Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)

Mike Jones <> Thu, 02 October 2014 15:26 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4FD471A046F; Thu, 2 Oct 2014 08:26:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fe0MvliRqHEK; Thu, 2 Oct 2014 08:26:09 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::1:718]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0ABD41A1A89; Thu, 2 Oct 2014 08:26:09 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1039.15; Thu, 2 Oct 2014 15:25:45 +0000
Received: from (2a01:111:f400:7c10::1:183) by (2a01:111:e400:401e::39) with Microsoft SMTP Server (TLS) id 15.0.1044.10 via Frontend Transport; Thu, 2 Oct 2014 15:25:45 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1029.15 via Frontend Transport; Thu, 2 Oct 2014 15:25:45 +0000
Received: from ([]) by ([]) with mapi id 14.03.0195.002; Thu, 2 Oct 2014 15:25:38 +0000
From: Mike Jones <>
To: Pete Resnick <>, The IESG <>
Thread-Topic: Pete Resnick's Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
Thread-Index: AQHP3e2Zk8P2825gjEmgPkuKf4EMaZwc69nQ
Date: Thu, 02 Oct 2014 15:25:37 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439BAB3877TK5EX14MBXC288r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(377454003)(15594002)(189002)(52044002)(13464003)(199003)(68736004)(80022003)(106466001)(19625215002)(21056001)(66066001)(50986999)(230783001)(97736003)(54356999)(84676001)(76482002)(99396003)(69596002)(77096002)(16236675004)(85306004)(20776003)(33656002)(512874002)(92566001)(104016003)(81156004)(46102003)(64706001)(26826002)(120916001)(6806004)(2656002)(55846006)(551984002)(19580395003)(31966008)(106116001)(15975445006)(85852003)(95666004)(84326002)(92726001)(4396001)(551544002)(87936001)(10300001)(19580405001)(44976005)(15202345003)(71186001)(19300405004)(86362001)(76176999)(107046002)(86612001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB1211;; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB1211;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03524FBD26
Received-SPF: Pass ( domain of designates as permitted sender); client-ip=;;
Authentication-Results: spf=pass (sender IP is;
Cc: "" <>, "" <>, "" <>
Subject: Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 Oct 2014 15:26:13 -0000

Responding only to the DISCUSS portions for now…

-----Original Message-----
From: Pete Resnick []
Sent: Wednesday, October 01, 2014 8:04 PM
To: The IESG
Subject: Pete Resnick's Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)

Pete Resnick has entered the following ballot position for

draft-ietf-jose-json-web-algorithms-33: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to

for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:




Moving this first one from a comment to a discuss in light of Richard's


3.1/4.1/5.1/6.1: Why are there implementation requirements in this document? I am also curious, as Richard is, whether these are going to be used at all, and I'd like to hear the explanation that the WG had for including these. Are implementation requirements for JOSE different from implementation requirements for any other use of signing or encryption for each of these algorithms? Don't we already have a separate general registry of algorithms and their implementation statuses? Why are these necessary?

There are implementation requirements so that implementations will actually be interoperable in practice and not just in theory.

4.6.2: AlgorithmID. UTF-8 has me worried here. It has me more worried in 4.8, but we'll talk about that later. Here, aren't all "enc" and "alg"

values US-ASCII anyway? Saying US-ASCII here would solve the problem, so unless you think you're going to have the MötleyCrüe algorithm, perhaps we can avoid any concerns for this case. (My concern is that you can have "interesting" UTF-8 strings with ZERO-WIDTH JOINERs and other nonsense that you probably don't mean to address.

Even if people used pathological Unicode characters, the exact-match string comparison rules would handle this OK.  In practice, what I think we should do is provide guidance in the IANA registry instructions that only reasonable, displayable Unicode character sequences be registered.  I’m reluctant to tell people using non-US character sets that they can’t use printable glyphs from their own languages.  Do people have a suggestion what language this guidance should contain?


   The PBES2 password input is an

   octet sequence; if the password to be used is represented as a text

   string rather than an octet sequence, the UTF-8 encoding of the text

   string MUST be used as the octet sequence.

This one worries me a lot. It's one thing to say that the password is an octet sequence and the application above is responsible for collecting it from the user and passing it in the correct form. But to say down here in the guts that it MUST be UTF-8 brings up all sorts of ugly questions regarding normalization. I don't think you want to touch this with a 10-foot-pole. I certainly thing you want to stay away from that MUST.

To achieve interoperation, some encoding has to be specified, and UTF-8 seems like the best choice.  Restricting human-visible passwords to ASCII isn’t reasonable for most cultures. Same as 4.6.2.

Same answer.




For the life of me, I can't figure out why this document set uses the terminology "JSON Web Foo". Seems like buzzword nonsense. I would have much preferred "JOSE Foo" for each one.


   A key of the same size as the hash output (for instance, 256 bits for

   "HS256") or larger MUST be used with this algorithm.

Is this specific to JOSE, or is this a general requirement for use of SHA-2? If the latter, a reference would be better than a MUST in here.

[There are many things in the document that look like algorithm requirements and not JOSE requirements. I've noted a few more below, but these should be looked for generally. If something is part of the definition of the algorithm and documented elsewhere, no need to have requirements language, let alone a description of how to run the algorithm, in this document; that should be an external reference.]

In the 5th paragraph (the one right after the table), strike everything after the first sentence. Decoding and encoding are things that are JWS specific and should not be in this document.


   A key of size 2048 bits or larger MUST be used with this algorithm.

Is this specific to JOSE, or is this a general requirement for use of RSA?

3.6: This section seems to be for the JWS document, not this one. If you want to define the "None" algorithm, go ahead and do that, but describing its use in JWS doesn't belong here.


   A new ephemeral public key value MUST be generated for each key

   agreement operation.

Again, specific to JOSE, or requirement of ECDH-ES?

   In Direct Key Agreement mode, the output of the Concat KDF MUST be a

   key of the same length as that used by the "enc" algorithm.


   In Key Agreement with Key Wrapping mode, the output of the Concat KDF

   MUST be a key of the length needed for the specified key wrapping


s/MUST/will? These are not very well defined, and it's not clear why they need to be base64ed. What are they?

       Here we denote the number of octets in the MAC_KEY as

       MAC_KEY_LEN, and the number of octets in ENC_KEY as ENC_KEY_LEN;

Oh, dear. That's a pretty convoluted way of saying (I think) "MAC_KEY_LEN is the number of octets in MAC_KEY and ENC_KEY_LEN is the number of octets in ENC_KEY." If you mean something different, you best explain.

       the values of these parameters are specified by the Authenticated

       Encryption algorithms in Sections 5.2.3 through 5.2.5.

       The number of octets in the input key K MUST be the sum of


"MUST"? Do you mean "is"?

       When generating the secondary keys

       from K, MAC_KEY and ENC_KEY MUST NOT overlap.

Isn't that completely redundant? If length of K is the sum of MAC_KEY_LEN and ENC_KEY_LEN, then MAC_KEY and ENC_KEY *can't* overlap.

6.2: s/MUST be/is