN9w/o jS+aG392MMjf5zDb3kLu22BTUZ2t4Aws4oJGtnkORW01vYJgqDXIpoE4BxNexoIc6Jpx PlQT0KJN8n/YKf7k42kmG6gknoJPtDa5h5SzokdiGZvNu0qy4K463uCtdWVpyx3CDgzt 8mKxJRbCJjApps8QObWOIsFmSttnilDPeKlTcgaNXTRGQay86CUbmiSRVAVwRwcVtds6 +p83yFromror82tZDfWmJkME/OfZqPZt2/T0eMsiJ6RdvXgXBpUFUZ3sEtu0VH4lNoUN nZfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693415782; x=1694020582; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6aXSrc7ZP/XpxSTnQux07Erl6bGc/YcCHQMGK7iy4Uo=; b=bQCu7SWhS0EUU0/i+oBLsJVEL7Li2hVHXDjAt2oCg+mQxIh9Q7bVtHjFb3LpOcsGKj kgPbYA2xOqhYHkwhEXdhTfc3c9xO/yiiIZvdNVonGp7M0fwl2GI1TtnReEea3Z9WZ/sF 6S7OR+Gh1LDrWAKqGSGWrmxz+0Evke/eDsjgcZRXgINajN05Jm8s40aMGxeh1+HA6TpY 0+ppgq8mMDFzvGS+sRK2KHrOBGjtGO8U25TqitEi5rnvB8E6ZcOGpCAMrqD4YwwFarEp Jq/IVbmowubw9bFhRMVj3/f1H9YgOxHmrT4yd4GqGpvFCRHoc8CCd5fEPkNDkYH97W9S 8cDA==
X-Gm-Message-State: AOJu0YwnuMbetUekReF6g106Llj8+qiz2tX6C9V9MgYJxmHQf1+OZeHk iZ3XcvgCz+92qb4RWm1EVHTNLSxjflgxKIT/ZhguZXS7j01ifp0Az8qCg73oo9DJ3K+iRolLcnE V48NsCHz3/FqzimLFakqeJ0noEQ==
X-Google-Smtp-Source: AGHT+IEYn1wgJnamTxRqD3PB69+kt1GK6R9r7Vto6ZgIfochbjiTtdw/bVZidsNUX/PuQbgh0/Njm+n3e6Z2hYfUa4I=
X-Received: by 2002:a05:6a20:391:b0:13e:aede:f380 with SMTP id 17-20020a056a20039100b0013eaedef380mr2765464pzt.34.1693415782317; Wed, 30 Aug 2023 10:16:22 -0700 (PDT)
MIME-Version: 1.0
References: <MW4PR02MB74287C966F89DBE52787E914B7E6A@MW4PR02MB7428.namprd02.prod.outlook.com> <B9C58AE1-3343-4358-B566-1EC305D964ED@gmail.com>
In-Reply-To: <B9C58AE1-3343-4358-B566-1EC305D964ED@gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 30 Aug 2023 11:15:48 -0600
Message-ID: <CA+k3eCQvLWMe9TS=iM1__7NTs_GVSmH27NPL6phuZtvDAj_vYA@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: Michael Jones <michael_b_jones@hotmail.com>, jose@ietf.org, Orie Steele <orie@transmute.industries>
Content-Type: multipart/alternative; boundary="0000000000002a36e706042716ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/dwizhHzMVQjKjW924LTjfczUNt4>
Subject: Re: [jose] Fully-Specified Algorithms for JOSE and COSE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2023 17:16:27 -0000

On Wed, Aug 30, 2023 at 2:22 AM Filip Skokan <panva.ip@gmail.com> wrote:

> Hello Mike, everyone,
>
> After a quick read I have just one note, already mentioned on the list,
> the JOSE ES prefix for Ed* feels wrong and I would suggest to use the sub
> type values as alg values, that is Ed25519 and Ed448 instead of ES25519 and
> ES448.
>

I'd always understood the "S" in the initial set of JWS alg values to be
shorthand for the SHA part of the algorithm (table below from
https://www.rfc-editor.org/rfc/rfc7518#section-3.1). As an unarticulated
convention anyway. So also from that perspective I agree that using the
JOSE 'ES' prefix for Ed* feels wrong.


