Re: [jose] New Version Notification for draft-barnes-jose-jsms-00.txt
"Richard L. Barnes" <rbarnes@bbn.com> Tue, 26 June 2012 19:33 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9196421F8599 for <jose@ietfa.amsl.com>; Tue, 26 Jun 2012 12:33:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.528
X-Spam-Level:
X-Spam-Status: No, score=-106.528 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iKaeda8gTXoH for <jose@ietfa.amsl.com>; Tue, 26 Jun 2012 12:33:35 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 968F321F8595 for <jose@ietf.org>; Tue, 26 Jun 2012 12:33:35 -0700 (PDT)
Received: from ros-dhcp192-1-51-6.bbn.com ([192.1.51.6]:60156) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1SjbW2-0006Oq-7i; Tue, 26 Jun 2012 15:33:34 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <706BA894-367C-4AC5-B70A-21F9039C1F78@ve7jtb.com>
Date: Tue, 26 Jun 2012 15:33:33 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <080F4097-F27D-4A31-832F-FF5CCF71A1CF@bbn.com>
References: <4E1F6AAD24975D4BA5B168042967394366560A72@TK5EX14MBXC283.redmond.corp.microsoft.com> <CABzCy2D7tU6=Q30eBmRfLzqR1Dj4XbYJZRFOC7t2OU45CwEa3A@mail.gmail.com> <EC718B8E-F3AE-4CB7-9A23-4AAD1E13C093@bbn.com> <007301cd532c$f4e7f0c0$deb7d240$@augustcellars.com> <CFC0148D-7F8F-4693-8D8F-FCEEF0C028CE@ve7jtb.com> <A33A4456-25E1-4248-903D-602C08C5B931@bbn.com> <706BA894-367C-4AC5-B70A-21F9039C1F78@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1278)
Cc: Jim Schaad <ietf@augustcellars.com>, jose@ietf.org
Subject: Re: [jose] New Version Notification for draft-barnes-jose-jsms-00.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jun 2012 19:33:38 -0000
> There was a WG decision to not allow encryption without integrity. Jim and others call that sender verification. > > Or on simple terms no AES-CBC without a mandatory MAC integrity. Thanks. I remembered the "AEAD-only" agreement, but didn't know the "sender verification" term. > The JWE/JWS specs don't control the body. That is intended to be arbitrary content. > > We do have s JWT spec that covers the body for security tokens. The idea was to separate that from signing and encryption so that signing and encryption can be used for other objects. > > John B. That's exactly my point. You can have something like JWT specify a body format that has the protected parameters, so why does JWS/JWE need integrity-protected attributes? --Richard > On 2012-06-26, at 1:43 PM, Richard L. Barnes wrote: > >>> Now that we are mandating JWE sender verification people will be using JWE with symmetric keys or key agreement. >>> In those cases one can easily argue that the header should be protected as much as in HMAC. >> >> Can you clarify the scope of "we are mandating"? >> >> >>> There may well be signing_time or other elements that would go into the header as well for JWE. >> >> Why do these need to go into the header rather than the body? >> >> --Richard >> >> >> >> >>> Regards >>> John B. >>> >>> On 2012-06-25, at 7:48 PM, Jim Schaad wrote: >>> >>>> <personal> >>>> >>>> Richard, >>>> >>>>> -----Original Message----- >>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of >>>>> Richard L. Barnes >>>>> Sent: Monday, June 25, 2012 2:35 PM >>>>> To: Nat Sakimura >>>>> Cc: Mike Jones; jose@ietf.org >>>>> Subject: Re: [jose] New Version Notification for draft-barnes-jose-jsms- >>>>> 00.txt >>>>> >>>>> Hi Nat, >>>>> >>>>> I'm not sure what X.509 fiasco you're referring to. There was a recent >>>> MD5 >>>>> fiasco [1], but that's an attack on MD5, not X.509. In fact, there have >>>> been >>>>> recommendations for preventing this attack in X.509 since 2005 [2]. As >>>> was >>>>> noted on the SAAG list, the real news here is that Microsoft wasn't >>>> following >>>>> any of those recommendations. >>>>> >>>>> JWS would have had the same problem as X.509. The attack did not modify >>>>> the cryptographic parameters (anything that would have gone in the >>>>> header), it would not