Re: [jose] SPI proposal

Richard Barnes <rlb@ipv.sx> Fri, 08 February 2013 21:56 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E14CF21F89FC for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 13:56:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.425
X-Spam-Level:
X-Spam-Status: No, score=-2.425 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, GB_I_LETTER=-2, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s6DHaILs7Y+V for <jose@ietfa.amsl.com>; Fri, 8 Feb 2013 13:56:42 -0800 (PST)
Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id 755A521F8BB7 for <jose@ietf.org>; Fri, 8 Feb 2013 13:56:41 -0800 (PST)
Received: by mail-la0-f54.google.com with SMTP id gw10so4276435lab.27 for <jose@ietf.org>; Fri, 08 Feb 2013 13:56:40 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=wZXpJlTpAfkdIJwI3h3LtnzOT3/9OhcWZ7HFGMaMyc0=; b=HlutPs96qsBUqGpUGyULLktEMlEOfhRUjEEOMQ8fH65PHduzCDB5guGS9ZkcOEofy9 tK4mq1+IiftrCnYF8EqZGzuGup9+6c529/X+cJkqc63O5AvRR+EQjHPE+qBKbremZjrD fc8AVoesjpXhbciaLz9yGwXUBnfPcc8HdFb+gLRDCJSFH6FkfJk2z8gJE2pvAX4VwD7F UFTxZPJc9Rz9bLPzVuqTD58A/n/Xj6EBec9dVm7ikgavFbWWaLCLQX8BPZogstcJl1Mb K6alMnLKU1vohCYVWKm9yWePwifRFtbZsBdAczAz6JnpPTCGRf4b8Hjq9mzzyeauNWtW 0M8w==
MIME-Version: 1.0
X-Received: by 10.112.49.106 with SMTP id t10mr2899965lbn.6.1360360599938; Fri, 08 Feb 2013 13:56:39 -0800 (PST)
Received: by 10.112.147.164 with HTTP; Fri, 8 Feb 2013 13:56:39 -0800 (PST)
X-Originating-IP: [192.1.51.63]
In-Reply-To: <CA+k3eCSgXXit3KbK0XHzbhadyXTOGxvrRBm6ha8XJQhieoY0nQ@mail.gmail.com>
References: <CAL02cgSt7w5CrP+DXo7bz_+YsxKsVMoRbZLNWa6EHjnAyScWMg@mail.gmail.com> <CA+k3eCQ_bsTxYq6u5BVe_Xk1ycOhAwWe=ebfAwk+66JavJJQfA@mail.gmail.com> <CAL02cgRvUvf39RyDOStRXZ1Ne6p9gLrAxjtH8kfmdhE4kWG-3w@mail.gmail.com> <CA+k3eCSgXXit3KbK0XHzbhadyXTOGxvrRBm6ha8XJQhieoY0nQ@mail.gmail.com>
Date: Fri, 8 Feb 2013 16:56:39 -0500
Message-ID: <CAL02cgSV0tOtHOACs8K=tmkGcKuUKpCYJ4Mb+OTeLi1UQ9uH4w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary=bcaec553feb45367a204d53da26b
X-Gm-Message-State: ALoCoQnW0a5PiANcZKkLIwfRSzDMczwG9yxVzhjkWg4e+0RdyW9X5ACcjUZwXvOjdkdTQT+v2GgV
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] SPI proposal
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2013 21:56:43 -0000

As Hannes points out, there are already a couple of examples of key
management protocols that are being built around JWT (and thus JWS/JWE).

I would actually be OK stripping away the protocol-like bits of the SPI
proposal (i.e., the part about putting things into the cache).  We could
just say: If a host uses an external process for agreeing on cryptographic
parameters for use with JOSE objects, then it MUST maintain a table,
indexed by SPI, and [reconstruct a full JWE before processing].  That way,
the key management protocols could focus on how to get stuff associated
with an SPI (including things like lifetimes, scoping, etc.).

That also provides a neat taxonomy to JOSE use cases:
1. The parties have engaged in pre-negotiation and agreed on all
parameters, so they just use SPI
2. The parties have only exchanged keys, so everything else needs to be
explicitly indicated.






