Re: [jose] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

Mike Jones <Michael.Jones@microsoft.com> Sat, 21 September 2019 00:44 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50AC0120916; Fri, 20 Sep 2019 17:44:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iks8B3hoe6sz; Fri, 20 Sep 2019 17:44:52 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650115.outbound.protection.outlook.com [40.107.65.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DCE7120912; Fri, 20 Sep 2019 17:44:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aX5EgF+jBNZQuX0Ur3YzQRfutI7z36gdEdZsg5bJUd9Zhnwz2Nu9eJXhL5EQZHnXiADZmzfUyU7hr9N4lyTMhovXd3zD2yl4JSk13JMF58Me32ePLeWa7ng50VFUqu416f180x8cNcTDcby5fQUhq6jL5oBxoh/ACI2dQzFgMHhUcaZSrnJ6ytzzNYsUQ0meZzMZ/x0yQmyIazAD7P2Nhoq9sreSpyGqRhJKj8WMcgWQZ39upDzE3z15ITVVASuQ4UwGJ20hsbdB+OdNgM8MbHbsHtLE6DC5XsGNM22EBCFlTucuU5wFCpSEpZAjfxDQJSEY1vT0pgNu4FEqyc1cuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pEwMdQd1zn5YFgTBE4rRVDc/IZpAEx9oUzAmV7RNws8=; b=CIhD7c7t4yxjJIkaorPT6ewxuIg8i1ayX9J2F5u15Q56GVoRhXpuITDxLoQN5dWHeGJl8r/ctZYp6VQlLpGoxyt/9O4WhfOEVRoc2wvZNzVk6ajdvA4k+H2xVaMhjjQeyBD3R/IBw+utMCOLMUTKl4YPUbMAqZYkiipk5c5tnaMBAnOXxC895KsdWzdlGoffUUbZUbxpMdggO3aQ+pRINr4N3fmslZnFGX2i5klf0z6Yd33/+J9cD/C357jwo4S29/QAgdQ4gVLZWZ2bTnmAHCsLUcaSCaaEvhQL5RXQmqKxM/D7PsXHYoKvveiSnWleOXLmkYGU5a2LnufXXYCpVQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pEwMdQd1zn5YFgTBE4rRVDc/IZpAEx9oUzAmV7RNws8=; b=BcKWLP2hYZEb55U9IFLd4AK4KGuiqBP6qPMLTRi/UREeUNqYF547Cg+/8eH3g+PPofRS9p9RzbGxbXCxKo+j6Gam3efHSIHhsC3SRyPn/uXWNg6rix2S8WXPus647efGlW04hCdXGQ4HGOK+5k3+thMHj6G4dJOlR350a42e+pI=
Received: from MN2PR00MB0576.namprd00.prod.outlook.com (20.178.255.149) by MN2PR00MB0462.namprd00.prod.outlook.com (20.178.240.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2327.0; Sat, 21 Sep 2019 00:44:46 +0000
Received: from MN2PR00MB0576.namprd00.prod.outlook.com ([fe80::acd1:824c:663:f0da]) by MN2PR00MB0576.namprd00.prod.outlook.com ([fe80::acd1:824c:663:f0da%7]) with mapi id 15.20.2331.000; Sat, 21 Sep 2019 00:44:46 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Neil Madden' <neil.madden@forgerock.com>
CC: "cose@ietf.org" <cose@ietf.org>, "jose@ietf.org" <jose@ietf.org>, 'ivaylo petrov' <ivaylo@ackl.io>
Thread-Topic: =?utf-8?B?W2pvc2VdICDwn5SUIFdHTEMgb2YgZHJhZnQtaWV0Zi1jb3NlLXdlYmF1dGhu?= =?utf-8?Q?-algorithms?=
Thread-Index: AQHVb8hxbNYYvzLOmUqGNbeIaix6hKc1SlAw
Date: Sat, 21 Sep 2019 00:44:45 +0000
Message-ID: <MN2PR00MB0576AB42D6324A7F1FFD581EF58B0@MN2PR00MB0576.namprd00.prod.outlook.com>
References: <CAJFkdRzEF0wh9-H4dDNQeUHVd_VD8KKv1jOJ7BWs+bKN2e6gBQ@mail.gmail.com> <CAJFkdRy6Bs77gFGG0QGMC1fe_niQC6Of7_2Z8+jjYzpWkuMDBQ@mail.gmail.com> <465EE321-1595-4453-8D4E-E3A6A457C86E@forgerock.com> <012001d56fc0$1fb30e90$5f192bb0$@augustcellars.com> <F6FF776D-FFF9-4330-8A6B-81F783D990C2@forgerock.com> <013c01d56fc8$56cb8b20$0462a160$@augustcellars.com>
