Re: [jose] Gen-ART review of draft-ietf-jose-json-web-signature-33

John Bradley <> Tue, 30 September 2014 19:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D66D71A87DF for <>; Tue, 30 Sep 2014 12:37:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JDl-Q416Ue-O for <>; Tue, 30 Sep 2014 12:37:06 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9CFE51A8830 for <>; Tue, 30 Sep 2014 12:37:01 -0700 (PDT)
Received: by with SMTP id q107so14206219qgd.36 for <>; Tue, 30 Sep 2014 12:36:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=A3lMfoZkAFWn4o5uVTWxWyu9IwzfxrUJ55sMJcqjb0M=; b=hNzkU4IcT6WlCPUXsWyU0H8FHJCAABCtDncBEPYg/5D8BsFj46fPxNlR9wOFxIfsae VZbAFkT36Sp6xhXpqmujZ6u1OzHNu42VoLMjHbZAq1GfWsDJ6fX4+w8HKN+491EOvDw6 pMXiGeQcvlA7E7MnbtUlj0RD345KBNkAAvDYuZsozoK5Y7MZVsUFcs6ijf+Qqn2CeDme atQkawhHNgqQ1CixLB+A7iWrVfJNHM5gpDHsOhuElZZ4blnzygZ/YWGSVYyxJaIxUq4l jd388Y2FRdDI6kjhZ1TV4LQIcweGPd/6g7rvLOy17lCB6xG+n7YjpqeMJRmPumJmnQPO FSLg==
X-Gm-Message-State: ALoCoQlrCAO21uQL/9Q4M7nz4T2ahvN1+YsJffAltIw4B07LvjsiFSk1UjbJxdJNlmiOWgpQRUrP
X-Received: by with SMTP id k4mr63949713qao.54.1412105819029; Tue, 30 Sep 2014 12:36:59 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id d49sm1427105qge.45.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 30 Sep 2014 12:36:58 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_2FA83102-229B-4C4A-B1EA-D88A8D1D951F"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <>
In-Reply-To: <>
Date: Tue, 30 Sep 2014 16:37:02 -0300
Message-Id: <>
References: <> <> <>
To: Dave Cridland <>
X-Mailer: Apple Mail (2.1878.6)
Cc: IETF <>, IETF Gen-ART <>, Russ Housley <>, Michael Jones <>, "" <>, "" <>
Subject: Re: [jose] Gen-ART review of draft-ietf-jose-json-web-signature-33
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 30 Sep 2014 19:37:08 -0000

I agree, the likelihood of the application correctly walking the path and validating the chain is very small.  

I strongly prefer leaving it a MUST use TLS and validate the server per RFC 6125.

The other thing to note is that the CN of the cert is not in the header.  If TLS is not used an attacker could simply modify the DNS to retrieve any valid certificate and use that to sign.

Not using TLS breaks the main trust model.  If someone wants to map the "iss" to the cert CN and walk the chain to a trusted root, that is fine.  I don't think having to have a TLS certificate for the server they are publishing the x5u on is going to be an impediment for them.

John B.
On Sep 30, 2014, at 4:08 PM, Dave Cridland <> wrote:

> On 30 September 2014 19:10, Mike Jones <> wrote:
> - In Section 4.1.5, why is TLS required to fetch digitally signed
>   X.509 certificates?
> This question was explicitly discussed by the working group at IETF 87.  The discussion is recorded in the minutes as follows:
> If there is an x5u pointing to a certification issued by a major CA, is TLS required for the HTTP query used to retrieve this certificate?  TLS shouldn't be needed since the certificate is a signed object.  Therefore, the "MUST" use TLS for cert retrieval should be changed to "SHOULD".  This is an application decision.  Mike Jones doesn't want removal of TLS in the case where there's no external means to verify the retrieved key.  Matt Miller: agrees with the jku case, but argues that for x5u, there is a class of applications where it isn't known if the retrieved object is self-protecting (like a certificate) until after it is retrieved.  Even if the object appears to be self-protecting, if the retriever doesn't have a trusted root for that object, it might not be able to verify the protection anyhow.  So it use of TLS might still be preferable instead of having to potentially retrieve an object twice, once over HTTP and then over HTTPS.  Joe Hildebrand wanted to know what the upside of this proposal is.  Richard says it saves on TLS handshakes; Hildebrand envisions a world where TLS is ubiquitous.  Paul Hoffman said that a similar issue in DANE ended up being dropped after a couple of months of discussion.  Richard agreed to drop the TLS MUST to SHOULD proposal.
> Russ is certainly right that for certs that chain back to a known root of trust, integrity protection isn’t necessary.  It’s also the case that this is not true of all certificates that might be used – especially  self-signed certificates intended only to carry a key value.  One possibility is to say that TLS MUST be used unless the certificate chains back to a known trust root accepted by the application.  Of course, just requiring TLS is simpler. Do people in the working group want to re-open this issue or are people content with the current requirements?
> I thought the requirement was confusing as well, however I thought the rationale might be entirely different:
> JOSE exists, in no small part, because of the difficulty in handling X.509 within JavaScript. Therefore even where a certificate [chain] is entirely valid and properly signed, a JOSE client dereferencing the URI almost certainly cannot validate the certificate - yet can validate those used in the TLS handshake because of the difference in the API calls possible. Indeed, it also cannot validate that the certificate's public key matches the private key in the JSON object; making use of a trusted source more important still.
> So I do support making the x5u require a dereference over TLS, however I also think the rationale[s] should be carefully documented in the specification otherwise the requirement is likely to be ignored.
> (More concretely, I think the specification ought to make TLS a SHOULD here, and explain the rationale, and in particular say that it might be relaxed only if a consuming application can perform X.509/PKIX path validation).
> Dave.