Re: [jose] JWP
Neil Madden <neil.madden@forgerock.com> Thu, 28 July 2022 17:13 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8F67C1C50C0 for <jose@ietfa.amsl.com>; Thu, 28 Jul 2022 10:13:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8seB1VOpU-2R for <jose@ietfa.amsl.com>; Thu, 28 Jul 2022 10:13:10 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0E97C1C50C3 for <jose@ietf.org>; Thu, 28 Jul 2022 10:13:10 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id z16so2998005wrh.12 for <jose@ietf.org>; Thu, 28 Jul 2022 10:13:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=ApVsVkTH/gtdqsGLh5IuwR/M7scyTt/pL0alr8r79ko=; b=R1y23+vpAIBn1UUxzHMzwcfXDppx02Bgcs6L7hG/WdF06AndOapHkHQOvkzNUlvhw2 x98vvT013SCeByM3dUN5Z1LYNobumWaxvG03XaaWPSMmDdCWTUbgFU7fA8fCiILHPDkK +VgU9NF0nvfohm1lWq9jl00tsBHZamd/2IxU0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=ApVsVkTH/gtdqsGLh5IuwR/M7scyTt/pL0alr8r79ko=; b=eWD9I+T24lL7L0qw+Pr90QfK/7QzyOQl5quayciUom2kptzA0SAaZnPwu9AgYCMoH/ AXLUp9LaUvFz0zl47a2pOAVN8KVKaNa8hrZbmHGJ9cCxbJ2vhigEGjSNQD0agu3oyVM/ BAX6GOo5VrJp6k0TTKjlo67mY3fpM4Zp+LWmDeOGdCRVaD+vyO+R/7Ci7f01jcIYmKYU huM8+B6CAlx++8toKlwYKdzYUzrpdbzyYxwdThzVaaGblNQvgy4CjTHyaJ/yMRb5eTow kX5LxOSyYIWkExyvWyCJibGZNPRo4dGXnx4RQrPogtLWFbi28ar0jb43bbD/vlkarueg NvZg==
X-Gm-Message-State: AJIora9Sv1VBSLFyDKBfrkllD3xKaljed0yETwJLMOeWVE2oGzcjl3s0 /pcyQ5LyCSruoyePpJvU90Qc/ykrQTFHUUy7zcQMq9Jcwu7db2ikYHh5i1JYxN0J8/oV0aaMoFP DpUbKdQNMXIbMRk0oxqKTT32JLXzzMFrcjE/vP06aehuIEcLmv5/RpZQGpmQkFsC9/oA=
X-Google-Smtp-Source: AGRyM1ttn7Vk14vGLQSEVAFPpFeIdwOt1x7KMn8lWgf6utv/2vVqpcxhyELgM4zha5q8x27rLLxGNA==
X-Received: by 2002:a05:6000:1d83:b0:21e:9ed9:9f65 with SMTP id bk3-20020a0560001d8300b0021e9ed99f65mr9427740wrb.680.1659028388708; Thu, 28 Jul 2022 10:13:08 -0700 (PDT)
Received: from smtpclient.apple (181.213.93.209.dyn.plus.net. [209.93.213.181]) by smtp.gmail.com with ESMTPSA id t123-20020a1c4681000000b00397402ae674sm6241906wma.11.2022.07.28.10.13.07 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 28 Jul 2022 10:13:08 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-FD6CB123-1251-459F-812E-0BD5E0932D80"
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 28 Jul 2022 18:13:06 +0100
Message-Id: <A0CF699F-5F77-4401-92B7-CCEE4340FF5F@forgerock.com>
References: <CAAFNpxs0bUFKu40QbsKzYBYKjGiMy982mDiDqvGjjdA56ESg2g@mail.gmail.com>
Cc: Tobias Looker <tplooker@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, jose@ietf.org
In-Reply-To: <CAAFNpxs0bUFKu40QbsKzYBYKjGiMy982mDiDqvGjjdA56ESg2g@mail.gmail.com>
To: Jeremie Miller <jeremie.miller@gmail.com>
X-Mailer: iPhone Mail (19F77)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/roiGMAKpthYLOfSo5kg8wvcIWeU>
Subject: Re: [jose] JWP
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 17:13:14 -0000
> On 28 Jul 2022, at 16:47, Jeremie Miller <jeremie.miller@gmail.com> wrote: >> >> > No, to prevent this the issuer simply puts these sorts of claims in the header, which is not subject to selective disclosure, e.g the prover cannot create a valid proof/presentation without disclosing the original un-modified header. >> >> That is a very non-standard use of the header. AFAICT such usage is not compatible with RFC 7800, and I would guess that it may well lead to security issues as implementations won’t be looking for these claims in the header but rather in the claims set. > > That's one of the reasons we're proposing JWP as another specification, it is not compatible with existing JWTs+PoP. > > Also, a current security assumption baked into the JWP draft is that all presentations are not replayable. While this can be accomplished with a proof-of-possession it is not the only mechanism an algorithm could use, BBS for example supports this without requiring a traditional PoP. > So I guess then why do this in the JOSE working group if the work has little in common with existing JOSE specs and semantics? Different algorithms, different formats, different processing rules. It’s not clear if JWP could even reuse the IANA JWT Claims registry if you’re saying that it’s not compatible with some of them (eg cnf). The proposed new charter says: “The current JOSE and JWT specifications are not sufficiently general to enable use of these newer techniques. The reconstituted JSON Object Signing and Encryption (JOSE) working group will build on what came before but also rectify these shortcomings.” But from these discussions it seems that JWP is really its own separate thing. (Indeed the JOSE specs are already criticised for trying to be too general). — Neil
- [jose] JWP Richard Barnes
- Re: [jose] JWP Tobias Looker
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Tobias Looker
- [jose] Fwd: JWP Orie Steele
- Re: [jose] JWP Mike Prorock
- Re: [jose] JWP David Waite
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Torsten Lodderstedt
- Re: [jose] JWP Anders Rundgren
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Tobias Looker
- Re: [jose] JWP Zundel, Brent
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Mike Jones
- Re: [jose] JWP Zundel, Brent
- Re: [jose] JWP Richard Barnes
- Re: [jose] [EXTERNAL] Re: JWP Christian Paquin