Re: [jose] JWK Thumbprint spec incorporating feedback from IETF 90
Mike Jones <Michael.Jones@microsoft.com> Fri, 25 July 2014 18:21 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 272F31A040C for <jose@ietfa.amsl.com>; Fri, 25 Jul 2014 11:21:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TYDg6DP10JzN for <jose@ietfa.amsl.com>; Fri, 25 Jul 2014 11:21:03 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0185.outbound.protection.outlook.com [207.46.163.185]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2CE21A03CB for <jose@ietf.org>; Fri, 25 Jul 2014 11:21:02 -0700 (PDT)
Received: from BY2PR03CA040.namprd03.prod.outlook.com (10.141.249.13) by BLUPR03MB248.namprd03.prod.outlook.com (10.255.213.26) with Microsoft SMTP Server (TLS) id 15.0.990.7; Fri, 25 Jul 2014 18:20:59 +0000
Received: from BY2FFO11FD009.protection.gbl (2a01:111:f400:7c0c::190) by BY2PR03CA040.outlook.office365.com (2a01:111:e400:2c5d::13) with Microsoft SMTP Server (TLS) id 15.0.995.14 via Frontend Transport; Fri, 25 Jul 2014 18:20:59 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD009.mail.protection.outlook.com (10.1.14.73) with Microsoft SMTP Server (TLS) id 15.0.980.11 via Frontend Transport; Fri, 25 Jul 2014 18:20:58 +0000
Received: from TK5EX14MBXC293.redmond.corp.microsoft.com ([169.254.2.111]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0195.002; Fri, 25 Jul 2014 18:20:16 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] JWK Thumbprint spec incorporating feedback from IETF 90
Thread-Index: AQHPqDUVsMUyHs2ofE6QVF/ojvyVAA==
Date: Fri, 25 Jul 2014 18:20:16 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439ADF064E@TK5EX14MBXC293.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739439ADDDB5B@TK5EX14MBXC294.redmond.corp.microsoft.com>, <255B9BB34FB7D647A506DC292726F6E1154BC0A106@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1154BC0A106@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439ADF064ETK5EX14MBXC293r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(438002)(51914003)(377454003)(199002)(189002)(81542001)(85852003)(68736004)(69596002)(44976005)(19580405001)(26826002)(83322001)(55846006)(19580395003)(79102001)(77982001)(15975445006)(6806004)(76482001)(87936001)(84676001)(2656002)(99396002)(84326002)(83072002)(81342001)(71186001)(16236675004)(33656002)(16297215004)(74502001)(97736001)(92726001)(106466001)(54356999)(76176999)(4396001)(92566001)(81156004)(74662001)(86612001)(15202345003)(86362001)(107886001)(107046002)(31966008)(80022001)(50986999)(106116001)(46102001)(20776003)(64706001)(104016003)(19625215002)(21056001)(85306003)(19617315012)(77096002)(95666004); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR03MB248; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 02830F0362
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/u9LXYdA11TUxxZoK5PiJStVLL14
Subject: Re: [jose] JWK Thumbprint spec incorporating feedback from IETF 90
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jul 2014 18:21:06 -0000
Thanks for the useful review, James. A few comments... Why do you write "there can be alternative representations for a given mathematical key, each giving a different thumbprint"? Do you have an example? You'll note that JWA 6.2.1, 6.3.1, and 6.4 do already say which members are required, so there's no need to repeat this info in the registry. I will add text saying that optional members such as "use" are never used in the thumbprint, even if required for some applications. As for why the "kty" registry is where it is, that's because the "kty" values such as "RSA" are defined there - since they're algorithm specific. -- Mike ________________________________ From: Manger, James<mailto:James.H.Manger@team.telstra.com> Sent: 7/25/2014 3:48 AM To: Mike Jones<mailto:Michael.Jones@microsoft.com>; jose@ietf.org<mailto:jose@ietf.org> Subject: Re: [jose] JWK Thumbprint spec incorporating feedback from IETF 90 Mike, > http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-01 These JWK thumbprint changes are ok (saying anything “unusual” is undefined, to avoid defining canonical JSON). However, the more important issues have not been addressed. See my earlier comments http://www.ietf.org/mail-archive/web/jose/current/msg04054.html Are JWK thumbprints suitable to use on a blacklist of revoked keys? Almost certainly not. The spec needs to be much clearer about when it is and isn’t suitable to use these thumbprints. SUGGESTION: Add this introductory text. A JWK thumbprint is a short label that unambiguously identifies a single mathematical key. When a thumbprint from another party matches a thumbprint you have, it is safe to assume the other party is referring to the same mathematical key as you. A matching thumbprint does not indicate that the other party has the same metadata about the key (eg algorithms, key-id, etc). When thumbprints do not match, it does not guarantee that different keys are being referenced as there can be alternative representations for a given mathematical key, each giving a different thumbprint. Consequently, a list of thumbprints is not a suitable way represent a blacklist of revoked keys, for instance. SUGGESTION: Add a paragraph to the Security Considerations section warning against using JWK thumbprints in a blacklist. (perhaps based on the 2nd paragraph from the suggestion above) The thumbprint spec say only REQUIRED fields are included in a thumbprint. The JWK spec says: “Use of the "use" member is OPTIONAL, unless the application requires its presence.” I hope this doesn’t imply that “use” is sometimes omitted from the thumbprint, but sometimes included in the thumbprint because some applications require its presence. Since you need special knowledge for each specific “kty” value to calculate a thumbprint (ie the fields to include for that “kty” value), it would be better to require each definition of a new “kty” value to explicitly list its thumbprint fields. SUGGESTION: Modify the JSON Key Types Registry [JWA, section 7.4] to include a “Thumbprint fields” item. Modify draft-jones-jose-jwk-thumbprint to refer to this item, instead of REQUIRED fields. Thumbprint fields: List of fields (in addition to “kty”) that are included when calculating a thumbprint for a key with this “kty” value. o "kty" Parameter Value: "EC" o Thumbprint fields: "crv", "x", "y" o "kty" Parameter Value: "RSA" o Thumbprint fields: "e", "n" o "kty" Parameter Value: "oct" o Thumbprint fields: "k" It is strange to define JWK in one spec, but establish a registry for type of JWKs in a different spec [JWA]. SUGGESTION: Move JWA sections 7.4 and 7.4.1 to the JWK spec. -- James Manger From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones Sent: Thursday, 24 July 2014 1:13 AM To: jose@ietf.org Subject: [jose] JWK Thumbprint spec incorporating feedback from IETF 90 I’ve updated the JSON Web Key (JWK) Thumbprint specification to incorporate the JOSE working group feedback on the -00 draft from IETF 90<http://www.ietf.org/meeting/90/>. The two changes were: · Said that the result is undefined if characters requiring escaping are needed in the hash input. · Added instructions for representing integer numeric values in the hash input. If a canonical JSON representation standard is ever adopted, this specification could be revised to use it, resulting in unambiguous definitions for those values (which are unlikely to ever occur in JWKs) as well. (Defining a complete canonical JSON representation is very much out of scope for this work!) The specification is available at: · http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-01
- [jose] JWK Thumbprint spec incorporating feedback… Mike Jones
- Re: [jose] JWK Thumbprint spec incorporating feed… Manger, James
- Re: [jose] JWK Thumbprint spec incorporating feed… Mike Jones
- Re: [jose] JWK Thumbprint spec incorporating feed… Manger, James