Re: [jose] SECDIR review of draft-ietf-jose-json-web-key-31
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 25 September 2014 16:47 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 659081A6FF9 for <jose@ietfa.amsl.com>; Thu, 25 Sep 2014 09:47:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QNPIBNORKFXB for <jose@ietfa.amsl.com>; Thu, 25 Sep 2014 09:47:18 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA9711A0149 for <jose@ietf.org>; Thu, 25 Sep 2014 09:47:17 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id s18so13119192lam.28 for <jose@ietf.org>; Thu, 25 Sep 2014 09:47:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=3XZz7vvuK/Bl59Q/6CFs98iYG4bN7AkUTbqHmvxrKoo=; b=Dj9OBpng5TNkIw2CaIAX9F0XKnUmVkHClLSVirQbXsDKrLw70hKfwzswStclmE0Cup Qv2CgxNMwAtsK02xI+okERgNooAk99/sL+L4LF2jODa4CqbWm9VlzqjIY9pd7TyfEqDw 1TFRLd9XD1fqRqv05ncAmuUIzzfWSJahk/RzDhx6RShHLD5fvIsd3QtyDtIR+/gZGHwH NS944bEJuH/kB3DeK6wRfW2OqSP+E6jUQ0BEKWQX2zZxQ43b2564HNEmnZMXiAJdWhFG UW88MU1gWVitF1oD2Rrf5Jg/4D/KG4ads89r+/QgWBbYbIcRKisaWhUWF34SDhKO99zY Jg9g==
MIME-Version: 1.0
X-Received: by 10.112.168.38 with SMTP id zt6mr13693669lbb.60.1411663636029; Thu, 25 Sep 2014 09:47:16 -0700 (PDT)
Received: by 10.112.41.233 with HTTP; Thu, 25 Sep 2014 09:47:15 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BA78909@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739439AEB89F6@TK5EX14MBXC292.redmond.corp.microsoft.com> <5411BC12.9040808@bbn.com> <4E1F6AAD24975D4BA5B16804296739439BA6F3C8@TK5EX14MBXC286.redmond.corp.microsoft.com> <CAHbuEH4UAmC9eJeW+DRF5hYqiJBy1irkddNdrtKDLu6gA4JVVQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439BA78909@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Thu, 25 Sep 2014 12:47:15 -0400
Message-ID: <CAHbuEH7M5JKyaGJQ0qtaA-2Jj_v+T4VcsPTqVY8=EonoWAJGZA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11c346749168ea0503e68d84"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/mZvPkxoXhqWZL1jCkuSptINTpYc
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "Moriarty, Kathleen" <kathleen.moriarty@emc.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] SECDIR review of draft-ietf-jose-json-web-key-31
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Sep 2014 16:47:22 -0000
On Thu, Sep 25, 2014 at 12:28 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: > My sincere apologies. Upon review, it appears that I missed a whole > block of resolutions agreed to in this thread. Those that I believe I > missed were: > > · changing “data associated with a key” to “data cryptographically > secured by a key”? (And of course, deleting the extraneous “than”.) > > · add that this implies a that there is secure way to deliver the > needed decryption key for the JWE > > · In addition to the common parameters, each JWK will have members > that are key type-specific. > > · Rather than saying “SHOULD be used”, we could change it to just > say “is used”. > > · The "alg" member is used to specify the algorithm with which the > key is to be used. > > · The "use" parameter is employed to indicate whether a public key > is for encrypting data or verifying the signature on data. > > · This specification will be used both in open environments … and > closed environments … > > · change “can be” to “is” > > · Clarification about improving interoperability > > · Similarly, if the “alg” member is present, it SHOULD correspond > to the algorithm specified in the certificate. > > · we could add language saying that certificate thumbprints are > also known as certificate fingerprints > > · We could be more explicit and talk about performing > authenticated encryption > > > > Also, there was an issue about the RFC 1421 reference that we did not > reach a resolution on. In looking at 1421, it’s no longer clear to me that > this is the best reference for the “x5u” certificate format definition. > I’ll have to investigate that further. > > > > Finally, on the basis of Stephen’s comment on two weeks being potentially > two short for the registration review period and people taking multi-week > vacations, I propose that we change it to three weeks. > > > > Kathleen, do you want me to publish updated drafts today addressing these > missed resolutions? My thinking is that it would probably be better to go > into the telechat with these issues having been addressed. > > > If you can get this done today, then yes. Barry has started his reviews and is making quick progress. *reduced the distribution list Thanks, Kathleen > -- Mike > > > > *From:* Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] > *Sent:* Thursday, September 25, 2014 7:25 AM > *To:* Mike Jones > *Cc:* Stephen Kent; secdir@ietf.org; jose-chairs@tools.ietf.org; > Moriarty, Kathleen; jose@ietf.org > *Subject:* Re: [jose] SECDIR review of draft-ietf-jose-json-web-key-31 > > > > Hi Mike, > > > > It appears that the explanation for thumprints/fingerprints was not > included in the current version and was agreed to. This came up several > times in reviews and I think it would be helpful for the reader. Let me > know if I missed something or if this was an oversight and it will be > addressed in the next revision. > > > > Also, there is some suggested text from Steve on "alg" members. Where > does that stand? I think I am missing the resolution. > > > > These issues are in the email thread right next to each other. > > > > Thanks! > > > > On Tue, Sep 23, 2014 at 7:40 PM, Mike Jones <Michael.Jones@microsoft.com> > wrote: > > Thanks again for your review, Stephen. The resolutions discussed below > have been incorporated in draft -32. > > > > See the thread “JWK member names, was: [jose] SECDIR review of > draft-ietf-jose-json-web-key-31” for the status of that particular issue. > > > > -- Mike > > > > *From:* Stephen Kent [mailto:kent@bbn.com] > *Sent:* Thursday, September 11, 2014 8:13 AM > *To:* Mike Jones; secdir@ietf.org; jose-chairs@tools.ietf.org; Moriarty, > Kathleen > *Cc:* jose@ietf.org > *Subject:* Re: SECDIR review of draft-ietf-jose-json-web-key-31 > > > > Mike, > > Thanks for the reply to my comments. > > I've retained your replies and responded to them, below. > > > I agree that “employing countermeasures to” is more accurate than > “preventing”. I also agree that the “avoiding mistakes” language is not > actionable – I propose to just remove it. > > Great. > > Actually, it was spoken by then-Security AD Sean Turner. ;-) > > gee, I thought Sean was wise, but I didn't realize he was a Jedi ;-). > > How about changing “data associated with a key” to “data cryptographically > secured by a key”? (And of course, deleting the extraneous “than”.) > > OK. > > The wording above is needlessly awkward. Nonetheless, this says that key > sets containing symmetric or private keys should be encrypted by embedding > them in another JSON crypto format (JWE). It would be nice to add that this > implies a that there is secure way to deliver the needed decryption key for > the JWE, else this recommendation just adds a layer of indirection, and > does not solve the problem. > > Fair enough. I propose that we add something along those lines. > > OK, I look forward to seeing the revised wording here. > > Section 9.3 discusses a countermeasure against a specific attack on RSA > key use. This seems unduly narrow, since this spec is intended for use with > RSA, DH, DSS, and ECDH keys. Why devote a long paragraph to this one issue, > while saying nothing about equally serious concerns that arise for other > algorithms? > > > > This particular attack is described both because the countermeasure > requires specific key representation actions and because a working group > member asked it to be included. For what it’s worth, I expect that > additional security considerations will be added when resolving Russ > Housley’s gen-art review of the JWS specification. > > If comparable alg-specific countermeasures are added based on Russ's > comments then > this may be OK, but in isolation this RSA-specific attack seem out of > place. > > These non-goals were agreed to by the working group from the very > beginning, while the working group was still being chartered. The group > wanted to build something simple and easily deployable to represent keys in > JSON – not reinvent all the work that the PKIX working group did on > certificates and certificate chains, etc. Do any working group members > want to suggest specific wording to try to capture this sentiment? > > OK. > > The example that comprises Section 3 should include an explanation of > the parameters, else it’s not a great example. > > > > The parameters and values of them are explained in the paragraph preceding > the example text. It says: > > > > The following example JWK > > declares that the key is an Elliptic Curve [DSS <https://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#ref-DSS>] key, it is used with > > the P-256 Elliptic Curve, and its x and y coordinates are the > > base64url encoded values shown. A key identifier is also provided > > for the key. > > > > Each statement above corresponds to a parameter in the example, and in the > same order. > > OK. I missed that. > > I suppose that one option is to be more verbose above and add > parenthetical remarks after each statement above saying which parameter > does this. So for instance, the parenthetical phrase “(“kty” parameter)” > could be added before the first comma. Do others in the working group > think that would make the example