IETF Logo Mail Archive

Re: [jose] Key Managed JSON Web Signature (KMJWS) specification

Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 13 March 2015 05:52 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FE041AC432 for <jose@ietfa.amsl.com>; Thu, 12 Mar 2015 22:52:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uGJsvVfVMxh6 for <jose@ietfa.amsl.com>; Thu, 12 Mar 2015 22:52:41 -0700 (PDT)
Received: from mail-wg0-x235.google.com (mail-wg0-x235.google.com [IPv6:2a00:1450:400c:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB40F1AC428 for <jose@ietf.org>; Thu, 12 Mar 2015 22:52:40 -0700 (PDT)
Received: by wggx13 with SMTP id x13so20916597wgg.12 for <jose@ietf.org>; Thu, 12 Mar 2015 22:52:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=kbJ/Jp971g0uM6NF105v7EWO/0RrV+cy8n2NNdsbYyE=; b=TLcWXjb/26rcDWdJFraGR3jqIIn5HYntjCi4wSiA1lMcphNiJtkT6BnmjeSljiVJsX E/UE5Hhc6UykT0HvN6YDXLNjltMfAe+SVYpO1mr33WVPdnVThAkkIMutdfudvMw6aMVa e3VDCTCmMwKWtsudP/sWva/IK9NsVz0uX1ZXSGseuKYjzF3cibnCQaDtobJM7Qgrh3u6 IQjNnclU3n7cKnwmcHkZeCKXTtgGKYUTM3eE2dbLahlyNIc9YxJGt7sdbbgnN4dNLPuE /0NvWCvQhFK790GKO5M6yYru87IDU1kLGIXoHDV0LPnyLRG78iau3n2YzJM8oKI6NmGm htQw==
X-Received: by 10.180.87.66 with SMTP id v2mr15976378wiz.51.1426225959484; Thu, 12 Mar 2015 22:52:39 -0700 (PDT)
Received: from [192.168.1.79] (4.197.130.77.rev.sfr.net. [77.130.197.4]) by mx.google.com with ESMTPSA id pa4sm1332888wjb.11.2015.03.12.22.52.38 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 12 Mar 2015 22:52:38 -0700 (PDT)
Message-ID: <55027B14.4020702@gmail.com>
Date: Fri, 13 Mar 2015 06:52:20 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
References: <4E1F6AAD24975D4BA5B1680429673943A2E74771@TK5EX14MBXC292.redmond.corp.microsoft.com> <0f1e01d05c78$94573b00$bd05b100$@augustcellars.com> <BY2PR03MB4427BF68CEE0CE400972401F5060@BY2PR03MB442.namprd03.prod.outlook.com> <BY2PR03MB4420B9763C5DB021DEE13DBF5060@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB4420B9763C5DB021DEE13DBF5060@BY2PR03MB442.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/rn0seh8261c04HPZpZgQs6tpo24>
Subject: Re: [jose] Key Managed JSON Web Signature (KMJWS) specification
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 05:52:44 -0000

Hi Guys,

Mainly for satisfying my curiosity:
Would it be possible to get a minimal rationale/use-case for using encrypted MAC keys compared to traditional asymmetric signature schemes?
Is this scheme already featured in another standard or widely deployed system?

