Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
David Adrian <davadria@umich.edu> Mon, 23 April 2018 13:44 UTC
From: David Adrian <davadria@umich.edu>
Date: Mon, 23 Apr 2018 13:44:00 +0000
Message-ID: <CACf5n78R3Fur_eunfiQnM9+enbV5vrXs8aW1sfmU6HhV6_3WVA@mail.gmail.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: Carsten Bormann <cabo@tzi.org>, Neil Madden <neil.e.madden@gmail.com>, "cfrg@ietf.org" <cfrg@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/hNNxUYf4n0D33LouqayB985iTvU>
Subject: Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens

> If we have to invent a new standard each time an existing standard is
> implemented with a security flaw, we have a lot of work to do.

You fundamentally cannot fix a standard with unusable to the point of broken negotiation by extending the negotiation. If you don't want PASETO to be a new standard, call it JOSEv3.

On Fri, Apr 20, 2018 at 11:18 AM Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:

> The JWT Best Current Practices (BCP) draft catalogs the different
> implementation mistakes that have been documented and describes how not
> make them. The timing of this discussion is good because the draft is
> currently in working group last call - through Monday, April 30th. Have a
> look at https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-01. If you
> believe that additional content is needed, please send your reviews to
> oauth@ietf.org.
>
> Also, see Neil Madden's draft
> https://tools.ietf.org/html/draft-madden-jose-siv-mode-02 on
> misuse-resistant cryptography for JOSE. I've encouraged him to take it
> forward. Please provide feedback on that as well.
>
> -- Mike
>
> -----Original Message-----
> From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Carsten Bormann
> Sent: Friday, April 20, 2018 4:03 AM
> To: Neil Madden <neil.e.madden@gmail.com>
> Cc: cfrg@ietf.org; jose@ietf.org
> Subject: Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Agnotic SEcurity
> TOkens
>
> On Apr 20, 2018, at 12:49, Neil Madden <neil.e.madden@gmail.com> wrote:
> >
> > insecure implementations of old standards don’t go away because you
> > introduce a new standard
>
> Exactly.
>
> If we have to invent a new standard each time an existing standard is
> implemented with a security flaw, we have a lot of work to do.
>
> Insecure implementations exist even of standards such as TLS. Usually the
> strategy is to fix the implementations. (It is also a good idea to
> envision what implementers will mess up when creating a new standard. But
> there are limits to that approach.)
>
> One of the objectives in the definition of COSE was to avoid some of the
> pitfalls of JOSE.
> There is also work ongoing to document the security considerations of JOSE
> better, e.g., draft-ietf-oauth-jwt-bcp.
>
> I’d like to focus the energy that appears to be visible here on agreeing
> good SIV constructions and getting them registered with COSE.
>
> Grüße, Carsten
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

-- 
David Adrian
https://dadrian.io