IETF Logo Mail Archive

Re: [jose] JWS Unencoded Payload Option spec addressing shepherd comments

"Jim Schaad" <ietf@augustcellars.com> Thu, 12 November 2015 22:27 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6AC31B3937 for <jose@ietfa.amsl.com>; Thu, 12 Nov 2015 14:27:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9RMBb_48Ri9P for <jose@ietfa.amsl.com>; Thu, 12 Nov 2015 14:27:31 -0800 (PST)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 714731B3936 for <jose@ietf.org>; Thu, 12 Nov 2015 14:27:31 -0800 (PST)
Received: from hebrews (c-24-21-96-37.hsd1.or.comcast.net [24.21.96.37]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 75C232C9F2; Thu, 12 Nov 2015 14:27:30 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, jose@ietf.org
References: <255B9BB34FB7D647A506DC292726F6E13BB1CDF231@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E13BB1CDF231@WSMSG3153V.srv.dir.telstra.com>
Date: Thu, 12 Nov 2015 14:24:28 -0800
Message-ID: <00d001d11d98$e53a4210$afaec630$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00D1_01D11D55.D71B47D0"
X-Mailer: Microsoft Outlook 15.0
thread-index: AQIKDEYue2MLgs8g6jEHrQlWhb5tTp4mEKng
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/j7HD1ZR9J_uKMYMvOy3PRRMy20g>
Subject: Re: [jose] JWS Unencoded Payload Option spec addressing shepherd comments
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 22:27:36 -0000

Mike,

 

I wish that we had talked about this last week at the F2F meeting.

 

This does not read like a security consideration, it read like an email that
is sent to the list saying that there is nothing to talk about here and it
can be completely ignored.  If that is the way that you feel about this, you
need to get census that there is no problem and kill the text.

 

How I would approach writing this consideration is as follows:

 

1.       Describe what the problem is.  While both James and I provided one
scenario that was easy to understand, it should not be thought of as the
only case that there is a problem.  The basic description of the problem is
that there are now two different strings that will generate the same
signature value, without there being a weakness in the hash algorithm.

2.      Describe the set of things that can be done to address this problem.

a.      Use the "crit" parameter

b.      Use a profile of the application that states there is only one
possible value

c.      Make sure that all implementations support the b64 parameter

 

Jim

 

 

 

 

 

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Manger, James
Sent: Wednesday, November 11, 2015 4:21 PM
To: Mike Jones <Michael.Jones@microsoft.com>; jose@ietf.org
Subject: Re: [jose] JWS Unencoded Payload Option spec addressing shepherd
comments

 

Mike, thanks for trying to explain with a page of Security Considerations
the ambiguity arising since existing (OLD) JWS implementations will silently
ignore the "b64":false signal.

 

It is still wrong. The extra text starts by saying "there is no security
problem. since the signature will fail" when "b64":false is ignored, but
then ends by saying "crit":["b64"] is necessary when "b64":false is ignored.
It cannot be both!

 

   There is no security problem if a JWS correctly created using "b64"

   with a "false" value is received by an implementation not supporting

   the "b64" Header Parameter, since the signature will fail to verify

   and the JWS will therefore be rejected.

  .

   Only if the application dynamically switches between "false" and

   "true" values for "b64" (something NOT RECOMMENDED in Section 6),

   would it be necessary for the application to require the use of

   "crit" with a value of "["b64"]" in such application contexts.

 

 

The signature can, in fact, still verify when "b64":false is ignored -
giving the verifier the wrong content.

We could have chosen a different signing input to avoid all ambiguity, but
decided against that (as it was aesthetically nice to keep a lower-layer
invariant somewhere inside JWS implementations of
signing-up-to-the-2nd-dot).

We could have required "crit":["b64"], but would prefer to avoid the extra
handful of bytes (and probably aren't that confident that everyone
implements "crit" properly anyway).

We could leave it to users to avoid the ambiguity at higher layers by having
totally separate contexts that do & don't use "b64":false, trying to help
them get it right with advice about "application profiles", "application
context", a "NOT RECOMMENDED", and 5 extra Security Considerations
paragraphs (though what "application" means here is not that clear).

 

To me, this is a design failure.

 

 

 

The extra text about trust is dangerous.

 

   If the trust established by

   verifying the signer's key does not actually establish that the 

   creator is a trusted party, then this case in which JWS libraries

   supporting and not supporting the extension may respectively

   interpret the attacker's payload as being encoded or unencoded is the

   least of the application's worries.

 

CAs issuing certificates to millions of HTTPS web sites (used to verify the
signer's key) absolutely DO NOT establish that the creator (web site) is a
trusted party, merely what the creator's name is. Misinterpreting what a
signer means is bad regardless of trust.

 

--

James Manger

 

 

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, 12 November 2015 2:37 AM
To: jose@ietf.org <mailto:jose@ietf.org> 
Subject: [jose] JWS Unencoded Payload Option spec addressing shepherd
comments

 

Draft -04 of the JWS Unencoded Payload Option specification addresses the
shepherd comments.  Thanks to Jim Schaad for his careful review.  The
primary change was adding additional security considerations text, including
describing when "crit" should be used.

 

The specification is available at:

*
https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-04

 

An HTML formatted version is also available at:

*
http://self-issued.info/docs/draft-ietf-jose-jws-signing-input-options-04.ht
ml

 

                                                                -- Mike

 

P.S.  This note was also published at http://self-issued.info/?p=1474 and as
@selfissued
<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftwitter.co
m%2fselfissued&data=01%7c01%7cmichael.jones%40microsoft.com%7c3a69db7b8b6c4d
47da0f08d2937a3d82%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=ggurSMkRVW%2
bR8Nv93Mnbsf16CmVGqfjB9lW8SV5gAKM%3d> .

v2.23.0 | Report a Bug | By Email