[jose] Re: 2nd WGLC for draft-ietf-jose-fully-specified-algorithms (Fully Specified Algorithms)

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 14 September 2024 08:01 UTC

Date: Sat, 14 Sep 2024 11:01:22 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>, cose@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/qooqUtEcZxxTq7RVDCaZ4LaE878>

On Fri, Sep 13, 2024 at 07:19:55AM +0100, Neil Madden wrote:
> As myself and Filip Skokan have pointed out, the wording of section
> 3.1 currently (I believe accidentally) outlaws all of the ECDH-ES
> encryption algorithms, and any future KEM-based algorithms. So no,
> even if you support the idea, the document is not ready. 

What I think section 3.1 is trying to do is to prohibit algorithms
depending on each other. But it seems to accidentally extend that to
all algorithms being fully specified.

Now, arguably RFC7516/RFC9052 already has some dependencies between
algorithms, involving Direct Encryption and Direct Key Agreement.

However, as having dependencies between algorithms can very easily
cause serious interoperability, implementation and interface issues,
one should be extremely careful in introducing any new kind of
dependency. And in case of JOSE, any such dependency seems to inevitably
require updating RFC7516.

In addition, I think that RFC7516 already implicitly requires all "enc"
to be fully specified, and anything else would need to update RFC7516.

In COSE, algorithms with recipients are allowed to be polymorphic w.r.t.
headers. However, I think such algorithms are a bad idea.


Then section 3.2 looks like it should be an appendix. And section 3.2.2.
has:

"To convey a fully-specified Key Establishment with Direct Encryption
algorithm in JOSE, the "alg" value MUST be "dir", and the "enc" value
MUST be fully specified, specifying all essential parameters for both
key establishment and symmetric encryption.  For example: 'ECDH-ES
using P-256 and Concat-KDF with A128GCM' or 'ECDH-ES using X25519 and
Concat-KDF with A256GCM'."

This is illegal in JWE (enc is not symmetric AEAD). The correct way
would be to use "alg" like "ECDH-ES using P-256 and Concat-KDF" or
"ECDH-ES using X25519 and Concat-KDF" and then leave the rest to
"enc".




-Ilari
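
The following is an added example, not part of the message above or of the draft: a structural check on a JWE compact serialization showing why a header built as the quoted section 3.2.2 text describes fails on "enc", while key agreement carried in "alg" with an AEAD "enc" passes. It assumes only the "enc" values registered by RFC 7518, the registered "ECDH-ES" and "dir" values for "alg", and constructed tokens with placeholder "epk" coordinates; the long "enc" string is the draft's descriptive wording as quoted, used as a stand-in value.

```python
import base64
import json

# "enc" values registered by RFC 7518 section 5.1; every one is a symmetric AEAD.
AEAD_ENC = {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
            "A128GCM", "A192GCM", "A256GCM"}
DIRECT_ENCRYPTION = {"dir"}          # shared symmetric key is the CEK
DIRECT_KEY_AGREEMENT = {"ECDH-ES"}   # agreed key is the CEK, needs "epk"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, encrypted_key: bytes = b"") -> str:
    """Build a constructed compact JWE; IV, ciphertext and tag are dummy bytes."""
    parts = [json.dumps(header).encode(), encrypted_key, b"iv", b"ct", b"tag"]
    return ".".join(b64url(p) for p in parts)


def check_jwe_header(token: str) -> list:
    """Return structural problems with alg/enc; an empty list means acceptable."""
    parts = token.split(".")
    if len(parts) != 5:
        return ["compact JWE must have five parts"]
    try:
        raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        header = json.loads(raw)
    except ValueError:
        return ["protected header is not base64url-encoded JSON"]
    if not isinstance(header, dict):
        return ["protected header is not a JSON object"]
    problems = []
    alg, enc = header.get("alg"), header.get("enc")
    if not isinstance(enc, str) or enc not in AEAD_ENC:
        problems.append("enc is not a symmetric AEAD algorithm")
    if alg not in DIRECT_ENCRYPTION and alg not in DIRECT_KEY_AGREEMENT:
        problems.append("alg is not handled by this check")
    elif parts[1] != "":
        problems.append("JWE Encrypted Key must be empty for this alg")
    if alg in DIRECT_KEY_AGREEMENT and not isinstance(header.get("epk"), dict):
        problems.append("key agreement alg requires an epk header")
    return problems


# Constructed inputs. The first follows the quoted section 3.2.2 wording.
DRAFT_FORM = make_token({"alg": "dir",
                         "enc": "ECDH-ES using P-256 and Concat-KDF with A128GCM"})
# Key agreement in "alg", AEAD in "enc"; epk coordinates are placeholders.
SPLIT_FORM = make_token({"alg": "ECDH-ES", "enc": "A128GCM",
                         "epk": {"kty": "EC", "crv": "P-256", "x": "PLACEHOLDER", "y": "PLACEHOLDER"}})
```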