easier to read, harder to read, or do any > of you have an alternative suggestion? > > I defer to the WG on this presentation issue. > > In addition to the common parameters, each JWK will have members that > > are algorithm-specific. > > > > They’re not algorithm-specific – they’re key type-specific. Another way > of eliminating the repeated use of the word “parameters” is to replace the > second sentence with “These members represent the key value”. Would that > work for you (and the working group)? > > Yes, I meant key-type specific. But if one were to use that term instead > of "algorithm specific" > I still think my wording is better. > > This topic has been heavily discussed by the working group, and while the > specs used to just say that objects with duplicate member names MUST be > rejected, working group members, including Tim Bray (the editor of the JSON > spec), prevailed on us to weaken this so that parsers that implement the > ECMAscript behavior of returning only the last member name may be legally > used. (The argument was made that there was more security downside in > effectively requiring people to write and debug their own strict parsers > than in using laxer, but well-supported and debugged parsers.) > > I find that argument unpersuasive, but I defer to the cognizant Ad on this. > > However, we also intentionally require that producers use only one > instance of each member name, so that legally produced objects will never > exercise the ambiguities that are present in real JSON parsers. That > seemed to be the most practical solution to the working group. > > Based on year of experience in PKIX that is not a great solution. If the > consumer of a data > structure fails to strictly enforce the requirement imposed on the > producer of the data structure, > the result is that non-conforming producers do not receive "appropriate" > feedback. > > > The term "Collision-Resistant Name" is already present in the Terminology > section. However, previous reviewers had requested that definitions not be > repeated in multiple specs, so it’s incorporated by reference, rather than > repeating the definition here. The notion is that of an implementation > wants to use a collision-resistant name such as “ > http://names.example.com/the-name”, it can do so without having to create > a public specification and register the name with IANA. > > I found the definition by reading one of the other specs, but I didn't see > a clear explanation of > why this is a reasonable alternative to using an IANA registry. The text > above does still does > not provide a rationale. > > I agree that the “SHOULD” language is awkward. Rather than saying > “SHOULD be used”, we could change it to just say “is used”. > > OK. > > Would the language “The “alg” member can be used to specify the > cryptographic operation that the key is intended to be used for” work > better for you? Or would people like to just see the parenthetical remark > deleted? > > How about: > > The "alg" member is used to specify the algorithm with which the key is to > be used. > > Section 4.5 defines the key_ops parameter. It’s not clear how this > parameters and “use” relate. There is also an odd sentence at the end of > the first paragraph: > > > > The "key_ops" parameter is intended for use cases in which public, > > private, or symmetric keys may be present. > > > > This seems to encompass all of the types of keys that JWK carries, so the > sentence seems to add no useful qualification for when this parameter is > intended to be used. > > > > This is in contrast to the related statement in the “use” definition: > > > > The "use" parameter is intended for use cases in which > > it is useful to distinguish between public signing keys and public > > encryption keys. > > Too subtle for me, and the language above seems a bit wimpy. Why not say: > > The "use" parameter is employed to indicate whether a public key is for > encrypting > data or verifying the signature on data. > > If you want to see this parameter name changed, you’ll need to file a > bug against the WebCrypto spec and get it changed there. Then I’m sure > that JOSE will gladly follow. > > My request is directed to the IESG, suggesting that they take this action. > > > > This specification will be used both in open environments, in which > multiple organizations will need to have a common understanding of any > extensions used, and closed environments, which the producing and consuming > organization will always be the same and private values could be safely > used. IANA registration is definitely the right thing to do for open > environments. It’s probably unnecessary for deployments in closed > environments. > > Then say