Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
Mike Jones <Michael.Jones@microsoft.com> Tue, 14 October 2014 12:55 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E4FC1A1A75; Tue, 14 Oct 2014 05:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UgIqQj7maR-V; Tue, 14 Oct 2014 05:55:33 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0729.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::729]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E73711A87BB; Tue, 14 Oct 2014 05:55:32 -0700 (PDT)
Received: from CH1PR03CA001.namprd03.prod.outlook.com (10.255.156.146) by CY1PR0301MB1211.namprd03.prod.outlook.com (25.161.212.145) with Microsoft SMTP Server (TLS) id 15.0.1049.19; Tue, 14 Oct 2014 12:55:09 +0000
Received: from BN1BFFO11FD028.protection.gbl (10.255.156.132) by CH1PR03CA001.outlook.office365.com (10.255.156.146) with Microsoft SMTP Server (TLS) id 15.0.1054.13 via Frontend Transport; Tue, 14 Oct 2014 12:55:09 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD028.mail.protection.outlook.com (10.58.144.91) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Tue, 14 Oct 2014 12:55:08 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0210.003; Tue, 14 Oct 2014 12:53:47 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>
Thread-Topic: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
Thread-Index: Ac/nrd6iHoCzpvzyTS+w1UkvERbusw==
Date: Tue, 14 Oct 2014 12:53:46 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB0D5B0@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(41574002)(13464003)(377454003)(52044002)(189002)(24454002)(51914003)(51704005)(52604005)(199003)(43784003)(104016003)(230783001)(20776003)(15202345003)(85806002)(86362001)(76482002)(97736003)(46102003)(80022003)(85306004)(64706001)(66066001)(26826002)(47776003)(110136001)(85852003)(31966008)(84676001)(44976005)(19580405001)(19580395003)(69596002)(68736004)(33656002)(6806004)(99396003)(50466002)(23726002)(15395725005)(46406003)(15975445006)(2656002)(87936001)(120916001)(55846006)(95666004)(81156004)(106466001)(21056001)(86612001)(107046002)(4396001)(92566001)(92726001)(50986999)(77096002)(54356999)(97756001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB1211; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB1211;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03648EFF89
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/ePUlQ8i6_IB5pMn22EX8XEWCXUc
Cc: "draft-ietf-jose-json-web-algorithms@tools.ietf.org" <draft-ietf-jose-json-web-algorithms@tools.ietf.org>, "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 12:55:38 -0000
The resolutions proposed below have been incorporated in the -34 draft. Hopefully you can clear your DISCUSSes on that basis. Thanks again, -- Mike > -----Original Message----- > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones > Sent: Saturday, October 11, 2014 1:23 PM > To: Richard Barnes > Cc: jose-chairs@tools.ietf.org; jose@ietf.org; The IESG; draft-ietf-jose-json- > web-algorithms@tools.ietf.org > Subject: Re: [jose] Richard Barnes' Discuss on draft-ietf-jose-json-web- > algorithms-33: (with DISCUSS and COMMENT) > > > From: Richard Barnes [mailto:rlb@ipv.sx] > > Sent: Friday, October 10, 2014 2:58 PM > > To: Mike Jones > > Cc: The IESG; jose-chairs@tools.ietf.org; > > draft-ietf-jose-json-web-algorithms@tools.ietf.org; jose@ietf.org > > Subject: Re: [jose] Richard Barnes' Discuss on > > draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT) > > > > On Mon, Oct 6, 2014 at 3:54 AM, Mike Jones > <Michael.Jones@microsoft.com> wrote: > > Thanks for your review, Richard. Replies are inline below... > > > > > -----Original Message----- > > > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Richard > > > Barnes > > > Sent: Wednesday, October 01, 2014 7:36 PM > > > To: The IESG > > > Cc: jose-chairs@tools.ietf.org; draft-ietf-jose-json-web- > > > algorithms@tools.ietf.org; jose@ietf.org > > > Subject: [jose] Richard Barnes' Discuss on > > > draft-ietf-jose-json-web-algorithms- > > > 33: (with DISCUSS and COMMENT) > > > > > > Richard Barnes has entered the following ballot position for > > > draft-ietf-jose-json-web-algorithms-33: Discuss > > > > > > When responding, please keep the subject line intact and reply to > > > all email addresses included in the To and CC lines. (Feel free to > > > cut this introductory paragraph, however.) > > > > > > > > > Please refer to > > > http://www.ietf.org/iesg/statement/discuss-criteria.html > > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > > > > The document, along with other ballot positions, can be found here: > > > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-algorithms/ > > > > > > > > > > > > -------------------------------------------------------------------- > > > -- > > > DISCUSS: > > > -------------------------------------------------------------------- > > > -- > > > > > > Section 3.2. > > > "This computed HMAC value is then compared to the result of > > > base64url decoding the received encoded JWS Signature value." > > > Need to add: > > > "In order to avoid timing attacks, the comparison of the computed > > > HMAC value to the JWS Signature value MUST be done in a constant-time > manner." > > > > OK > > > > > Section 3.6. > > > I'm not going to object to "none", even though I think it's a very > > > dangerous feature because of the risk of confusion between Secured and > Unsecured JWS. > > > But there needs to be stronger guidance: > > > 1. An implementation SHOULD NOT support "none" unless the > > > implementer knows that it will be used in application context s that require > it. > > > 2. If an implementation does support "none", then it MUST NOT accept > > > it as part of generic JWS validation. Instead, it should require > > > the application to explicitly signal that an Unsecured JWS is expected for a > given validation operation. > > > > As discussed in the working group, your concern about applications > inappropriately allowing the use of "none" actually is an instance of a more > general concern that applications not allow *any* algorithms to be used that > are not appropriate in their application contexts. This concern is already > addressed in the specification at the end of Section 5.2 as follows: > > > > "Finally, note that it is an application decision which algorithms are acceptable > in a given context. Even if a JWS can be successfully validated, unless the > algorithm(s) used in the JWS are acceptable to the application, it SHOULD reject > the JWS." > > > > Since your specific concern is already handled in a more general way, I would > like to request that you withdraw this DISCUSS on that basis. Also, you were one > of the contributing authors to the security considerations on this topic in Section > 8.5 of JWA (Unsecured JWS Security Considerations), so it's not clear that there's > any cause for you to come back with additional wording change requests on this > topic at this point. > > > > Thanks for reminding me about Section 8.5. I think I would be satisfied here if > the contents of Section 8.5 were just moved up to this section. That way all of > the requirements for implementing "none" will be together. > > Section 3.6 does end with the sentence "See Section 8.5 for security > considerations associated with using this algorithm" so implementers are > reminded to also pay attention to the security considerations. If we were to do > what you requested, this would be the only algorithm for which the security > considerations were included in the algorithm description, rather than in the > security considerations section, which would be fairly weird and non-parallel, > editorially. > > Again, given that you were an author of 8.5 and seemed fine with the resolution > after the extensive discussion then, I'd ask you to clear the DISCUSS on that > basis and not request that it be reworked again. > > > > Section 4.2. > > > Systems that support RSAES-PKCS1-V1_5 key unwrap are commonly > > > vulnerable to oracle attacks based on whether they accept the wrapped key > or not. > > > See, e.g., > > > https://www.w3.org/Bugs/Public/show_bug.cgi?id=25431 > > > http://cryptosense.com/choice-of-algorithms-in-the-w3c-crypto-api/ > > > In light of that, it seems irresponsible to include this algorithm > > > without extensive security precautions, and especially irresponsible > > > for it to be REQUIRED. It's been dropped from WebCrypto, and is being > dropped from TLS in v1.3. > > > > The reasons for its inclusion and security considerations about it are already > covered in Section 8.3 of JWA (RSAES-PKCS1-v1_5 Security Considerations). If > you'd like to beef up the text there, specific additional proposed wording would > be welcomed. It's required because it's the one asymmetric key encryption > algorithm that appeared to be ubiquitously deployed across development > platforms. Otherwise, there would be no practical basis for interoperability for > this functionality. > > > > Thanks for the pointer to 8.3. I had missed that. That helps, but doesn't > resolve the issue. > > My concern here is that by having RSAES-PKCS1-v1_5 as a REQUIRED > algorithm, we will encourage the creation of more vulnerable