Cheers,
Anders

On 2015-03-12 16:55, Mike Jones wrote:
> I’ll add one other thing, Jim.  I’m sorry that you left the Denver meeting feeling like your idea for key management was dismissed. We should have pushed harder then to try to come up with an approach for that that would work for all.  I’ll try to personally take this an object lesson for future standards work.
>
> See you in Dallas!
>
>                                                              -- Mike
>
> *From:*jose [mailto:jose-bounces@ietf.org] *On Behalf Of *Mike Jones
> *Sent:* Thursday, March 12, 2015 12:37 AM
> *To:* Jim Schaad; jose@ietf.org
> *Subject:* Re: [jose] Key Managed JSON Web Signature (KMJWS) specification
>
> Hi Jim.  Thanks for responding and for your honest feedback.  While you may feel insulted (I’m genuinely sorry about that!), I’m to try to take the negatives you’ve expressed as positives, in the sense that they can constructively inform future work by the working group.
>
> One reason I wrote this draft was to get down a straightforward way of using key managed HMACs, should people want to do that in the future, especially since there’s talk of closing the working group soon.  The other reason I wrote it was to further illuminate the upsides and downsides of some of the choices we made in JWS and JWE, given we have a chance to reuse and/or revisit those choices should the COSE work go forward.
>
> Replies to your specific points follow inline…
>
> *From:*Jim Schaad [mailto:ietf@augustcellars.com]
> *Sent:* Wednesday, March 11, 2015 8:57 PM
> *To:* Mike Jones; jose@ietf.org <mailto:jose@ietf.org>
> *Subject:* RE: [jose] Key Managed JSON Web Signature (KMJWS) specification
>
>> I cannot respond for Richard, but personally I feel rather insulted by the current draft.  My first half a dozen responses were rather vulgar and pejorative to this draft and thus deleted.
>
>>
>
>> This draft seems to be, more or less, what Richard and I were proposing in Denver and were told was not possible due to backwards compatibility.  What has changed that this is no longer true?
>
> For what it’s worth, I’ve occasionally been thinking about key management for MACs ever since you and Richard raised the possibility in Denver.  Somewhere along the way I realized that there was a simple way to combine the JWE key management methods and the JWS MAC methods.  So I decided to write it down, while there was still a working group to consider it, should the working group decide to do so.
>
> If the reason you’re insulted is that you feel that you should receive more credit for some of the ideas, I’d be glad to point out in the Acknowledgements that you and Richard suggested the possibility of key-managed MACs and/or make you co-editors if you agree with the approach and would like to work more actively on it.  If the reason that you’re insulted is that you feel that we should have done this earlier, I think the verdict is still out on whether we need to do this at all.  Looking at http://trac.tools.ietf.org/wg/jose/trac/ticket/2, Karen made a consensus call that “we should not add the ability to have a randomly generated MAC key protected by a different key” based on working group input.
>
> I think the key question for the working group relative to this draft is whether people now want to see a standard way to do this or not.
>
> As for the backwards compatibility issues discussed in Denver, I know that several participants were opposed to seeing the JWS format for non-key-managed MACs change.  I suspect that’s what you’re referring to. The good news about the current draft is that it adds the ability to have key-managed MACs without such a change.
>
> Should we have thought of this approach then?  Probably.  Did we?  At least I didn’t.  I thought of it recently, so I decided to write it down.
>
>> Why is there need to have a compact formation for this draft?  We were told in no uncertain terms that this was completely unnecessary in Denver and thus was out of scope for the documents.
>
> I can’t remember the part of the discussion that you’re referring to in Denver and I can’t find it in the published notes.  The only uses of “compact” in the notes aren’t about this.
>
> That said, there’s a compact serialization for key managed MACs for the same reason that there’s a compact serialization for the other JOSE objects – to provide a compact, URL-safe representation for use cases that need it.  It also makes this draft more parallel to both JWS and JWE than it would otherwise be.
>
>> This document does not seem to have read the security considerations section of the JWS draft specifically dealing with the existence of multiple sharers of the secret key.
>
> I’m not sure I’m following you here, because different recipients use different ephemeral keys in this representation.  What’s the security consideration that you think wasn’t taken into account?
>
>> This document has messed up the current documentation in JWE about how to determine what type of document is being presented.  This is completely unacceptable.
>
> It’s backwards-compatible in the sense that if an implementation supports JWSs and JWEs but not KMJWSs (I’m still looking for a better name than KMJWS, BTW), the current rules all continue to do the right thing. If an implementation supports all three, yes, a little bit of additional logic would be needed, just like a little bit of additional code would be needed, but no breaking changes result.  A KMJWS is neither a legal JWS nor a legal JWE, so even if the existing discrimination rules were applied to a KMJWS and it was mis-categorized as one or the other, upon parsing, it would still be rejected, since it would be missing required properties.
>
>> There are now multiple representations of direct keying for mac.  This is a significant problem as one does not know which of the version one is supposed to be using.
>
> Thanks for pointing this out.  We should probably just prohibit the use of “alg”:”dir” in KMJWS so that there’s exactly one way of representing non-key-managed MACS – the existing way.
>
>> (The fact that I am half, if not all the way drunk has make this message much easier to write).
>
> I’m glad you enjoyed your evening. J
>
>> Jim
>
>                                                              Thanks again,
>
>                                                              -- Mike
>
> *From:*jose [mailto:jose-bounces@ietf.org] *On Behalf Of *Mike Jones
> *Sent:* Tuesday, March 03, 2015 2:42 AM
> *To:* jose@ietf.org <mailto:jose@ietf.org>
> *Subject:* [jose] Key Managed JSON Web Signature (KMJWS) specification
>
> I took a little time today and wrote a short draft specifying a JWS-like object that uses key management for the MAC key used to integrity protect the payload.  We had considered doing this in JOSE issue #2 <http://trac.tools.ietf.org/wg/jose/trac/ticket/2> but didn’t do so at the time because of lack of demand.  However, I wanted to get this down now to demonstrate that it is easy to do and specify a way to do it, should demand develop in the future – possibly after the JOSE working group <http://datatracker.ietf.org/wg/jose/charter/> has been closed.  See http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-00 or http://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-00.html.
>
> This spec reuses key management functionality already present in the JWE spec <http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption> and MAC functionality already present in the JWS spec <http://tools.ietf.org/html/draft-ietf-jose-json-web-signature>.  The result is essentially a JWS with an Encrypted Key value added, and a new “mac” Header Parameter value representing the MAC algorithm used.  (Like JWE, the key management algorithm is carried in the “alg” Header Parameter value.)
>
> I also wrote this now as possible input into our thinking on options for creating a CBOR <http://tools.ietf.org/html/rfc7049> JOSE mapping.  If there are CBOR use cases needing managed MAC keys, this could help us reason about ways to structure the solution.
>
> Yes, the spec name and abbreviation are far from catchy.  Better naming ideas would be great.
>
> Feedback welcomed.
>
>                                                              -- Mike
>
> P.S.  This note was also posted at http://self-issued.info/?p=1344 and as @selfissued.
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

v2.23.0 | Report a Bug | By Email