this. > > Same answer as for Section 4. > > ibid. > > “Can” is being used as a non-2119 synonym for “MAY” here. That being > said, we could just change “can be” to “is”, since it’s explicitly said > that its use is optional at the end of the paragraph. > > please revise accordingly. > > It’s the inclusion of other metadata about the key that might improve > interoperability that’s being referred to – not the inclusion of the cert > reference. For instance, including “use” or “alg” parameters might be > useful to applications that can’t process the certificate. > > that's not what the text said, hence my confusion. > > As for the cert vs. cert chain question, in the general case, a chain may > be required to establish trust. However, a chain of length one (a single > certificate) will also be sufficient in some use cases. We’re not > inventing anything new here. The data format is specified in RFC 1421. > > could you point specifically to where 1421 uses two names to identify > equivalent data structures > for transport of certs/cert chains? I trued a quick search of the text and > didn't locate the > text to which you appear to refer. > > I had thought there were uses of RSA keys where the same key is used both > for signing and encryption (even though this is a deprecated practice). > > Yes, that practice is frowned upon, and we prefer that certs use an OID > that makes it clear > how a key is to be used. How about the following text: > > Similarly, if the "alg" member is present, it MUST be consistent with > > the algorithm specified in the certificate. > > > > But we could change this to “Similarly, if the “alg” member is present, it > SHOULD correspond to the algorithm specified in the certificate.” Or is > that overly strong for some certificates and uses of them? > > I prefer this text. > > Also, the name seems misleading since the chain MAY contain additional > certs, and hence may not be a chain at all! > > > > I’m not sure if I’m following you here. Are you suggesting the > possibility of having multiple certificates not chaining to one another in > the representation? This isn’t allowed by the specification, as written. > Are you suggesting that it needs to be allowed? > > > > Thumbprint is the term used in the Windows libraries, such as > http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.thumbprint(v=vs.110).aspx. > Whereas OpenSSL uses fingerprint > http://www.openssl.org/docs/apps/x509.html. I know that there would be > an uproar if we tried to make a breaking change to the “x5t” name at this > point, because it’s in widespread production use. However, we could add > language saying that certificate thumbprints are also known as certificate > fingerprints, so people familiar with either term will know what this is. > > Yes, do add that explanatory text. > > The term “base64url” is incorporated by reference in the terminology > section (Section 2). > > > > Actually, Appendix C in JWS is not normative. It’s just example code. > The normative definition of the encoding is in Section 5 of RFC 4648. > > Then 4648 should be cited. > > > > It used to be a “SHOULD” but the working group felt that the “MUST … > unless” wording was a more accurate statement of the requirement. > > I defer to the cognizant AD here, but the notion of SHOULD is really MUST > ... unless ... > > > > Section 8 (IANA Considerations) establishes a two-week review period for > creating new (IANA) registry items. This seems too short; some people take > multi-week vacations. I note that the same text appears in the JWS and JWE > documents. > > > > This text was taken from RFC 6749. > > I didn't review that RFC. My comment still stands. > > Aren’t appendices normally informative? > > normally, but not always. > > We could be more explicit and talk about performing authenticated > encryption. > > please do. > > Steve > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > > > > > > -- > > > > Best regards, > > Kathleen > -- Best regards, Kathleen
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Mike Jones
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Stephen Kent
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Mike Jones
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Kathleen Moriarty
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Mike Jones
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Kathleen Moriarty
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Mike Jones
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Mike Jones
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Stephen Kent
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Carsten Bormann
- Re: [jose] SECDIR review of draft-ietf-jose-json-… Mike Jones