   +--------------+-------------------------------+--------------------+
   | "alg" Param  | Digital Signature or MAC      | Implementation     |
   | Value        | Algorithm                     | Requirements       |
   +--------------+-------------------------------+--------------------+
   | HS256        | HMAC using SHA-256            | Required           |
   | HS384        | HMAC using SHA-384            | Optional           |
   | HS512        | HMAC using SHA-512            | Optional           |
   | RS256        | RSASSA-PKCS1-v1_5 using       | Recommended        |
   |              | SHA-256                       |                    |
   | RS384        | RSASSA-PKCS1-v1_5 using       | Optional           |
   |              | SHA-384                       |                    |
   | RS512        | RSASSA-PKCS1-v1_5 using       | Optional           |
   |              | SHA-512                       |                    |
   | ES256        | ECDSA using P-256 and SHA-256 | Recommended+       |
   | ES384        | ECDSA using P-384 and SHA-384 | Optional           |
   | ES512        | ECDSA using P-521 and SHA-512 | Optional           |
   | PS256        | RSASSA-PSS using SHA-256 and  | Optional           |
   |              | MGF1 with SHA-256             |                    |
   | PS384        | RSASSA-PSS using SHA-384 and  | Optional           |
   |              | MGF1 with SHA-384             |                    |
   | PS512        | RSASSA-PSS using SHA-512 and  | Optional           |
   |              | MGF1 with SHA-512             |                    |
   | none         | No digital signature or MAC   | Optional           |
   |              | performed                     |                    |
   +--------------+-------------------------------+--------------------+





>
> This might even align with implementations which often don't enumerate
> every supported alg but instead look at the prefix to pull an algorithm
> family implementation.
>
> - Filip
>
> 30. 8. 2023 v 3:28, Michael Jones <michael_b_jones@hotmail.com>:
>
> 
>
> Orie Steele <https://twitter.com/OR13b> and I have written a new
> specification creating algorithm identifiers for JOSE and COSE that fully
> specify the cryptographic operations to be performed – something we’d
> promised to do during our presentation to the JOSE working group
> <https://datatracker.ietf.org/meeting/117/materials/slides-117-jose-fully-specified-algorithms-for-jose-and-cose-00> at
> IETF 117. The introduction to the specification (quoted below) describes
> why this matters.
>
>
>
> The IANA algorithm registries for JOSE [IANA.JOSE.Algorithms
> <https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms>]
> and COSE [IANA.COSE.Algorithms
> <https://www.iana.org/assignments/cose/cose.xhtml#algorithms>] contain
> two kinds of algorithm identifiers:
>
> ·        *Fully Specified*: Those that fully determine the cryptographic
> operations to be performed, including any curve, key derivation function
> (KDF), hash functions, etc. Examples are RS256 and ES256K in both JOSE
> and COSE and ES256 in JOSE.
>
> ·        *Polymorphic*: Those requiring information beyond the algorithm
> identifier to determine the cryptographic operations to be performed. Such
> additional information could include the actual key value and a curve that
> it uses. Examples are EdDSA in both JOSE and COSE and ES256 in COSE.
>
>
>
> This matters because many protocols negotiate supported operations using
> only algorithm identifiers. For instance, OAuth Authorization Server
> Metadata [RFC8414 <https://www.rfc-editor.org/rfc/rfc8414.html>] uses
> negotiation parameters like these (from an example in the specification):
>
> "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"]
>
>
>
> OpenID Connect Discovery [OpenID.Discovery
> <https://openid.net/specs/openid-connect-discovery-1_0.html>] likewise
> negotiates supported algorithms using alg and enc values. W3C Web
> Authentication [WebAuthn
> <https://www.w3.org/TR/2021/REC-webauthn-2-20210408/>] and FIDO Client to
> Authenticator Protocol (CTAP) [FIDO2
> <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html>]
> negotiate using COSE alg numbers.
>
>
>
> This does not work for polymorphic algorithms. For instance, with EdDSA,
> you do not know which of the curves Ed25519 and/or Ed448 are supported!
> This causes real problems in practice.
>
>
>
> WebAuthn contains this de-facto algorithm definition to work around this
> problem:
>
> -8 (EdDSA), where crv is 6 (Ed25519)
>
>
>
> This redefines the COSE EdDSA algorithm identifier for the purposes of
> WebAuthn to restrict it to using the Ed25519 curve – making it
> non-polymorphic so that algorithm negotiation can succeed, but also
> effectively eliminating the possibility of using Ed448. Other similar
> workarounds for polymorphic algorithm identifiers are used in practice.
>
>
>
> This specification creates fully-specified algorithm identifiers for all
> registered polymorphic JOSE and COSE algorithms and their parameters,
> enabling applications to use only fully-specified algorithm identifiers. It
> furthermore deprecates the practice of registering polymorphic algorithm
> identifiers.
>
>
>
> The specification is available at:
>
> ·
> https://www.ietf.org/archive/id/draft-jones-jose-fully-specified-algorithms-00.html
>
>
>
>                                                        -- Mike
>
>
>
> P.S.  This note was also published at https://self-issued.info/?p=2401
> and was referenced from
> https://twitter.com/selfissued/status/1696693714008322088.
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email