Re: [jose] review comment to draft-ietf-jose-json-web-encryption-31
Mike Jones <Michael.Jones@microsoft.com> Mon, 22 September 2014 19:09 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 119E71A1B1D; Mon, 22 Sep 2014 12:09:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ryd2JdJs2KFt; Mon, 22 Sep 2014 12:09:29 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0782.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::782]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CD581A1B0A; Mon, 22 Sep 2014 12:09:29 -0700 (PDT)
Received: from DM2PR03CA0033.namprd03.prod.outlook.com (10.141.96.32) by CY1PR0301MB1209.namprd03.prod.outlook.com (25.161.212.143) with Microsoft SMTP Server (TLS) id 15.0.1034.13; Mon, 22 Sep 2014 19:09:06 +0000
Received: from BN1BFFO11FD027.protection.gbl (2a01:111:f400:7c10::1:135) by DM2PR03CA0033.outlook.office365.com (2a01:111:e400:2428::32) with Microsoft SMTP Server (TLS) id 15.0.1024.12 via Frontend Transport; Mon, 22 Sep 2014 19:09:05 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD027.mail.protection.outlook.com (10.58.144.90) with Microsoft SMTP Server (TLS) id 15.0.1029.15 via Frontend Transport; Mon, 22 Sep 2014 19:09:05 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.23]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0195.002; Mon, 22 Sep 2014 19:08:28 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Linda Dunbar <linda.dunbar@huawei.com>, "ops-dir@ietf.org" <ops-dir@ietf.org>, "ops-ads@tools.ietf.org" <ops-ads@tools.ietf.org>, "draft-ietf-jose-json-web-encryption.all@tools.ietf.org" <draft-ietf-jose-json-web-encryption.all@tools.ietf.org>
Thread-Topic: review comment to draft-ietf-jose-json-web-encryption-31
Thread-Index: Ac/USfJfVlZNMYWpR+G/gGSqUjLaJQCTe1Xw
Date: Mon, 22 Sep 2014 19:08:27 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BA67F80@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <4A95BA014132FF49AE685FAB4B9F17F645E05549@dfweml701-chm>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F645E05549@dfweml701-chm>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.79]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439BA67F80TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(189002)(377454003)(199003)(51914003)(90102001)(15202345003)(64706001)(50986999)(77096002)(85852003)(92726001)(2201001)(92566001)(84676001)(19300405004)(20776003)(21056001)(4396001)(71186001)(33656002)(86362001)(86612001)(76176999)(95666004)(66066001)(87936001)(54356999)(99396002)(15975445006)(106466001)(81156004)(2656002)(81342003)(74502003)(46102003)(6806004)(76482002)(77982003)(107046002)(81542003)(74662003)(79102003)(80022003)(19580395003)(104016003)(16236675004)(19625215002)(68736004)(55846006)(69596002)(83322001)(19580405001)(44976005)(31966008)(84326002)(85806002)(512954002)(83072002)(85306004)(230783001)(120916001)(26826002)(97736003); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB1209; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB1209;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 034215E98F
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/jF5tC31o_hOeSyEe34aVlkpCwBY
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] review comment to draft-ietf-jose-json-web-encryption-31
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Sep 2014 19:09:32 -0000
Thanks for the review, Linda.
I think I'd need a more precise explanation of what attack you are describing as "spoofing the encrypted content" to be able to definitively answer your question. I say that, because in general it's perfectly legitimate for *any* party to encrypt content to a recipient's public encryption key for use by the recipient. If the recipient wants to determine the identity of the sender, that's typically done by having the sender sign the message (which can be done with the related draft-ietf-jose-json-web-signature spec).
Another answer is that if symmetric encryption keys are being used, there may be a presumption that only legitimate senders will be in possession of those keys.
Do those answers address the point of your question, or were you thinking of something else?
-- Mike
From: Linda Dunbar [mailto:linda.dunbar@huawei.com]
Sent: Friday, September 19, 2014 1:40 PM
To: ops-dir@ietf.org; ops-ads@tools.ietf.org; draft-ietf-jose-json-web-encryption.all@tools.ietf.org
Subject: review comment to draft-ietf-jose-json-web-encryption-31
I have reviewed this document as part of the Operational directorate's ongoing
effort to review all IETF documents being processed by the IESG.
The draft is written very well. The encryption process is well described.
The only question I have is how to prevent the unintended parties to spoof the encrypted content?
Linda Dunbar
Huawei USA IP Technology Lab
5340 Legacy Drive,
Plano, TX 75024
Tel: +1 469-277 - 5840
Fax: +1 469 -277 - 5900