IETF Logo Mail Archive

Re: [jose] Comments on version 11 of draft-ietf-jose-json-web-encryption

Mike Jones <Michael.Jones@microsoft.com> Fri, 12 July 2013 15:44 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E4AB11E8125 for <jose@ietfa.amsl.com>; Fri, 12 Jul 2013 08:44:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.676
X-Spam-Level:
X-Spam-Status: No, score=-3.676 tagged_above=-999 required=5 tests=[AWL=-0.078, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SVAq9n3RXiu7 for <jose@ietfa.amsl.com>; Fri, 12 Jul 2013 08:44:29 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0203.outbound.protection.outlook.com [207.46.163.203]) by ietfa.amsl.com (Postfix) with ESMTP id 6BD7B21F9AD6 for <jose@ietf.org>; Fri, 12 Jul 2013 08:44:28 -0700 (PDT)
Received: from BY2FFO11FD024.protection.gbl (10.1.15.201) by BY2FFO11HUB027.protection.gbl (10.1.14.113) with Microsoft SMTP Server (TLS) id 15.0.717.3; Fri, 12 Jul 2013 15:32:44 +0000
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD024.mail.protection.outlook.com (10.1.15.213) with Microsoft SMTP Server (TLS) id 15.0.717.3 via Frontend Transport; Fri, 12 Jul 2013 15:32:43 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.146]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.03.0136.001; Fri, 12 Jul 2013 15:32:33 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>
Thread-Topic: Comments on version 11 of draft-ietf-jose-json-web-encryption
Thread-Index: Ac5/FQNss9rx8bF6TMSY6Z9MVdCc0w==
Date: Fri, 12 Jul 2013 15:32:32 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B6B95AC@TK5EX14MBXC283.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436B6B95ACTK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(43784003)(199002)(189002)(51914003)(13464003)(377454003)(83072001)(33656001)(63696002)(74662001)(54316002)(74706001)(47976001)(65816001)(31966008)(49866001)(74366001)(77096001)(71186001)(66066001)(56816003)(15202345003)(44976005)(19300405004)(51856001)(81342001)(53806001)(6806004)(77982001)(59766001)(47736001)(47446002)(54356001)(79102001)(55846006)(46102001)(56776001)(76786001)(76176001)(76482001)(512954002)(16406001)(20776003)(81542001)(50986001)(74876001)(4396001)(80022001)(74502001)(69226001)(76796001)(16236675002); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB027; H:TK5EX14MLTC104.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0905A6B2C7
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Comments on version 11 of draft-ietf-jose-json-web-encryption
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2013 15:44:35 -0000

These changes have been applied in the -12 specs.  Responses inline...

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Friday, June 28, 2013 8:39 PM
To: Mike Jones
Cc: jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: Comments on version 11 of draft-ietf-jose-json-web-encryption



From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Friday, June 28, 2013 4:45 PM
To: Jim Schaad
Cc: jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: Comments on version 11 of draft-ietf-jose-json-web-encryption

Responses inline...

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Friday, June 28, 2013 12:39 PM
To: Mike Jones
Cc: jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: Comments on version 11 of draft-ietf-jose-json-web-encryption



From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Thursday, June 27, 2013 3:50 PM
To: Jim Schaad
Cc: jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: Comments on version 11 of draft-ietf-jose-json-web-encryption


Thanks for the useful review comments, Jim.  Replies inline prefixed by "Mike>"...



-----Original Message-----
From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Saturday, June 15, 2013 2:08 PM
To: draft-ietf-jose-json-web-encryption@tools.ietf.org<mailto:draft-ietf-jose-json-web-encryption@tools.ietf.org>
Cc: jose@ietf.org<mailto:jose@ietf.org>
Subject: Comments on version 11 of draft-ietf-jose-json-web-encryption



Gentlemen,



Here are a few comments for consideration.  Note that some of the comments from the JWS review are also applicable to this document as much of the language in places is the same.



