Re: [jose] #29: Add an explicit "aad" field to JWE
Mike Jones <Michael.Jones@microsoft.com> Sat, 29 June 2013 10:36 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24AFF21F9F1F for <jose@ietfa.amsl.com>; Sat, 29 Jun 2013 03:36:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uip8WYMU1EdN for <jose@ietfa.amsl.com>; Sat, 29 Jun 2013 03:36:17 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0236.outbound.protection.outlook.com [207.46.163.236]) by ietfa.amsl.com (Postfix) with ESMTP id 1A7A421F9F16 for <jose@ietf.org>; Sat, 29 Jun 2013 03:36:15 -0700 (PDT)
Received: from BL2FFO11FD017.protection.gbl (10.173.161.203) by BL2FFO11HUB037.protection.gbl (10.173.160.241) with Microsoft SMTP Server (TLS) id 15.0.717.3; Sat, 29 Jun 2013 10:21:09 +0000
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD017.mail.protection.outlook.com (10.173.161.35) with Microsoft SMTP Server (TLS) id 15.0.717.3 via Frontend Transport; Sat, 29 Jun 2013 10:21:09 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.25]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.03.0136.001; Sat, 29 Jun 2013 10:20:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: jose issue tracker <trac+jose@trac.tools.ietf.org>, "draft-ietf-jose-json-web-encryption@tools.ietf.org" <draft-ietf-jose-json-web-encryption@tools.ietf.org>, "rlb@ipv.sx" <rlb@ipv.sx>
Thread-Topic: [jose] #29: Add an explicit "aad" field to JWE
Thread-Index: AQHOc4rImU7RZeqPmUqN4QOCR8PjxplMfE8A
Date: Sat, 29 Jun 2013 10:20:39 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943678A932C@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <049.2f6c2e28d610320d40f8f4307cd0bf6b@trac.tools.ietf.org>
In-Reply-To: <049.2f6c2e28d610320d40f8f4307cd0bf6b@trac.tools.ietf.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464003)(199002)(189002)(377454003)(53806001)(47976001)(50986001)(49866001)(47736001)(16406001)(4396001)(23676002)(6806003)(46102001)(65816001)(33656001)(80022001)(83072001)(63696002)(47776003)(20776003)(74366001)(81542001)(54356001)(561944002)(81342001)(66066001)(55846006)(74706001)(56776001)(31966008)(77096001)(74502001)(74876001)(74662001)(50466002)(47446002)(76786001)(59766001)(51856001)(76482001)(69226001)(76796001)(54316002)(44976004)(77982001)(56816003)(79102001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB037; H:TK5EX14HUBC101.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0892FA9A88
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #29: Add an explicit "aad" field to JWE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2013 10:36:22 -0000
I can see merit in this proposal. On the negative side, it's one more feature for implementations of the JWE JSON Serialization to support and one more way that the JSON Serialization is a superset of what's possible in the Compact Serialization. On the positive side, it would let the JWS JSON Serialization be directly used for use cases where having Additional Authenticated Data (AAD) is useful. I'm curious what others think. -- Mike -----Original Message----- From: jose issue tracker [mailto:trac+jose@trac.tools.ietf.org] Sent: Thursday, June 27, 2013 4:05 PM To: draft-ietf-jose-json-web-encryption@tools.ietf.org; rlb@ipv.sx Cc: jose@ietf.org Subject: [jose] #29: Add an explicit "aad" field to JWE #29: Add an explicit "aad" field to JWE Let's start from the design principle that the crypto operations in JWE should not be JWE-specific if they don't have to be. Right now, the only way for an application to provide AAD to a JWE algorithm is in the protected header. So it's impossible to use JOSE to implement any protocol that uses AAD to protect non-JSON data. (Or if not impossible, it's costly, since it will end up getting double-base64 encoded.) Instead, JWE should have an explicit "aad" field that contains a base64-encoded octet string that is input as Additional Authenticated Data to the AEAD algorithm. If there is a protected header present then the overall AAD is the concatenation of the header and the "aad" field. In the compact format, this field is always empty. OLD: """ Let the Additional Authenticated Data encryption parameter be the octets of the ASCII representation of the Encoded JWE Header value. """ NEW: """ Let the Additional Authenticated Data encryption parameter be the octets of the ASCII representation of the Encoded JWE Header value. If an "aad" parameter is present, set the Additional Authenticated Data to the concatenation of the Encoded JWE Header, a period ('.') character, and the ASCII representation of the "aad" field value. """ -- -------------------------+---------------------------------------------- -------------------------+--- Reporter: rlb@ipv.sx | Owner: draft-ietf-jose-json-web- Type: defect | encryption@tools.ietf.org Priority: major | Status: new Component: json-web- | Milestone: encryption | Version: Severity: - | Keywords: -------------------------+---------------------------------------------- -------------------------+--- Ticket URL: <http://tools.ietf.org/wg/jose/trac/ticket/29> jose <http://tools.ietf.org/jose/>
- [jose] #29: Add an explicit "aad" field to JWE jose issue tracker
- Re: [jose] #29: Add an explicit "aad" field to JWE Mike Jones
- Re: [jose] #29: Add an explicit "aad" field to JWE jose issue tracker
- Re: [jose] #29: Add an explicit "aad" field to JWE jose issue tracker