Re: [jose] đź”” WGLC of draft-ietf-cose-webauthn-algorithms

Neil Madden <neil.madden@forgerock.com> Sat, 21 September 2019 10:48 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35DEC12092B for <jose@ietfa.amsl.com>; Sat, 21 Sep 2019 03:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.739
X-Spam-Level:
X-Spam-Status: No, score=-1.739 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QYimK9byDd79 for <jose@ietfa.amsl.com>; Sat, 21 Sep 2019 03:48:00 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A71851200FE for <jose@ietf.org>; Sat, 21 Sep 2019 03:47:59 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id a11so9233484wrx.1 for <jose@ietf.org>; Sat, 21 Sep 2019 03:47:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=pumFkDg9nnmibipKQAc/MCpceBNXPjEqElWUTaBT3Zw=; b=A08Tpjk3Z/s0kCt4neFUMcTZPB259OHFf+MfC2U2RR7SVPJC7T4xj+VCyivow8PZLy MsExHDCw/I+gNzaKnVFoRG6+vl4wpl4VJFdwpJ3sbtHzwgbhQfnj/HZE6hUI7piqTRJb OVqCz7pegbxHJcuXlOJGuoAtt+JzL56YK/CfM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=pumFkDg9nnmibipKQAc/MCpceBNXPjEqElWUTaBT3Zw=; b=XuBhtjbT7UBrb0z7kis/G26HXjwwpPbkqRPNIx5gZJW2tTmtkJFx7yILTnsuzx5cRp MXDU9zsuo7qaLe/08PhLHsF1jx3XBm0++0pbXQTKg4zHJkXQS6vxMhyw90wid7bpDoLI jTptZSeY973UJpaSfO4uOgUoiBL2qWz3YVtiVlSLng+vz6YzCbyvKJG6MfNP04mSbgvv ORb++Q+lkMQkWSsAdkgaWqxFoPI/sXbENYZbzDibQMGDbAQfDnoiPMefH3eliMJseW5r uuvD1Ak0w0U8ngS0hGqyVON98KQYagppcdOdsBjvc2KlSBG8FYO2STGU4SgVRCAGmKN0 bbZw==
X-Gm-Message-State: APjAAAV8KNU+jg4LmYPiNj9Xx5S+S5DBTt/7uDRTd9GsFzlRQFNGLTCh 4mTaj0OWN9md3RQHZbXr7xsBXA==
X-Google-Smtp-Source: APXvYqwbr8yb8txtlbY0lI7UCxAio7CrfSvlH/yBLlg63uAWiaWRiPZB3I8Js7tVuygD9MOrfYU+TA==
X-Received: by 2002:adf:afed:: with SMTP id y45mr14575193wrd.347.1569062877769; Sat, 21 Sep 2019 03:47:57 -0700 (PDT)
Received: from [192.168.1.64] (253.58.93.209.dyn.plus.net. [209.93.58.253]) by smtp.gmail.com with ESMTPSA id s12sm6859161wrn.90.2019.09.21.03.47.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 21 Sep 2019 03:47:57 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <6D55D5B5-0F0C-4674-92CD-61D5CA25FBC5@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_79328B9D-96F4-4D63-9A4C-11C33622BDDB"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sat, 21 Sep 2019 11:47:53 +0100
In-Reply-To: <MN2PR00MB0576AB42D6324A7F1FFD581EF58B0@MN2PR00MB0576.namprd00.prod.outlook.com>
Cc: Jim Schaad <ietf@augustcellars.com>, ivaylo petrov <ivaylo@ackl.io>, "jose@ietf.org" <jose@ietf.org>, "cose@ietf.org" <cose@ietf.org>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
References: <CAJFkdRzEF0wh9-H4dDNQeUHVd_VD8KKv1jOJ7BWs+bKN2e6gBQ@mail.gmail.com> <CAJFkdRy6Bs77gFGG0QGMC1fe_niQC6Of7_2Z8+jjYzpWkuMDBQ@mail.gmail.com> <465EE321-1595-4453-8D4E-E3A6A457C86E@forgerock.com> <012001d56fc0$1fb30e90$5f192bb0$@augustcellars.com> <F6FF776D-FFF9-4330-8A6B-81F783D990C2@forgerock.com> <013c01d56fc8$56cb8b20$0462a160$@augustcellars.com> <MN2PR00MB0576AB42D6324A7F1FFD581EF58B0@MN2PR00MB0576.namprd00.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/uzv7Pb6RXajwgzPST-MzDmiJIDQ>
Subject: Re: [jose] đź”” WGLC of draft-ietf-cose-webauthn-algorithms
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Sep 2019 10:48:04 -0000

On 21 Sep 2019, at 01:44, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
> 
> RSA SHA-1 is used by TPMs, which produce attestations used by W3C WebCrypto.  That can’t be changed.  That’s why an algorithm identifier is needed for it.  It’s use is prohibited for new applications but TPMs are an existing application.  I can work to make this clearer when resolving the WGLC comments.

I think clarifying the text along those lines would help a lot. It is worrying that these TPMs have to continue to use a known weak signature method and they apparently cannot be changed, but at least with the MUST NOT you give people a clue that this is something they want to run away from pretty quickly.

>  
> As for secp256k1, the “ES256K” algorithm is registered, whose definition is “ECDSA using secp256k1 curve and SHA-256”.  That’s only for signing.  The draft is currently silent on whether the registered curve can also be used for other things.  I think that’s how it should be, unless there are security reasons to the contrary.

Well section 4.4 registers secp256k1 as a JWK Elliptic Curve so it will be usable with the existing ECDH-ES family of algorithms without any additional registrations. There *are* some security concerns about using secp256k1 outside of signatures - see e.g. [1] which lists the theoretical problems with the curve. In particular, fast implementations of scalar multiplication (used in ECDH) for secp256k1 are not constant time making it a riskier choice for ECDH than for ECDSA. As far as I'm aware though, that just puts it in the same category as the other NIST/SECG standard curves that are already registered for JOSE. So I'm not against it being available for both JWS and JWE usage, I'd just like that to be an explicit documented decision rather than an accident.

[1]: https://crypto.stackexchange.com/a/68286/26028 <https://crypto.stackexchange.com/a/68286/26028> 

-- Neil