Re: [jose] Distinguishing signed, encrypted, and unprotected tokens
Mike Jones <Michael.Jones@microsoft.com> Sun, 20 May 2012 22:44 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFA9D21F853D for <jose@ietfa.amsl.com>; Sun, 20 May 2012 15:44:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bZNv-8igbh-P for <jose@ietfa.amsl.com>; Sun, 20 May 2012 15:44:02 -0700 (PDT)
Received: from db3outboundpool.messaging.microsoft.com (db3ehsobe006.messaging.microsoft.com [213.199.154.144]) by ietfa.amsl.com (Postfix) with ESMTP id 3C47721F853C for <jose@ietf.org>; Sun, 20 May 2012 15:44:01 -0700 (PDT)
Received: from mail113-db3-R.bigfish.com (10.3.81.247) by DB3EHSOBE003.bigfish.com (10.3.84.23) with Microsoft SMTP Server id 14.1.225.23; Sun, 20 May 2012 22:43:49 +0000
Received: from mail113-db3 (localhost [127.0.0.1]) by mail113-db3-R.bigfish.com (Postfix) with ESMTP id 4CDCA600E7; Sun, 20 May 2012 22:43:49 +0000 (UTC)
X-SpamScore: -38
X-BigFish: VS-38(zz9371I936eK542M1432N98dKzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839h944hd25hf0ah)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail113-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail113-db3 (localhost.localdomain [127.0.0.1]) by mail113-db3 (MessageSwitch) id 1337553827370952_14905; Sun, 20 May 2012 22:43:47 +0000 (UTC)
Received: from DB3EHSMHS018.bigfish.com (unknown [10.3.81.234]) by mail113-db3.bigfish.com (Postfix) with ESMTP id 5596F180045; Sun, 20 May 2012 22:43:47 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS018.bigfish.com (10.3.87.118) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sun, 20 May 2012 22:43:46 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.189]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0298.005; Sun, 20 May 2012 22:43:57 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>, Jim Schaad <ietf@augustcellars.com>
Thread-Topic: [jose] Distinguishing signed, encrypted, and unprotected tokens
Thread-Index: Ac0z6YIAkxSNdpPpSJGGHmreRKfuNABAjGsAAFxLuoAAF+hbAAAAY/yAAAbafnA=
Date: Sun, 20 May 2012 22:43:56 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366510478@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <255B9BB34FB7D647A506DC292726F6E114F2E1C05D@WSMSG3153V.srv.dir.telstra.com> <44153647-17FA-4B02-B528-60456E1E4751@ve7jtb.com> <255B9BB34FB7D647A506DC292726F6E114F2F2E7DF@WSMSG3153V.srv.dir.telstra.com> <021601cd36bc$86606bf0$932143d0$@augustcellars.com> <AB155C9C-0848-4434-A780-1BB0BC8B12A2@bbn.com>
In-Reply-To: <AB155C9C-0848-4434-A780-1BB0BC8B12A2@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: 'John Bradley' <ve7jtb@ve7jtb.com>, "'Manger, James H'" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Distinguishing signed, encrypted, and unprotected tokens
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 May 2012 22:44:03 -0000
Indeed, we already have a JSON format proposed in response working group input with no dots. See these specs: http://tools.ietf.org/html/draft-jones-json-web-signature-json-serialization-01 http://tools.ietf.org/html/draft-jones-json-web-encryption-json-serialization-01 -- Mike -----Original Message----- From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard L. Barnes Sent: Sunday, May 20, 2012 12:24 PM To: Jim Schaad Cc: 'John Bradley'; 'Manger, James H'; jose@ietf.org Subject: Re: [jose] Distinguishing signed, encrypted, and unprotected tokens +1 Distinguishing based on number of dots seems really fragile. On May 20, 2012, at 3:12 PM, Jim Schaad wrote: > <no hat> > > What happens if you are distinguishing based on the number of dots and > then you move to a new encoding format that is not dot separated? > > Jim > > >> -----Original Message----- >> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf >> Of Manger, James H >> Sent: Sunday, May 20, 2012 12:48 AM >> To: John Bradley >> Cc: jose@ietf.org >> Subject: Re: [jose] Distinguishing signed, encrypted, and unprotected > tokens >> >> First, for unprotected plaintext we still need the header to hold >> metadata about the payload, like its type ("typ" header field). So I now suggest: >> * 3 dots (4 segments) => JWE >> * 2 dots (3 segments) => JWS >> * 1 dot (2 segments) => unprotected payload (<header>.<payload>) >> >> If you don't like using the dot-count to distinguish these cases, how > about >> adding an explicit indication? For instance, a JWE is >> "E".<header>.<wrappedkey>.