1.  In Section 4.1.2 - You probably want to say an AEAD algorithm not an AE algorithm



Mike> The problem with the "AEAD" terminology is that it implies both algorithm and encoding properties.  We want the algorithm properties but not the encoding properties defined by RFC 5116.  Thus, a conscious terminology change was made in -08 to longer use the term "AEAD".



[JLS] The term AEAD has nothing to do with the encoding properties defined in RFC 5116.  AE and AEAD algorithms are very distinct.  One offers only authenticated encryption and the other adds the associated data.  They are not to be confused.

Mike> OK - What's a good reference for the term that's not RFC 5116?

[JLS] You don't need one - if you are worried about it rather than just doing an inline abbrev (i.e. Authenticated Encryption with Associated Data (AEAD)) then define it in the terms.

Mike> Done


3.  In section 4.1.4 - Does the group agree that compression is a required feature to implement?



Mike> This feature was discussed at IETF 83 and has been in place in the current form ever since -02.  I'd be shocked if people didn't believe this feature was necessary.



[JLS]  So in your opinion, it is an absolute requirement that my code implement zip, but not that it implement jwk.  This makes absolutely no sense to me.  I am not asking if there is a requirement that it be present in the document.  I am asking if it is a required to implement feature.



Mike> The rationale for this is that people (Eric Rescorla, I think) thought that since "zip" processing changes the ciphertext, that not supporting it would give a weapon to attackers, enabling them to substitute one ciphertext for another.  Since there are security implications in not implementing it, it's MTI.



[JLS] I would have to talk to EKR about this.  Given that you compress before you encrypt and we are authenticating either the post encrypted stream or the post compressed stream I don't see where this is a real security issue.



4.  Why not reference sections 4.1.5 - 10 by reference with a comment that these refer to the key that was used to encrypt the content?  Is there a benefit of having them listed here?  Is there a difference in the way they are interpreted other than the recipient/originator thing?



Mike> I assume you mean reference them in JWS?  There's a complete list here so that it's clear to JWE implementers what the reserved header parameters are without having to reference other specs.  And yes, the JWS and JWE key selection parameters are the same other than the JWS sender/JWE receiver difference.



[JLS] That does not make sense to me.  There are lots of times that referencing other specifications makes a lot of sense.  You certainly be that this is true when it comes to security considerations.  I believe that it is equally true here.  I did not say don't list time, I said that you should reference the sections in the signature draft.



Mike> I have no objection to adding a reference saying that related parameter definitions are also contained in JWS 4.1.2 - 4.1.5.



[JLS] I have no objection to saying the complete definition is in JWS as the entire text of the section.



5.  Why not reference sections 4.1.11-12 from the JWS document?  Is there a difference in the way they are interpreted?



Mike> (Apparently I didn't understand what you were suggesting in 4, having seen this next question.)  In any event, in JWS they reference the key that is used to verify the signature.  In JWE they reference the key to which the content was encrypted.  That's the difference in all these parameters.



Mike> I have no objection to adding a reference saying that the related parameter definitions are also contained in JWS 4.1.8 - 4.1.9.



Mike> I want to do this change in more comprehensive manner, rather than locally, if we do it.  I'll continue thinking about how to best do this.



6.  If we are not going with an alphabetic order of names, the I would suggest that apu should be next to exp as they are used in the same context and therefore having them adjacent makes sense.



Mike> Actually, Richard had suggested moving "apu" to the key agreement section in JWA, since its use is algorithm-specific.  I think I agree with him.



[JLS] that's a fine approach as well.



Mike> Done



7.  Is there a reason not to reference 4.1.14 from JWS?  Is there a difference in interpretation?



Mike> Stylistically, it seems easier for implementers of JWE to have a complete list of general-purpose parameter definitions than to have some here and some there.  The example is also different, because one is a JWS header and the other is a JWE header.



Mike> I have no objection to adding a reference saying that the related parameter definition is also contained in JWS 4.1.10.



Mike> Same status as 5.



                                                                Thanks again,

                                                                -- Mike



Jim

v2.23.0 | Report a Bug | By Email