In-Reply-To: <013c01d56fc8$56cb8b20$0462a160$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=72cc8178-77dd-4c89-a687-0000990f53cc; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-09-21T00:38:53Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [153.188.97.51]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 33807327-5671-450a-378d-08d73e2ce656
x-ms-office365-filtering-ht: Tenant
x-ms-traffictypediagnostic: MN2PR00MB0462:
x-microsoft-antispam-prvs: <MN2PR00MB046282C7AD8405008053520BF58B0@MN2PR00MB0462.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0167DB5752
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(396003)(346002)(366004)(136003)(39860400002)(376002)(51914003)(199004)(189003)(51444003)(6506007)(33656002)(76176011)(186003)(790700001)(7696005)(3846002)(6116002)(53546011)(8990500004)(102836004)(2906002)(26005)(4326008)(6246003)(10090500001)(66946007)(76116006)(66446008)(64756008)(66556008)(66476007)(229853002)(5660300002)(14454004)(52536014)(7736002)(236005)(54896002)(6306002)(9686003)(55016002)(81166006)(8936002)(81156014)(99286004)(25786009)(74316002)(66066001)(10290500003)(478600001)(6436002)(486006)(476003)(446003)(11346002)(86362001)(54906003)(256004)(14444005)(22452003)(71190400001)(71200400001)(110136005)(316002); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR00MB0462; H:MN2PR00MB0576.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: LRmn+OZmQdjt6z8xCqdjiVgABQMW6jzdFVBxuzVv3g3U7PoSFufhaDsQNn6QzdHZFHQIlxaoVMgJyWqNnUmYX5sGjXfiElaKN7lo+onYzm0Uco0smQyAlxl6ka3PrWIM6gnOyLAhg7ePd+BEA8wUDgE2Ig1gfXF9w3zGGDioUsxu5VDjYofhZyJl2zFbrYqBbPijBf6DqLG2m8bESggl8eBye25VIGOUtGYekLN1fJVg2rKQKOOYkSk3MycKCpyMhjMZJ3+ZwgVB7MaT2vX0RoNbzNxcABHi/G+GZQSEfqYt+l+N3HXAQ0OsBhdpK9eDzp6LYhUKJa78VJbpWIeqO6mz+7vPux7yZt/lQqQJpTNXU/q2aMZY4BYQVdiPvKAISDVSKQsXjQwEk/zf3yDK67Zi2wdEpSiOyQ5+QposGvs=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR00MB0576AB42D6324A7F1FFD581EF58B0MN2PR00MB0576namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 33807327-5671-450a-378d-08d73e2ce656
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Sep 2019 00:44:45.7659 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vHSS9ISRcT4UkI/JvpRFSFqZGtUrWaCN87VEfsthCZQXlFTtL+QNaAzLoz/0bmjFjdeXyjBAgkt4eNuNNAdaOQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR00MB0462
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/h2fwF1fg-pnQys2sYCrh6Rq8Rfc>
Subject: Re: [jose] =?utf-8?q?=F0=9F=94=94_WGLC_of_draft-ietf-cose-webauthn-a?= =?utf-8?q?lgorithms?=
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Sep 2019 00:44:56 -0000