<ciphertext>.<MAC>; a JWS is >> "S".<header>.<payload>.<signature>, and an unprotected payload is >> "P".<header>.<payload>. >> >> Distinguishing using "alg" value is a poor choice. Consider receiving >> a > JWT in 2 >> year. After splitting on dots, base64 decoding, interpreting as >> UTF-8, > JSON >> parsing, and extracting "alg", you get the value "XY512". Uhmmm.. > obviously >> a new algorithm has been defined since the initial publication of >> "JWA" -- which is not too surprising, eg SHA-3 is expected soon. So >> you look at the IANA web page for registered "alg" values. "XY512" is >> in the list. Its > usage is >> "alg" (not "enc" or "int"). That still means it could be a >> key-wrapping > alg or an >> asymmetric signature alg so you still cannot distinguish what you have. > You >> follow the IANA reference to a spec for "XY512" and, at last, you >> know if > you >> have a JWE or JWS. >> >> For many apps if you don't know the "alg" it doesn't really matter if >> it > is a JWE >> or JWS since you cannot decrypt or verify it so the app will just >> reject > it. But >> for other apps (or other layers of an app or other steps in a >> processing > chain) >> it would be nice to distinguish signed/encrypted/plain at bit more simply. >> >> -- >> James Manger >> >> -----Original Message----- >> From: John Bradley [mailto:ve7jtb@ve7jtb.com] >> Sent: Friday, 18 May 2012 9:45 PM >> To: Manger, James H >> Cc: jose@ietf.org >> Subject: Re: [jose] Distinguishing signed, encrypted, and unprotected > tokens >> >> I would be against using the number of segments to determine the type. >> That has changes over time as we added integrity to encryption. >> >> I would not want to assume that some new algorithm might not need >> another segment. >> >> Their might also be attacks that we haven't considerd that might be > possible >> by altering the number of segments. >> >> I understand that it is an attractive shortcut, but I think the >> downside > is risky. >> >> John B. >> >> On 2012-05-17, at 12:57 AM, Manger, James H wrote: >> >>> draft-jones-json-web-token-10#section-5 suggests looking at the "alg" >> value in the header to distinguish whether you have a JWE, JWS, or >> plain JWT. >>> >>> Wouldn't it be better to distinguish these cases by the number of dots: >>> * 3 dots (4 segments) => JWE >>> * 2 dots (3 segments) => JWS >>> Then we could use 1 segment for a plaintext JWT >>> * 0 dots (1 segment) => Plaintext JWT (base64url-encoded JWT Claim >>> Set) >>> >>> Benefits: >>> >>> 1. JWT spec doesn't need to confusingly specify the "JWT header" as >> though it is a separate thing from a JWS or JWE header. Rules are > specified >> for the JWT header (unique names, no duplicates, all understood or >> reject, JWT-specific "typ" definition) but surely these should just >> be the JWS or > JWE >> header rules as appropriate. >>> >>> 2. No need for the rather pointless "eyJhbGciOiJub25lIn0." prefix >>> (for >> {"alg":"none"}) on plaintext JWTs >>> >>> 3. Top-level code doesn't need to know all sig & enc algs; can leave > that to >> signing & encryption libraries >>> >>> 4. Don't need to split, decode, parse header before passing JWT onto >>> JWS >> or JWE processing (which may well split, decode, and parse the same >> stuff > all >> over again) [eg https://github.com/NimbusDS/Nimbus- >> JWT/blob/master/src/com/nimbusds/jwt/JWT.java#LC137] >>> >>> 5. Less risk that "none" is implemented as a proper JWS signature >> verification algorithm and accidentally allows unsigned code to pass > security >> gates. >>> >>> >>> -- >>> James Manger >>> >>> _______________________________________________ >>> jose mailing list >>> jose@ietf.org >>> https://www.ietf.org/mailman/listinfo/jose >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose
- [jose] Distinguishing signed, encrypted, and unpr… Manger, James H
- Re: [jose] Distinguishing signed, encrypted, and … Vladimir Dzhuvinov / NimbusDS
- Re: [jose] Distinguishing signed, encrypted, and … John Bradley
- Re: [jose] Distinguishing signed, encrypted, and … Manger, James H
- Re: [jose] Distinguishing signed, encrypted, and … Mike Jones
- Re: [jose] Distinguishing signed, encrypted, and … Jim Schaad
- Re: [jose] Distinguishing signed, encrypted, and … Richard L. Barnes
- Re: [jose] Distinguishing signed, encrypted, and … Mike Jones
- Re: [jose] Distinguishing signed, encrypted, and … Manger, James H