stacks, and extend > the life of those that already exist. (Note that this is independent of the > guidance in RFC 3447.) Could we compromise on moving the requirement level > for this algorithm to OPTIONAL, and promoting OAEP to REQUIRED? > > Rather than Optional, I'd counter-propose to change it to Recommended- and > changing OAEP to Recommended+. It's not clear that OAEP is widely enough > deployed yet to make it REQUIRED. What do others in the working group think? > > > > Section 6.3.1. > > > The descriptions of these parameters are really vague, especially > > > when it comes to the "oth" parameters. Please cite a reference that > > > provides more detail, e.g., RFC 3447. > > > > I agree that an RFC 3447 reference would be appropriate. > > > > > Section 6.3.2.6. > > > This section defines the wrong parameter. > > > > Thanks! > > > > Cool. I'll clear these points when the updated draft is posted. > > > > > > > -------------------------------------------------------------------- > > > -- > > > COMMENT: > > > -------------------------------------------------------------------- > > > -- > > > > > > Section 1.1. > > > The pointer for BASE64URL should be to JWS. One level of > > > indirection, please :) > > > > Agreed > > > > > Section 3.1, 4.1, and 5.1. > > > As I said in the working group, the implementation requirements in > > > these registries should be removed. They are unnecessary for > > > interoperability, and highly likely to be ignored by implementers, > > > both because (1) many implementations are for specific applications > > > that do not require all of the REQUIRED algorithms, and (2) many > > > implementations use cryptographic libraries that do not support some > > > REQUIRED algorithms. I have personally written more than one > > > JWS/JWE implementation that ignored these requirements, for exactly > > > these reasons. (This would be a DISCUSS for me, if not for my > > > having made this argument already in the WG.) > > > > For what it's worth, apparently Stephen Farrell disagrees with you (as do many > in the working group). > > > Section 3.2. > > > "A key of the same size as the hash output (for instance, 256 bits > > > for > > > "HS256") or larger MUST be used with this algorithm." > > > A pointer to Section 3 of RFC 2104 here would be helpful. I was > > > surprised at this requirement, given that FIPS 198 says "The size of > > > the key, K, shall be equal to or greater than L/2, where L is the size of the > hash function output." > > > > The thread with Jim Schaad on this topic concluded as follows: > > > > [JLS] This does not seem to be the statement in sp800-107 rev1 (section > > 5.3.4) which updated FIPS 198. It says that the security = min (length of > > K, 2*C) where C is the internal barrel length. > > > > Ah, OK. Thanks for the updated reference. I stand corrected. > > --Richard > > > > > Section 3.4. > > > It might be worth noting that though this format seems ad-hoc, it is > > > the same used by WebCrypto. > > > > I'll think about if there's a non-intrusive way to add this. Are there other places > also using this representation? I'd thought that there were. > > > > I was going to say that this is how some libraries do it, but unfortunately, that > doesn't appear to be true of either of the libraries I checked, NSS and OpenSSL. > NSS uses a DER form, and OpenSSL uses a struct with two integers. > > OK - then it's not clear that there's anything else definitive to say, unless we > want to add a note that this is the same representation used by WebCrypto. Do > you think that's worth adding? > > > > Section 4.7.1.1. > > > Shouldn't you require that this field MUST encode a 16-octet / 128-bit value? > > > > Actually, 4.7 already states "Use of an Initialization Vector of size 96 bits is > REQUIRED with this algorithm." (See the GCM spec for why.) But I could add > "96 bit" to the description. > > > > Good catch. Seems like the extra mention wouldn't hurt. > > --Richard > > > > > > > _______________________________________________ > > > jose mailing list > > > jose@ietf.org > > > https://www.ietf.org/mailman/listinfo/jose > > > > Thanks again, > > -- Mike > > -- Mike > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- [jose] Richard Barnes' Discuss on draft-ietf-jose… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Jim Schaad
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Brian Campbell
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Mike Jones
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Kathleen Moriarty
- Re: [jose] Richard Barnes' Discuss on draft-ietf-… Richard Barnes