have been thwarted by the integrity protection we're >>>>> worrying about. >>>>> >>>>> Actually, the header signing that JWS does makes it even nicer for the >>>>> attacker: Flame used a "chosen prefix" attack, so since the JWS header >>>> value >>>>> is entirely static for a given signer, it's easy to use as a fixed prefix. >>>> If JWS just >>>>> signed the content, then the application could include a something random >>>>> up front to prevent such prefix-based attacks. >>>>> >>>> >>>> I don't believe that this is a true statement. If you had a prefix or just >>>> signed what was given to you (i.e. no prefix), it would make no difference >>>> in terms of the attack for Flame. Flame could always use a fixed prefix of >>>> its own design rather than using the fixed header that is generated by >>>> having JWS sign the header information. >>>> >>>>> It's tempting to say that we should just add randomness to the JOSE >>>> format. >>>>> But the real lesson of the Flame/MD5 attacks is operational: If you're >>>> signing >>>>> something that somebody else gave you, make sure that you're not signing >>>>> exactly what they gave you. Follow the recommendations of RFC 4270. In >>>>> other contexts, there's no need of similar random elements; it just adds >>>>> complexity. >>>> >>>> This is definitely a true statement in all events and is something that >>>> should be added to the Security Considerations section. >>>> >>>> That being said, I think that there are valid reasons for wanting to protect >>>> the header information by some authentication processing. PKIX certificates >>>> protect the signature algorithm information (by copying the data into the to >>>> be signed block) and CMS has long allowed for information to be included in >>>> the signed attributes area that identifies the algorithms used, the >>>> certificates used and so forth. There are also other things that we might >>>> find to be convenient to be placed in the header information that is current >>>> not there (a signing time and embedded content type comes to mind) that >>>> would be a product either of specific types of signatures or becomes a >>>> common attribute to be placed there. >>>> >>>> In terms of encryption operations, I remember in the past that I have had >>>> either corrupted encrypted streams or corrupted IVs and had a successful >>>> decryption that later generated other problems when trying to parse. This >>>> is less of an issue with AEAD algorithms as they have a much stricter rule >>>> on when the stream decrypts correctly. >>>> >>>> Jim >>>> >>>>> >>>>> --Richard >>>>> >>>>> >>>>> >>>>> [1] <http://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf> >>>>> [2] <http://tools.ietf.org/html/rfc4270#section-5.1> >>>>> >>>>> >>>>> On Jun 21, 2012, at 11:11 AM, Nat Sakimura wrote: >>>>> >>>>>> Especially after the X.509 fiasco, I strongly believe that having >>>> integrity >>>>> check over the metadata is a good thing. It is such a little effort that >>>> gives us >>>>> much more protection down the road. In this sense, I fully agree with Ben >>>>> here. We should have integrity protection over the header. >>>>>> >>>>>> Nat >>>>>> >>>>>> On Thu, Jun 21, 2012 at 8:07 AM, Mike Jones >>>>> <Michael.Jones@microsoft.com> wrote: >>>>>> Two years ago when the developer community needing a JSON-friendly >>>>> token format was designing the JSON Web Token (JWT), we explicitly asked >>>>> security experts whether the header parameters should be integrity >>>>> protected or not. Among them, Ben Laurie was one of the voices saying >>>> that >>>>> securing them was the right thing to do. >>>>>> >>>>>> >>>>>> >>>>>> He argued that if the parameters can be protected in a practical manner, >>>>> then they should. Doing so provides an additional hurdle that attackers >>>>> would have to surmount. For example, if they can try to substitute a >>>> weaker >>>>> authentication scheme, then they must figure out how to make