Re: [jose] #15: Broken examples in JWE / JWS

Brian Campbell <bcampbell@pingidentity.com> Mon, 25 March 2013 12:16 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 25 Mar 2013 06:15:52 -0600
Message-ID: <CA+k3eCR+GGRA_CSRXktGzGqV-8aZuvpYBDAR8UUFeZ0=NiEMAw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #15: Broken examples in JWE / JWS
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>

 /* special magic */ is just some out of band agreement on the key to use
or how to infer it. Which isn't really special or magic. But probably
pretty common.


On Fri, Mar 22, 2013 at 7:37 PM, Richard Barnes <rlb@ipv.sx> wrote:

> I've renamed the issue to try to clarify.
>
> You're right that there are alternative ways to locate a key.  But a JOSE
> object needs to contain at least one of them, or else the /* special magic
> */ clause applies.
>
> --Richard
>
>
> On Fri, Mar 22, 2013 at 9:15 PM, Jim Schaad <ietf@augustcellars.com> wrote:
>
>> This may or may not be a flaw in the specification.  However the item you
>> created in the tracker does not reflect what you have put here.  I think
>> you would be better served by saying that there is a flaw in the
>> specifications in that there should be a MUST that some type of key or key
>> reference is required in a JWS or JWE.
>>
>> I would note that your example code should be more complex in that it
>> does not deal with jku or any of the x* methods of referencing keys.
>>
>> Jim
>>
>>
>> From: Richard Barnes [mailto:rlb@ipv.sx]
>> Sent: Friday, March 22, 2013 4:09 PM
>> To: Jim Schaad
>> Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; jose@ietf.org
>> Subject: Re: [jose] #15: Broken examples in JWE / JWS
>>
>> I admit that they are not broken according to the current spec.  However,
>> I have a lot of trouble figuring out how I would write code to process them.
>>
>> If "kid" or "jwk" MUST be present to indicate what key I should use, then
>> I can have deterministic code:
>>
>>     if (/* recognized "kid" or "jwk" value */) {
>>         /* use it */
>>     } else {
>>         /* FAIL.  can't process this object */
>>     }
>>
>> As the spec stands, I have no idea what to put in that "else" clause.
>> I'm clearly not supposed to fail, because the parameters are optional.
>> But what else?
>>
>>     if (/* recognized "kid" or "jwk" value */) {
>>         /* use it */
>>     } else {
>>         /* insert special magic here */
>>     }
>>
>> This is actually what SPI is supposed to clear up.  SPI would provide an
>> explicit third branch for the special magic to live in.
>>
>>     if (/* recognized "kid" or "jwk" value */) {
>>         /* use it */
>>     } else if (/* recognized SPI value */) {
>>         /* process using stored parameters */
>>     } else {
>>         /* FAIL.  can't process this object */
>>     }
>>
>> But without the concept of SPI, the spec is broken because of the
>> non-determinism noted above.
>>
>> --Richard
>>
>> On Fri, Mar 22, 2013 at 6:13 PM, Jim Schaad <ietf@augustcellars.com>
>> wrote:
>>
>> My inclination is that this response is correct.
>>
>> What makes you think that the key or key reference is required and cannot
>> be implied?
>>
>> Jim
>>
>>
>>
>> > -----Original Message-----
>> > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
>> > jose issue tracker
>> > Sent: Friday, March 22, 2013 2:37 PM
>> > To: draft-ietf-jose-json-web-encryption@tools.ietf.org;
>> > ignisvulpis@gmail.com
>> > Cc: jose@ietf.org
>> > Subject: Re: [jose] #15: Broken examples in JWE / JWS
>> >
>> > #15: Broken examples in JWE / JWS
>> >
>> > Comment (by ignisvulpis@gmail.com):
>> >
>> >  I think this is not an issue. The examples are NOT broken and they do
>> >  not need a fix.
>> >  I suggest closing this ticket.
>> >  The draft should definitely not make these illegal. These objects are
>> >  perfect examples for a valid JWS/JWE.
>> >
>> > --
>> > -------------------------+-------------------------------------------------
>> >  Reporter:  rlb@ipv.sx   |       Owner:  draft-ietf-jose-json-web-
>> >      Type:  defect       |  encryption@tools.ietf.org
>> >  Priority:  minor        |      Status:  new
>> > Component:  json-web-    |   Milestone:
>> >   encryption             |     Version:
>> >  Severity:  -            |  Resolution:
>> >  Keywords:               |
>> > -------------------------+-------------------------------------------------
>> >
>> > Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/15#comment:1>
>> > jose <http://tools.ietf.org/jose/>
>> >
>> > _______________________________________________
>> > jose mailing list
>> > jose@ietf.org
>> > https://www.ietf.org/mailman/listinfo/jose
>>
>>
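The three branches Richard sketches above (a recognized "kid" or "jwk", some stored out-of-band agreement, or FAIL), carried through as working Python. This is an added example, not code from the thread or from any JOSE implementation. It assumes a constructed key set indexed by "kid", one symmetric key agreed out of band (Brian's "special magic" branch), HS256 as the only permitted algorithm, and "oct" JWKs only; "jku" and the x5* parameters Jim mentions need a fetch or a certificate path check, so this offline version refuses them outright rather than skipping them. The header is attacker-controlled, so an embedded "jwk" is used only when its RFC 7638 thumbprint is already pinned.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> bytes:
    # RFC 7638: required members only, sorted, no whitespace, SHA-256.
    # Only "oct" keys are handled here; pinning works the same for RSA/EC.
    if jwk.get("kty") != "oct" or "k" not in jwk:
        raise KeyError("only oct JWKs are handled in this example")
    canonical = json.dumps({"k": jwk["k"], "kty": "oct"},
                           separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).digest()


# Constructed sample material (not real keys): a key set indexed by "kid",
# one key agreed out of band (the thread's "special magic"), and the
# thumbprint of the single key accepted if it arrives embedded as "jwk".
KEYS_BY_KID = {"2013-03-22": b"\x01" * 32, "backup": b"\x02" * 32}
OUT_OF_BAND_KEY = b"\x03" * 32
PINNED_THUMBPRINTS = {
    jwk_thumbprint({"kty": "oct", "k": b64url_encode(KEYS_BY_KID["backup"])})
}


def resolve_key(header, keys_by_kid, pinned_thumbprints, out_of_band_key):
    """Deterministic key selection; returns (key, how) or raises KeyError.

    Order: "kid", then an embedded "jwk", then the out-of-band key. "jku",
    "x5u", "x5c" and "x5t" need a fetch or a certificate path check, which
    this offline example refuses rather than silently skipping.
    """
    kid = header.get("kid")
    if kid is not None:
        if kid in keys_by_kid:
            return keys_by_kid[kid], "kid"
        raise KeyError("unknown kid %r" % (kid,))
    jwk = header.get("jwk")
    if jwk is not None:
        # The header is attacker-controlled: an embedded key is a hint,
        # not a credential, so use it only if it is one we already pinned.
        if not isinstance(jwk, dict) or jwk_thumbprint(jwk) not in pinned_thumbprints:
            raise KeyError("embedded jwk is not a pinned key")
        return b64url_decode(jwk["k"]), "jwk"
    for param in ("jku", "x5u", "x5c", "x5t"):
        if param in header:
            raise KeyError("%s needs an external lookup, not supported here" % param)
    if out_of_band_key is not None:
        return out_of_band_key, "out-of-band"
    raise KeyError("no key reference in header and no out-of-band agreement")


def sign_hs256(header: dict, payload: bytes, key: bytes) -> str:
    h = b64url_encode(json.dumps(dict(header, alg="HS256"),
                                 separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(payload)
    sig = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    return h + "." + p + "." + b64url_encode(sig)


def verify_hs256(jws: str, keys_by_kid=KEYS_BY_KID,
                 pinned_thumbprints=PINNED_THUMBPRINTS,
                 out_of_band_key=OUT_OF_BAND_KEY):
    """Verify a compact HS256 JWS; returns (payload, how) or raises."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Fix the algorithm before choosing a key; the header must not pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected header or alg")
    key, how = resolve_key(header, keys_by_kid, pinned_thumbprints, out_of_band_key)
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return b64url_decode(parts[1]), how


def is_rejected(jws: str, **kwargs) -> bool:
    """True if the verifier takes the FAIL branch for this object."""
    try:
        verify_hs256(jws, **kwargs)
    except (KeyError, ValueError, TypeError, AttributeError):
        return True
    return False
```

Passing `out_of_band_key=None` to `verify_hs256` turns the example into Richard's first, fully deterministic form: an object with no recognizable key reference is simply rejected. Leaving it set is the "special magic" branch Brian describes, and it is worth noting that the choice between those two behaviours lives in the verifier's configuration, not in anything the JWS itself carries.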