Re: [jose] review comment to draft-ietf-jose-json-web-encryption-31

Mike Jones <> Mon, 22 September 2014 19:09 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 119E71A1B1D; Mon, 22 Sep 2014 12:09:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ryd2JdJs2KFt; Mon, 22 Sep 2014 12:09:29 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::782]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1CD581A1B0A; Mon, 22 Sep 2014 12:09:29 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1034.13; Mon, 22 Sep 2014 19:09:06 +0000
Received: from (2a01:111:f400:7c10::1:135) by (2a01:111:e400:2428::32) with Microsoft SMTP Server (TLS) id 15.0.1024.12 via Frontend Transport; Mon, 22 Sep 2014 19:09:05 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1029.15 via Frontend Transport; Mon, 22 Sep 2014 19:09:05 +0000
Received: from ([]) by ([]) with mapi id 14.03.0195.002; Mon, 22 Sep 2014 19:08:28 +0000
From: Mike Jones <>
To: Linda Dunbar <>, "" <>, "" <>, "" <>
Thread-Topic: review comment to draft-ietf-jose-json-web-encryption-31
Thread-Index: Ac/USfJfVlZNMYWpR+G/gGSqUjLaJQCTe1Xw
Date: Mon, 22 Sep 2014 19:08:27 +0000
Message-ID: <>
References: <4A95BA014132FF49AE685FAB4B9F17F645E05549@dfweml701-chm>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F645E05549@dfweml701-chm>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439BA67F80TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(189002)(377454003)(199003)(51914003)(90102001)(15202345003)(64706001)(50986999)(77096002)(85852003)(92726001)(2201001)(92566001)(84676001)(19300405004)(20776003)(21056001)(4396001)(71186001)(33656002)(86362001)(86612001)(76176999)(95666004)(66066001)(87936001)(54356999)(99396002)(15975445006)(106466001)(81156004)(2656002)(81342003)(74502003)(46102003)(6806004)(76482002)(77982003)(107046002)(81542003)(74662003)(79102003)(80022003)(19580395003)(104016003)(16236675004)(19625215002)(68736004)(55846006)(69596002)(83322001)(19580405001)(44976005)(31966008)(84326002)(85806002)(512954002)(83072002)(85306004)(230783001)(120916001)(26826002)(97736003); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB1209;; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB1209;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 034215E98F
Received-SPF: Pass ( domain of designates as permitted sender); client-ip=;;
Authentication-Results: spf=pass (sender IP is;
Cc: "" <>
Subject: Re: [jose] review comment to draft-ietf-jose-json-web-encryption-31
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 22 Sep 2014 19:09:32 -0000

Thanks for the review, Linda.

I think I'd need a more precise explanation of what attack you are describing as "spoofing the encrypted content" to be able to definitively answer your question.  I say that, because in general it's perfectly legitimate for *any* party to encrypt content to a recipient's public encryption key for use by the recipient.  If the recipient wants to determine the identity of the sender, that's typically done by having the sender sign the message (which can be done with the related draft-ietf-jose-json-web-signature spec).

Another answer is that if symmetric encryption keys are being used, there may be a presumption that only legitimate senders will be in possession of those keys.

Do those answers address the point of your question, or were you thinking of something else?

                                                                -- Mike

From: Linda Dunbar []
Sent: Friday, September 19, 2014 1:40 PM
Subject: review comment to draft-ietf-jose-json-web-encryption-31

I have reviewed this document as part of the Operational directorate's ongoing
effort to review all IETF documents being processed by the IESG.

The draft is written very well. The encryption process is well described.

The only question I have is how to prevent the unintended parties to spoof the encrypted content?

Linda Dunbar

Huawei USA IP Technology Lab
5340 Legacy Drive,
Plano, TX 75024
Tel: +1 469-277 - 5840
Fax: +1 469 -277 - 5900