it >>>>> authenticate correctly despite some plaintext they can't control - the >>>> header >>>>> parameters. >>>>>> >>>>>> >>>>>> >>>>>> Ben also took the position that paring security protocols down to the >>>> least >>>>> you can get away with, given attacks you can think of, is not a good >>>> design >>>>> principle. If there is not a strong argument against including a feature >>>> that >>>>> may make it harder for attackers, then that feature should be included. >>>>>> >>>>>> >>>>>> >>>>>> I agree with him. >>>>>> >>>>>> >>>>>> >>>>>> The decision to provide integrity protection for the headers is >>>> documented >>>>> in the session notes at http://self-issued.info/?p=361, which said: >>>>>> >>>>>> >>>>>> >>>>>> . What to sign (envelope.payload or just payload)? >>>>>> >>>>>> Given that the envelope is extensible and therefore may contain >>>> security- >>>>> sensitive information, we reached a consensus (with input from Ben Laurie >>>>> via IM) that the combination envelope.payload must be signed. >>>>>> >>>>>> >>>>>> I believe that logic is as sound today as it was then. >>>>>> >>>>>> >>>>>> >>>>>> For all these reasons, I therefore personally stand by the community's >>>>> decision to provide integrity protection for the headers. >>>>>> >>>>>> >>>>>> >>>>>> Best wishes, >>>>>> >>>>>> -- Mike >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -----Original Message----- >>>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of >>>>> John Bradley >>>>>> Sent: Wednesday, June 20, 2012 3:57 PM >>>>>> To: Richard L.Barnes >>>>>> Cc: jose@ietf.org >>>>>> Subject: Re: [jose] New Version Notification for draft-barnes-jose-jsms- >>>>> 00.txt >>>>>> >>>>>> >>>>>> >>>>>> Hi Richard, >>>>>> >>>>>> >>>>>> >>>>>> While for PKCS 1.5 the hash algorithm is baked into the padding and not >>>>> susceptible to modification with ECDH or RSA-PSS it is not. >>>>>> >>>>>> There are possible hash truncation attacks by shortening SHA256 to >>>> SHA224 >>>>> as an example (I know we preclude truncated hashes at the moment). >>>>>> >>>>>> >>>>>> >>>>>> The bad feeling I get around this is that if there is a scenario where >>>> the >>>>> attacker controls the plaintext to be signed and there is no signer >>>> controlled >>>>> text contributed there are potential bad things that could happen down the >>>>> road. >>>>>> >>>>>> >>>>>> >>>>>> This bit us with x509 certs not that long ago (yes with MD5 admittedly) >>>>> where the attacker could use a certificate extension to include extra data >>>> and >>>>> cause a pre collided hash to be generated. >>>>>> >>>>>> Having part of the signed data outside the control of an attacker is a >>>> good >>>>> thing. (having a nonce or message ID in the envelope is possible though >>>> not >>>>> yet required in JWS.) >>>>>> >>>>>> >>>>>> >>>>>> I am still of the opinion that putting the base64 encoded envelope >>>> inside >>>>> the hash calculation is a valid way to allow additional attributes. >>>>>> >>>>>> Another structure to hold the attributes adds more complexity, as would >>>>> saying that they need to be inside the signed object. >>>>>> >>>>>> >>>>>> >>>>>> I think part of this is that as one of the openID Connect authors I look >>>> at this >>>>> as a necessary security token format, for OAuth and Connect. >>>>>> >>>>>> For that simple processing with one signature is a high priority for >>>> adoption. >>>>>> >>>>>> >>>>>> >>>>>> From a general signing/encrypting of documents point of view you >>>>> legitimately have different priorities. >>>>>> >>>>>> >>>>>> >>>>>> I know it is hard to prove a negative but It is also going to be >>>> difficult for me >>>>> to go back to security people at google Facebook and other places and >>>>> explain how not integrity protecting the header could be better than >>>>> integrity protecting it. >>>>>> >>>>>> >>>>>> >>>>>> It seems that I would be reduced to arguing that this is no worse than >>>> CMS >>>>> and that hasn't