Re: [jose] #15: Broken examples in JWE / JWS

Mike Jones <Michael.Jones@microsoft.com> Mon, 25 March 2013 21:55 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>, Brian Campbell <bcampbell@pingidentity.com>
Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org, Jim Schaad <ietf@augustcellars.com>, jose@ietf.org
Date: Mon, 25 Mar 2013 21:54:52 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943675886B8@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <CAL02cgRQF18RPmCOAs-ObF=prVpcTO3q9YpRKE7hUwKPxzROKw@mail.gmail.com>
Subject: Re: [jose] #15: Broken examples in JWE / JWS

If you already know that something is going on out of band, the indication in the JOSE object would be unnecessary.

-- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Monday, March 25, 2013 2:31 PM
To: Brian Campbell
Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; Jim Schaad; jose@ietf.org
Subject: Re: [jose] #15: Broken examples in JWE / JWS

I realize that's the common case.  But the spec doesn't say that.

All I'm saying is, the spec should REQUIRE that a sender include either a key indicator, or an indication that something is going on out of band.

--Richard


On Mon, Mar 25, 2013 at 8:15 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
/* special magic */ is just some out of band agreement on the key to use or how to infer it. Which isn't really special or magic. But probably pretty common.

On Fri, Mar 22, 2013 at 7:37 PM, Richard Barnes <rlb@ipv.sx> wrote:
I've renamed the issue to try to clarify.

You're right that there are alternative ways to locate a key.  But a JOSE object needs to contain at least one of them, or else the /* special magic */ clause applies.

--Richard

On Fri, Mar 22, 2013 at 9:15 PM, Jim Schaad <ietf@augustcellars.com> wrote:
This may or may not be a flaw in the specification.  However the item you created in the tracker does not reflect what you have put here.  I think you would be better served by saying that there is a flaw in the specifications in that there should be a MUST that some type of key or key reference is required in a JWS or JWE.

I would note that your example code should be more complex in that it does not deal with jku or any of the x* methods of referencing keys.

Jim


From: Richard Barnes [mailto:rlb@ipv.sx]
Sent: Friday, March 22, 2013 4:09 PM
To: Jim Schaad
Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; jose@ietf.org

Subject: Re: [jose] #15: Broken examples in JWE / JWS

I admit that they are not broken according to the current spec.  However, I have a lot of trouble figuring out how I would write code to process them.

If "kid" or "jwk" MUST be present to indicate what key I should use, then I can have deterministic code:
if (/* recognized "kid" or "jwk" value */) {
    /* use it */
} else {
    /* FAIL.  can't process this object */
}

As the spec stands, I have no idea what to put in that "else" clause.  I'm clearly not supposed to fail, because the parameters are optional.  But what else?
if (/* recognized "kid" or "jwk" value */) {
    /* use it */
} else {
    /* insert special magic here */
}

This is actually what SPI is supposed to clear up.  SPI would provide an explicit third branch for the special magic to live in.
if (/* recognized "kid" or "jwk" value */) {
    /* use it */
} else if (/* recognized SPI value */) {
    /* process using stored parameters */
} else {
    /* FAIL.  can't process this object */
}

But without the concept of SPI, the spec is broken because of the non-determinism noted above.

--Richard



On Fri, Mar 22, 2013 at 6:13 PM, Jim Schaad <ietf@augustcellars.com> wrote:
My inclination is that this response is correct.

What makes you think that the key or key reference is required and cannot be implied?

Jim


> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> jose issue tracker
> Sent: Friday, March 22, 2013 2:37 PM
> To: draft-ietf-jose-json-web-encryption@tools.ietf.org; ignisvulpis@gmail.com
> Cc: jose@ietf.org
> Subject: Re: [jose] #15: Broken examples in JWE / JWS
>
> #15: Broken examples in JWE / JWS
>
>
> Comment (by ignisvulpis@gmail.com):
>
>  I think this is not an issue. The examples are NOT broken and they do not
> need a fix.
>  I suggest closing this ticket.
>  The draft should definitely not make these illegal. These objects are
> perfect examples for a valid JWS/JWE.
>
> --
> ---------------------------------+----------------------------------------------
>  Reporter:  rlb@ipv.sx           |       Owner:  draft-ietf-jose-json-web-encryption@tools.ietf.org
>      Type:  defect               |      Status:  new
>  Priority:  minor                |   Milestone:
> Component:  json-web-encryption  |     Version:
>  Severity:  -                    |  Resolution:
>  Keywords:                       |
> ---------------------------------+----------------------------------------------
>
> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/15#comment:1>
> jose <http://tools.ietf.org/jose/>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
