IETF Logo Mail Archive

Re: [jose] #29: Add an explicit "aad" field to JWE

Mike Jones <Michael.Jones@microsoft.com> Sat, 29 June 2013 10:36 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24AFF21F9F1F for <jose@ietfa.amsl.com>; Sat, 29 Jun 2013 03:36:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uip8WYMU1EdN for <jose@ietfa.amsl.com>; Sat, 29 Jun 2013 03:36:17 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0236.outbound.protection.outlook.com [207.46.163.236]) by ietfa.amsl.com (Postfix) with ESMTP id 1A7A421F9F16 for <jose@ietf.org>; Sat, 29 Jun 2013 03:36:15 -0700 (PDT)
Received: from BL2FFO11FD017.protection.gbl (10.173.161.203) by BL2FFO11HUB037.protection.gbl (10.173.160.241) with Microsoft SMTP Server (TLS) id 15.0.717.3; Sat, 29 Jun 2013 10:21:09 +0000
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD017.mail.protection.outlook.com (10.173.161.35) with Microsoft SMTP Server (TLS) id 15.0.717.3 via Frontend Transport; Sat, 29 Jun 2013 10:21:09 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.25]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.03.0136.001; Sat, 29 Jun 2013 10:20:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: jose issue tracker <trac+jose@trac.tools.ietf.org>, "draft-ietf-jose-json-web-encryption@tools.ietf.org" <draft-ietf-jose-json-web-encryption@tools.ietf.org>, "rlb@ipv.sx" <rlb@ipv.sx>
Thread-Topic: [jose] #29: Add an explicit "aad" field to JWE
Thread-Index: AQHOc4rImU7RZeqPmUqN4QOCR8PjxplMfE8A
Date: Sat, 29 Jun 2013 10:20:39 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943678A932C@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <049.2f6c2e28d610320d40f8f4307cd0bf6b@trac.tools.ietf.org>
In-Reply-To: <049.2f6c2e28d610320d40f8f4307cd0bf6b@trac.tools.ietf.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464003)(199002)(189002)(377454003)(53806001)(47976001)(50986001)(49866001)(47736001)(16406001)(4396001)(23676002)(6806003)(46102001)(65816001)(33656001)(80022001)(83072001)(63696002)(47776003)(20776003)(74366001)(81542001)(54356001)(561944002)(81342001)(66066001)(55846006)(74706001)(56776001)(31966008)(77096001)(74502001)(74876001)(74662001)(50466002)(47446002)(76786001)(59766001)(51856001)(76482001)(69226001)(76796001)(54316002)(44976004)(77982001)(56816003)(79102001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB037; H:TK5EX14HUBC101.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0892FA9A88
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #29: Add an explicit "aad" field to JWE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2013 10:36:22 -0000

I can see merit in this proposal.

On the negative side, it's one more feature for implementations of the JWE JSON Serialization to support and one more way that the JSON Serialization is a superset of what's possible in the Compact Serialization.

On the positive side, it would let the JWS JSON Serialization be directly used for use cases where having Additional Authenticated Data (AAD) is useful.

I'm curious what others think.

				-- Mike

-----Original Message-----
From: jose issue tracker [mailto:trac+jose@trac.tools.ietf.org] 
Sent: Thursday, June 27, 2013 4:05 PM
To: draft-ietf-jose-json-web-encryption@tools.ietf.org; rlb@ipv.sx
Cc: jose@ietf.org
Subject: [jose] #29: Add an explicit "aad" field to JWE

#29: Add an explicit "aad" field to JWE

 Let's start from the design principle that the crypto operations in JWE  should not be JWE-specific if they don't have to be.  Right now, the only  way for an application to provide AAD to a JWE algorithm is in the  protected header.  So it's impossible to use JOSE to implement any  protocol that uses AAD to protect non-JSON data.  (Or if not impossible,  it's costly, since it will end up getting double-base64 encoded.)

 Instead, JWE should have an explicit "aad" field that contains a  base64-encoded octet string that is input as Additional Authenticated Data  to the AEAD algorithm.  If there is a protected header present then the  overall AAD is the concatenation of the header and the "aad" field.

 In the compact format, this field is always empty.

 OLD:
 """
 Let the Additional Authenticated Data encryption parameter be the octets  of the ASCII representation of the Encoded JWE Header value.
 """
 NEW:
 """
 Let the Additional Authenticated Data encryption parameter be the octets  of the ASCII representation of the Encoded JWE Header value.  If an "aad"
 parameter is present, set the Additional Authenticated Data to the  concatenation of the Encoded JWE Header, a period ('.') character, and the  ASCII representation of the "aad" field value.
 """

-- 
-------------------------+----------------------------------------------
-------------------------+---
 Reporter:  rlb@ipv.sx   |      Owner:  draft-ietf-jose-json-web-
     Type:  defect       |  encryption@tools.ietf.org
 Priority:  major        |     Status:  new
Component:  json-web-    |  Milestone:
  encryption             |    Version:
 Severity:  -            |   Keywords:
-------------------------+----------------------------------------------
-------------------------+---

Ticket URL: <http://tools.ietf.org/wg/jose/trac/ticket/29>
jose <http://tools.ietf.org/jose/>

v2.23.0 | Report a Bug | By Email