RSA SHA-1 is used by TPMs, which produce attestations used by W3C WebCrypto.  That can’t be changed.  That’s why an algorithm identifier is needed for it.  It’s use is prohibited for new applications but TPMs are an existing application.  I can work to make this clearer when resolving the WGLC comments.

As for secp256k1, the “ES256K” algorithm is registered, whose definition is “ECDSA using secp256k1 curve and SHA-256”.  That’s only for signing.  The draft is currently silent on whether the registered curve can also be used for other things.  I think that’s how it should be, unless there are security reasons to the contrary.

                                                       -- Mike

From: jose <jose-bounces@ietf.org> On Behalf Of Jim Schaad
Sent: Friday, September 20, 2019 8:30 AM
To: 'Neil Madden' <neil.madden@forgerock.com>
Cc: cose@ietf.org; jose@ietf.org; 'ivaylo petrov' <ivaylo@ackl.io>
Subject: Re: [jose] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

See inline

From: Neil Madden <neil.madden@forgerock.com<mailto:neil.madden@forgerock.com>>
Sent: Friday, September 20, 2019 8:09 AM
To: Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>
Cc: ivaylo petrov <ivaylo@ackl.io<mailto:ivaylo@ackl.io>>; jose@ietf.org<mailto:jose@ietf.org>; cose@ietf.org<mailto:cose@ietf.org>
Subject: Re: [jose] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

Thanks for the reply, comments in-line marked with [NEM]:

On 20 Sep 2019, at 15:31, Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote:



From: jose <jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>> On Behalf Of Neil Madden
Sent: Friday, September 20, 2019 2:35 AM
To: ivaylo petrov <ivaylo@ackl.io<mailto:ivaylo@ackl.io>>
Cc: jose@ietf.org<mailto:jose@ietf.org>; cose@ietf.org<mailto:cose@ietf.org>
Subject: Re: [jose] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

Thanks, I wasn't aware of this draft. It looks ok, just a few comments from me:

secp256k1 is mentioned in the context of signatures and the new ES256K JWS algorithm, but when it is registered in the JOSE Elliptic Curve registry it will also be usable for ECDH-ES encryption. The current draft mentions JOSE but only links to RFC 7515 (JWS). Is the intention that the curve be only used for signatures, or is it also intended for encryption?

[JLS] That is an interesting question.  Right now I would say that it is only for signatures, but it could be expanded to key agreement quite easily.  Is there any need for it or are you just speculating?  The big use I know of is bit coin which is only signatures and WebAuthn which is only signatures.

[NEM] As soon as it is registered as a JOSE elliptic curve it can be used for ECDH-ES, so the draft should make a statement one way or another as to whether this is intended rather than standardizing that usage by side-effect IMO.


I'm glad RS1 is not being registered for JOSE, although I'm still a bit surprised that it is being registered (even as deprecated) for a standard as new as COSE. I can't find any justification in the linked WebAuthn or CTAP specs for why this algorithm needs to exist at all. Section 5.3 says that it needs to be registered because some WebAuthn TPM attestations use it, but the very same section says that the algorithm MUST NOT be used by COSE implementations (is a WebAuthn implementation not a COSE implementation?). If the normative language in the spec is obeyed then the algorithm will never be used and so the registered identifier isn't needed.

[JLS] For better or for worse, RS1 is already registered for JOSE, so that is the reason it is not registered here.

Ouch, I hadn't seen this. The WebCrypto group really did a number on the registry. Thankfully most of them (including RS1) are only registered for JWK usage and marked as Prohibited. (What does it even mean for things like "A128CBC" to be registered as a JWK "alg" value?)

[JLS] One can have a JWK which contains a symmetric key so in that case an “alg” value of “A128CBC” makes sense.  Only use this key with this algorithm.

My main point still stands that section 5.3 of the draft is self-contradictory as it says that the reason for registry is because some TPMs are using the algorithm but then also says that those implementations MUST NOT use the algorithm, negating the reason for registering it in the first place.

[JLS] I agree and I have also pointed this out in a couple of reviews.

-- Neil