Re: [jose] #18: Address MAC key lifetime concerns

"jose issue tracker" <trac+jose@trac.tools.ietf.org> Fri, 05 April 2013 22:15 UTC

Return-Path: <trac+jose@trac.tools.ietf.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F41321F98F8 for <jose@ietfa.amsl.com>; Fri, 5 Apr 2013 15:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.574
X-Spam-Level:
X-Spam-Status: No, score=-102.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hN6DQrOPQjKA for <jose@ietfa.amsl.com>; Fri, 5 Apr 2013 15:15:34 -0700 (PDT)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [IPv6:2a01:3f0:1:2::30]) by ietfa.amsl.com (Postfix) with ESMTP id E94D821F98D0 for <jose@ietf.org>; Fri, 5 Apr 2013 15:15:26 -0700 (PDT)
Received: from localhost ([127.0.0.1]:58681 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.80) (envelope-from <trac+jose@trac.tools.ietf.org>) id 1UOEup-0007Nm-ID; Sat, 06 Apr 2013 00:15:23 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "jose issue tracker" <trac+jose@trac.tools.ietf.org>
X-Trac-Version: 0.12.3
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.3, by Edgewall Software
To: draft-ietf-jose-json-web-signature@tools.ietf.org, rlb@ipv.sx
X-Trac-Project: jose
Date: Fri, 05 Apr 2013 22:15:23 -0000
X-URL: http://tools.ietf.org/jose/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/jose/trac/ticket/18#comment:1
Message-ID: <064.cb00c32d0f9dcf421e1ee2141cb6ca21@trac.tools.ietf.org>
References: <049.d29eb38c96b761dee70b1317e2c051c7@trac.tools.ietf.org>
X-Trac-Ticket-ID: 18
In-Reply-To: <049.d29eb38c96b761dee70b1317e2c051c7@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: draft-ietf-jose-json-web-signature@tools.ietf.org, rlb@ipv.sx, jose@ietf.org
X-SA-Exim-Mail-From: trac+jose@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: mbj@microsoft.com, n-sakimura@nri.co.jp, ve7jtb@ve7jtb.com
Resent-Message-Id: <20130405221526.E94D821F98D0@ietfa.amsl.com>
Resent-Date: Fri, 5 Apr 2013 15:15:26 -0700 (PDT)
Resent-From: trac+jose@trac.tools.ietf.org
Cc: jose@ietf.org
Subject: Re: [jose] #18: Address MAC key lifetime concerns
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 22:15:35 -0000

#18: Address MAC key lifetime concerns


Comment (by rlb@ipv.sx):

 As I have argued before, it is my strong opinion that option (1) is the
 simpler thing to do.  There is no great complexity: The key wrapping
 mechanism is already defined in JWE, so this would simply apply it to JWS
 as well.

 Writing the proper considerations for option (2) would be much harder,
 because you have to specify what an OOB protocol needs to do.  (Easier to
 just write the protocol!) Option (2) would also fail to address a known
 security gap in the base protocol, which seems irresponsible.   This
 protocol needs to be secure without having to rely on something external.

-- 
-------------------------+-------------------------------------------------
 Reporter:  rlb@ipv.sx   |       Owner:  draft-ietf-jose-json-web-
     Type:  defect       |  signature@tools.ietf.org
 Priority:  major        |      Status:  new
Component:  json-web-    |   Milestone:
  signature              |     Version:
 Severity:  -            |  Resolution:
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/18#comment:1>
jose <http://tools.ietf.org/jose/>