On Fri, Feb 8, 2013 at 9:21 AM, Brian Campbell
<bcampbell@pingidentity.com>wrote;wrote:

> Seems to me that, in the absence of more advanced management, the use of
> spi is potentially very very fragile. And that, in many cases, such
> advanced management would be a lot more trouble than it's worth. But maybe
> I'm missing the bigger picture.
>
> My own applications of JOSE are in OpenID and OAuth (and similar) and the
> JOSE message is generally sent from one entity to another thought a web
> browser user agent as an intermediary. That situation doesn't lend itself
> well to use of spi or even easily creating some management protocol around
> it.
>
> WRT collision and scoping to sender, I had the same thought but there's
> not, AFAIK, a reliable way to identify the sender. No?
>
> Anyway, I get the point of just establishing the basic behavior. But I'd
> like to be careful not to inadvertently impose a lot of complexity or
> potential operational or security issues when doing so.
>
>
>
>
>
>
> On Thu, Feb 7, 2013 at 7:52 AM, Richard Barnes <rlb@ipv.sx> wrote:
>
>> The motivation here is not very deep.  A lot of the current design (e.g.,
>> the three-letter names) is focused on reducing header size.  The SPI
>> proposal further compresses header size in cases where two entities will be
>> exchanging many JOSE objects.  I understood from some discussions with
>> OpenID folks that this was often the case for their use cases.
>>
>> Obviously, you could build a whole management protocol around this stuff
>> (cf. IKE for IPsec).  Whatever application is using this would need to
>> figure out how to deal with the issues you note, as well as things like
>> what happens when an object shows up with an unknown SPI.  (I don't think
>> collision is an issue, if you can scope to sender; the sender just ensures
>> uniqueness.)  The idea of this basic proposal is to establish the basic
>> behavior, around which you could then wrap more advanced management.
>>
>> --Richard
>>
>>
>> On Thu, Feb 7, 2013 at 9:42 AM, Brian Campbell <
>> bcampbell@pingidentity.com> wrote:
>>
>>> Admittedly I'm not really up on this spi issue or the motivation behind
>>> it but a couple questions came to mind when I saw this. How does the
>>> receiver protect against unbounded growth of the cache? And index
>>> collision? And for distributed environments, it seems supporting this could
>>> be very cumbersome.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Feb 6, 2013 at 3:11 PM, Richard Barnes <rlb@ipv.sx> wrote:
>>>
>>>> To move us toward closing Issue #9 [9], here is some proposed text for
>>>> an SPI [1] field.  To recall, SPI stands for "security parameters index",
>>>> borrowing a term from IPsec.  The idea is that in cases where the same
>>>> crypto parameters are being used repeatedly, this would save the parties
>>>> from having to re-send the same parameters.
>>>>
>>>> The below text is designed for the JWE spec, but could be adapted for
>>>> JWS (just keep header, ignore part about key/iv).  Similar text is probably
>>>> needed for the encryption/decryption/signing/verification sections.
>>>>
>>>> Feedback welcome,
>>>> --Richard
>>>>
>>>> -----BEGIN-----
>>>> Section 4.1.X. "spi" Header Parameter
>>>>
>>>> The "spi" (Security Parameters Index) header parameter contains an
>>>> opaque byte string that labels a set of security parameters.  This index is
>>>> designed to enable the use of smaller headers in cases where entities will
>>>> be re-using the same security parameters for several messages.
>>>>
>>>> Entities supporting the use of the "spi" parameter MUST maintain a
>>>> table of cached security parameters.  When an entity receives an object
>>>> whose header contains both "spi" and "alg" values, then it MUST cache the
>>>> following values from the JWE, indexed by the "spi" value:
>>>> -- Contents of the JWE header
>>>> -- Encrypted Key
>>>> -- Initialization Vector
>>>>
>>>> If an object containing an "spi" parameter but no "alg" parameter, then
>>>> it MUST NOT contain an Encrypted Key or Initialization Vector.  That is, it
>>>> will have the form "header.ciphertext.integrity_value".  When a recipient
>>>> receives such an object, it uses the "spi" value to retrieve cached header,
>>>> key, and initialization vector and reconstructs a full JWE.  This full JWE
>>>> can then be further processed according to the normal JWE processing rules.
>>>>  If the recipient has no cached parameters for the "spi" value, the process
>>>> MUST fail.
>>>> -----END-----
>>>>
>>>>
>>>> [9] http://tools.ietf.org/wg/jose/trac/ticket/9
>>>>
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/jose
>>>>
>>>>
>>>
>>
>