Re: [jose] #24: Move JWS headers into signature block

Mike Jones <Michael.Jones@microsoft.com> Wed, 03 July 2013 21:47 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Richard Barnes <rlb@ipv.sx>
Cc: Dick Hardt <dick.hardt@gmail.com>, Jim Schaad <ietf@augustcellars.com>, n-sakimura <n-sakimura@nri.co.jp>, "jose@ietf.org" <jose@ietf.org>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>
Date: Wed, 03 Jul 2013 21:42:21 +0000
Subject: Re: [jose] #24: Move JWS headers into signature block

[Changing subject line to the correct thread]

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, July 03, 2013 2:40 PM
To: John Bradley; Richard Barnes
Cc: Jim Schaad; n-sakimura; draft-ietf-jose-json-web-signature@tools.ietf.org; jose@ietf.org; Dick Hardt
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded

John, since you're raising the topic of integrity protecting JWS header values, I'd be interested in your reactions to my note encoded below.

Cheers,
-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Saturday, June 29, 2013 3:43 AM
To: jose@ietf.org
Subject: Re: [jose] #24: Move JWS headers into signature block

Perhaps I'm in an odd frame of mind tonight, because I wouldn't normally even consider re-raising a closed issue, but Ben Laurie's advice "why not just protect everything" kept running through my mind and I realized that the current JWS JSON Serialization doesn't allow us to do that in the general case. Specifically, we don't allow a per-signature "protected" headers field, which would be necessary to protect the cryptographic parameters if different signatures use different algorithms.

So I'd at least like others' thoughts on whether we want to "fill in the matrix" for the JWS JSON Serialization and allow header parameters to be specified both in protected and unprotected forms, both on a shared and per-signature basis. We currently support 3 of these 4 header parameter locations.

Note that we would not do this for JWE, since (as extensively discussed) per-recipient protected content is problematic.

For the signature input, if both shared and per-signature protected headers were present, we'd need to concatenate the two base64url encoded representations together with a separator character between (I'm thinking comma (',') because it is distinct from period ('.'), which is also used as a separator in the signature input).

I'm fine with this issue remaining closed, but I wanted to at least run this possibility by the working group for their input, since it hadn't been discussed previously.

Cheers,
-- Mike

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Wednesday, July 03, 2013 2:25 PM
To: Richard Barnes
Cc: Dick Hardt; Jim Schaad; n-sakimura; Mike Jones; jose@ietf.org; draft-ietf-jose-json-web-signature@tools.ietf.org
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded

...

Just for the record I am one of the people on the side of integrity protecting headers unless there is a strong reason not to as is the case with multiple recipients and counter mode encryption.

John B.
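
The signature input proposed in the June 29 note above, sketched as an added example that is not from the message or from the JWS draft: shared and per-signature protected headers are joined with ',' and followed by '.' and the payload, so a changed per-signature protected value fails verification while unprotected values stay outside the signature. The JSON member names, the use of HMAC-SHA256 for every signature, and the key are assumptions.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def encode_header(header: dict) -> str:
    return b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))

def signing_input(shared_prot: str, sig_prot: str, payload_b64: str) -> bytes:
    # Proposed rule: join whichever protected segments are present with ',',
    # then '.' and the payload. Neither separator is in the base64url alphabet.
    protected = ",".join(seg for seg in (shared_prot, sig_prot) if seg)
    return f"{protected}.{payload_b64}".encode("ascii")

def sign(key: bytes, shared_prot: str, sig_prot: str, payload_b64: str) -> str:
    # Assumption: HMAC-SHA256 regardless of the "alg" value carried in the header.
    mac = hmac.new(key, signing_input(shared_prot, sig_prot, payload_b64), hashlib.sha256)
    return b64url(mac.digest())

def verify(key: bytes, jws: dict, index: int) -> bool:
    # Recompute over the segments exactly as received; unprotected members are not covered.
    entry = jws["signatures"][index]
    expected = sign(key, jws.get("protected", ""), entry.get("protected", ""), jws["payload"])
    return hmac.compare_digest(expected, entry["signature"])

def with_sig_protected(jws: dict, header: dict) -> dict:
    # Copy of jws whose first signature carries a different per-signature protected header.
    entry = dict(jws["signatures"][0], protected=encode_header(header))
    return dict(jws, signatures=[entry])

KEY = b"constructed-demo-key"  # constructed sample key

def build_sample() -> dict:
    # Constructed object using all four header locations (member names are assumptions).
    shared = encode_header({"typ": "JWT"})
    per_sig = encode_header({"alg": "HS256"})
    payload = b64url(b'{"iss":"example"}')
    return {"protected": shared, "unprotected": {"cty": "json"}, "payload": payload,
            "signatures": [{"protected": per_sig, "header": {"kid": "k1"},
                            "signature": sign(KEY, shared, per_sig, payload)}]}

if __name__ == "__main__":
    jws = build_sample()
    print(verify(KEY, jws, 0))                                        # intact object
    print(verify(KEY, with_sig_protected(jws, {"alg": "HS512"}), 0))  # protected value changed
    jws["signatures"][0]["header"]["kid"] = "k2"                      # unprotected value changed
    print(verify(KEY, jws, 0))
```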