Re: [jose] Tightened Key Managed JWS Spec

Mike Jones <Michael.Jones@microsoft.com> Thu, 28 May 2015 04:58 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: Tightened Key Managed JWS Spec
Date: Thu, 28 May 2015 04:58:16 +0000
Message-ID: <BY2PR03MB4428256C96D3F94B43EBF9EF5CA0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BL2PR03MB433FCE29FB0D85441A0D9CDF5CB0@BL2PR03MB433.namprd03.prod.outlook.com> <255B9BB34FB7D647A506DC292726F6E1285CA8B458@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1285CA8B458@WSMSG3153V.srv.dir.telstra.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/mQ6vMHemT11ml_kHwJjZmJJHJmg>
Subject: Re: [jose] Tightened Key Managed JWS Spec
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

Hi James,

The means of distinguishing between KMJWS objects and JWS and JWE objects is described in http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-01#section-7.

As I'd written in response to an inquiry on the same subject by Jim Schaad earlier:
It's backwards-compatible in the sense that if an implementation supports JWSs and JWEs but not KMJWSs (I'm still looking for a better name than KMJWS, BTW), the current rules all continue to do the right thing.  If an implementation supports all three, yes, a little bit of additional logic would be needed, just like a little bit of additional code would be needed, but no breaking changes result.  A KMJWS is neither a legal JWS nor a legal JWE, so even if the existing discrimination rules were applied to a KMJWS and it was mis-categorized as one or the other, upon parsing, it would still be rejected, since it would be missing required properties.

"crit" isn't required, because a graceful failure will already occur upon receipt if the KMJWS object is not understood.  (But on thinking of it, you're right that "crit":["mac"] could be used by KMJWS producers if it is useful in the application context.)

                                                            -- Mike

From: Manger, James [mailto:James.H.Manger@team.telstra.com]
Sent: Wednesday, May 27, 2015 7:59 PM
To: Mike Jones; jose@ietf.org
Subject: RE: Tightened Key Managed JWS Spec

How is code supposed to distinguish KMJWS from JWS and JWE? Or how is code that understands JWS and JWE supposed to notice that a KMJWS message is something it cannot handle?
JWE section 9 "Distinguishing between JWS and JWE Objects" allows code to use any of 4 methods: counting dot-separated segments; payload/ciphertext member presence; alg value; enc member presence.
I think KMJWS breaks all 4.
Should 'crit' be used to indicate that something beyond JWS/JWE is going on?

--
James Manger

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, 28 May 2015 9:57 AM
To: jose@ietf.org
Subject: [jose] Tightened Key Managed JWS Spec

The -01 version of draft-jones-jose-key-managed-json-web-signature tightened the semantics by prohibiting use of "dir" as the "alg" header parameter value so a second equivalent representation for content integrity-protected with a MAC with no key management isn't introduced.  (A normal JWS will do just fine in this case.)  Thanks to Jim Schaad for pointing this out.  This version also adds acknowledgements and references the now-final JOSE RFCs <http://self-issued.info/?p=1387>.

This specification is available at:

* https://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-01

An HTML formatted version is also available at:

* http://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-01.html

                                                                -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1396 and as @selfissued.
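The discrimination rules debated in this thread, as an added example that is not part of the original messages or of the draft: a classifier that applies the four JWE section 9 (RFC 7516) methods James lists and shows both of Mike's claims, namely that a JWS/JWE-only implementation rejects a KMJWS gracefully, and that an implementation which does know KMJWS only needs a little extra logic. The JWS and JWE rules below come from RFC 7515, RFC 7516 and RFC 7518. The KMJWS layout is an assumption drawn from the -01 draft and must be checked against its section 7: a four-segment compact form (header.encrypted_key.payload.mac), a JSON form carrying both "payload" and "encrypted_key", an "alg" that is a JWE key management algorithm other than "dir" (the -01 change announced above), and a "mac" header parameter naming the MAC algorithm. All sample objects are constructed with placeholder bytes, not real keys or MACs.

```python
import base64
import json

# Registered JWS signature algorithms (RFC 7518 s3.1) and JWE key management
# algorithms (RFC 7518 s4.1). The two sets are disjoint, which is what makes
# the "alg" value usable as a discriminator at all.
JWS_ALGS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
            "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "none"}
JWE_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
            "dir", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW",
            "ECDH-ES+A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW",
            "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_header(segment):
    """Decode a base64url protected header; None unless it is a JSON object."""
    try:
        hdr = json.loads(b64url_decode(segment))
    except ValueError:          # bad base64, bad UTF-8 or bad JSON
        return None
    return hdr if isinstance(hdr, dict) else None


def is_kmjws_header(hdr):
    # ASSUMED KMJWS header rules (draft -01): a JWE key management "alg" other
    # than "dir", a "mac" parameter, and no "enc" (no content encryption).
    alg = hdr.get("alg")
    return alg in JWE_ALGS and alg != "dir" and "mac" in hdr and "enc" not in hdr


def classify_compact(text, know_kmjws):
    segs = text.split(".")
    hdr = decode_header(segs[0])
    if hdr is None:
        return None
    alg = hdr.get("alg")
    if len(segs) == 3:   # JWS: header.payload.signature
        return "JWS" if alg in JWS_ALGS and "enc" not in hdr else None
    if len(segs) == 5:   # JWE: header.encrypted_key.iv.ciphertext.tag
        return "JWE" if alg in JWE_ALGS and "enc" in hdr else None
    if len(segs) == 4 and know_kmjws:
        # ASSUMED KMJWS compact layout: header.encrypted_key.payload.mac
        return "KMJWS" if is_kmjws_header(hdr) else None
    return None          # anything else is not a JOSE object we handle


def classify_json(obj, know_kmjws):
    """Flattened JSON serialization: top-level protected/unprotected headers."""
    hdr = decode_header(obj["protected"]) if "protected" in obj else {}
    if hdr is None:
        return None
    hdr = dict(hdr)
    for key in ("unprotected", "header"):
        if isinstance(obj.get(key), dict):
            hdr.update(obj[key])
    alg = hdr.get("alg")
    if "ciphertext" in obj:                       # JWE JSON serialization
        return "JWE" if alg in JWE_ALGS and "enc" in hdr else None
    if "payload" in obj:
        if know_kmjws and "encrypted_key" in obj:
            # ASSUMED KMJWS JSON marker: "payload" together with "encrypted_key".
            return "KMJWS" if is_kmjws_header(hdr) else None
        # Plain JWS rules. A KMJWS that lands here in a JWS/JWE-only
        # implementation is still rejected: its "alg" is a key management
        # algorithm, not a signature algorithm.
        return "JWS" if alg in JWS_ALGS and "enc" not in hdr else None
    return None


def classify(obj, know_kmjws=False):
    """Return "JWS", "JWE", "KMJWS" or None (reject) for a compact string or JSON dict."""
    if isinstance(obj, str):
        return classify_compact(obj, know_kmjws)
    if isinstance(obj, dict):
        return classify_json(obj, know_kmjws)
    return None


def compact(header, *segments):
    """Build a compact serialization from a header dict and raw segments."""
    return ".".join([b64url_encode(json.dumps(header).encode())]
                    + [b64url_encode(s) for s in segments])


# Constructed samples: placeholder bytes stand in for keys, IVs, MACs and tags.
PAYLOAD = b'{"iss":"joe","exp":1300819380}'
JWS_SAMPLE = compact({"alg": "HS256"}, PAYLOAD, b"\x11" * 32)
JWE_SAMPLE = compact({"alg": "RSA-OAEP", "enc": "A128GCM"},
                     b"\x22" * 256, b"\x33" * 12, b"\x44" * 40, b"\x55" * 16)
KMJWS_SAMPLE = compact({"alg": "RSA-OAEP", "mac": "HS256"},
                       b"\x22" * 256, PAYLOAD, b"\x11" * 32)
DIR_KMJWS_SAMPLE = compact({"alg": "dir", "mac": "HS256"}, b"", PAYLOAD, b"\x11" * 32)
KMJWS_JSON_SAMPLE = {
    "protected": b64url_encode(json.dumps({"alg": "RSA-OAEP", "mac": "HS256"}).encode()),
    "encrypted_key": b64url_encode(b"\x22" * 256),
    "payload": b64url_encode(PAYLOAD),
    "signature": b64url_encode(b"\x11" * 32),
}

if __name__ == "__main__":
    for name, obj in [("JWS", JWS_SAMPLE), ("JWE", JWE_SAMPLE),
                      ("KMJWS", KMJWS_SAMPLE), ("KMJWS (dir)", DIR_KMJWS_SAMPLE),
                      ("KMJWS JSON", KMJWS_JSON_SAMPLE)]:
        print(f"{name:12} legacy={classify(obj)!s:6} aware={classify(obj, True)}")
```

The "dir" case is the one the -01 draft closes off: with `know_kmjws=True` the classifier still rejects a four-segment object whose "alg" is "dir", since that content would be a plain HMAC JWS in a second encoding. Note also that the JSON branch handles only the flattened serialization; the general serialization with a "signatures" or "recipients" array carries its protected headers per entry and needs the same checks applied to each.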