[jose] FW: Issue #54, #55, #141

"Jim Schaad" <ietf@augustcellars.com> Tue, 08 October 2013 00:02 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 8541721E80E8 for <jose@ietfa.amsl.com>; Mon, 7 Oct 2013 17:02:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.255
X-Spam-Status: No, score=-3.255 tagged_above=-999 required=5 tests=[AWL=-0.257, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_56=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id n6m30hpYzSfY for <jose@ietfa.amsl.com>; Mon, 7 Oct 2013 17:01:54 -0700 (PDT)
Received: from smtp3.pacifier.net (smtp3.pacifier.net []) by ietfa.amsl.com (Postfix) with ESMTP id 7BEC021E80DF for <jose@ietf.org>; Mon, 7 Oct 2013 17:01:52 -0700 (PDT)
Received: from Philemon (winery.augustcellars.com []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id 246E538F05 for <jose@ietf.org>; Mon, 7 Oct 2013 17:01:50 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: jose@ietf.org
Date: Mon, 07 Oct 2013 17:00:35 -0700
Message-ID: <037701cec3b9$6a9419e0$3fbc4da0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0378_01CEC37E.BE37B2E0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac6+1EkHVVRISruwROWV8HlwOQxxRwE5R4Dw
Content-Language: en-us
Subject: [jose] FW: Issue #54, #55, #141
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Oct 2013 00:02:00 -0000



From: Jim Schaad [mailto:ietf@augutscellars.com] 
Sent: Tuesday, October 01, 2013 3:41 PM
To: jose@ietf.org
Subject: Issue #54, #55, #141


There are four issues that need to be addressed with respect to the concat
section of the JWA draft.  There is some agreement for these issues but I am
not totally happy with what is being done here and would like to see some
changes.  This message describes the changes that I would like to see.


The current set of open issues in the tracker are:


Issue #54 - epk/apu/apv need to be REQUIRED

Issue #55 - Mandatory entropy in ECC KDF inputs

Issue #151 - Section 4.7.2 Concat should have its own section

No Tracker Item - The concat usage should be consistent with that of the CMS
DH document RFC 2631



I don't like the current text which says that the partyU name can be either
a name or a nonce value.  While it is true that both are not needed for the
ES version of the key derivation function, this will not be the case for a
SS version of using concat.  I would like to make sure that this is a doable
thing without having to do massive re-writes.  I therefore propose the
following changes:


Add a new section "nonce" Header Parameter


The "nonce" value for a key derivation algorithm.  This parameter is
REQUIRED to be used when a static-static key agreement method is used and
MAY be used for other key agreement methods.  The value MUST be generated
freshly for each key derivation done.  The member value contains the base64
encoded nonce value.  The length of the nonce value needs to be sufficient
that it will not be duplicated for the pair of keys being used.  If the
uniqueness is generated pseudo-randomly, then it should be a minimum of 512
bits long.


Change the way that PartyUInfo is defined in section 4.7.2 as follows:


PartyUInfo  The PartyUInfo value consists of the partyU name and, when
present, the nonce field.  Both fields are encoded as Datalen || Data, where
Datalen is a 32 bit value containing the size of the field in bits as a
big-endian integer and Data is the value of the field.


      PartyUInfo = I4(partyU name.length) || partyU name

      If nonce.length > 0 then PartyUInfo = PartyUInfo || I4(nonce.length)
|| nonce



Replace the last paragraph with

The "apu" and "apv" parameters MUST contain distinct values so that the same
key would not be generated if the KDF is done for the opposite direction.
Applications can change the default values for these parameters in order to
make the keys generated for that application different from other




My reading of the NIST document which we are using for concat says that the
partyU name and partyV names are required to be defined, however they can be
defined by the protocol and not by the actual parties themselves.  This
means that it is possible that the parameters can have values, without them
being transmitted as part of the message.  In fact they should be removable
by the application and not transmitted.  I don't know that we need to make
that an explicit statement in the text or not.  (I have chosen not to do so
in this change, but it can be discussed.) Based on this understanding I
would like to modify the text in the following ways.



Change the way that PartyUInfo and partyVInfo are defined in section 4.7.2
as follows:




If an "apu" (agreement PartyUInfo) header

      parameter is present, Data is set to the result of base64url

      decoding the "apu" value and Datalen is set to the number of

      octets in Data.  Otherwise, the Datalen is set to 6 and Data is set to
the UTF-8 encoded string "Sender".


For apv replace "Sender" with "Recipient"




In order that the concat description be available for other key agreement
algorithms (i.e. ES-DH or SS-ECDH) I really would like to see it described
as a separate algorithm that is then referred to from the ES-ECDH algorithm
description.  This means that apu, apv and nonce would be defined as being
CONCAT parameters and not be defined as ES-ECDH parameters.   This can be
discussed and I can provide the alternate text if it makes sense to do so.