been proven insecure yet. >>>>>> >>>>>> >>>>>> >>>>>> Allowing a possible attacker to control the hash output, and not >>>> integrity >>>>> protecting the additional data, seems like something I am bound to regret >>>> in >>>>> the future. >>>>>> >>>>>> >>>>>> >>>>>> Regards >>>>>> >>>>>> John B. >>>>>> >>>>>> >>>>>> >>>>>> On 2012-06-19, at 7:00 PM, Richard L. Barnes wrote: >>>>>> >>>>>> >>>>>> >>>>>>> Hey John, >>>>>> >>>>>>> >>>>>> >>>>>>> Interesting points, but I don't think they actually apply here. >>>>>> >>>>>>> >>>>>> >>>>>>> With regard to downgrade attacks: >>>>>> >>>>>>> >>>>>> >>>>>>> The attack that RFC 5752 is concerned with is when an attacker strips >>>>> signatures from a signed message, so that the only ones left are ones he >>>> can >>>>> tamper with. So the integrity protection here is "horizontal"; it goes >>>> across >>>>> signatures. The integrity protection in JWS/JWE is "vertical" -- it only >>>> protects >>>>> one signer's parameters -- so it is, so to speak, orthogonal. >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> With regard to "brown bag" attacks: >>>>>> >>>>>>> >>>>>> >>>>>>> The root of this attack is ambiguity about what content is *signed* >>>>>> >>>>>>> vs. what content is *used*. If an application doesn't verify that >>>>>> >>>>>>> it's actually using the stuff that's signed, then it can be tricked >>>>>> >>>>>>> into accepting something unsigned. (Cf. >>>>>> >>>>>>> <http://en.wikipedia.org/wiki/Confused_Deputy>) >>>>>> >>>>>>> >>>>>> >>>>>>> However, I don't think any of the current proposals have that problem. >>>>> In JWE/JWS, the signed content is right there between the dots, and in >>>> JSMS, >>>>> it's in the "content" element. The current JSMS draft does allow detached >>>>> signatures, but with a "voids your warranty" sticker on it. >>>>>> >>>>>>> >>>>>> >>>>>>> In any case, these attacks have nothing to do with whether the >>>>> cryptographic parameters are integrity-protected with the content. The >>>>> example attacks in the IBM still work regardless -- the whole point of the >>>>> attack is that the cryptographic processing is the same, only the >>>> (non-crypto) >>>>> matching of content is flawed. >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> With regard to "arbitrary attributes": >>>>>> >>>>>>> >>>>>> >>>>>>> We can have that here, too, but you need canonicalization. And >>>> base64- >>>>> encoding is not not canonicalization -- it just waves its hands over the >>>>> question of equivalence. In my opinion, we should keep the cryptographic >>>>> object simple by disallowing attributes, and push the attributes you would >>>>> sign inside of the thing being signed. If people really do want >>>> attributes, it >>>>> doesn't seem to me like JSON canonicalization is very hard. I can do it >>>> in 19 >>>>> lines of python: >>>>>> >>>>>>> <http://pastebin.com/ptUfn0c3> >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> With regard too "meta-data in the body": >>>>>> >>>>>>> >>>>>> >>>>>>> It seems to me like if we're trying to define a general format for >>>> applying >>>>> security protections, then we ought to keep out things that aren't >>>> strictly >>>>> security relevant. Those things can go in application-specific content >>>> types >>>>> (e.g., SAML) without polluting the general purpose header. >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> With regard to "defense in depth" and selling this to government >>>>> agencies: >>>>>> >>>>>>> >>>>>> >>>>>>> CMS, via S/MIME, is in broad use across multiple federal agencies and >>>>> large enterprises. JSMS is essentially a profile of CMS (see Section 7), >>>> and >>>>> has the same security properties. >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> Cheers, >>>>>> >>>>>>> --Richard >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> On Jun 19, 2012, at 5:10 PM, John Bradley wrote: >>>>>> >>>>>>> >>>>>> >>>>>>>> Hi Richard, >>>>>> >>>>>>>> >>>>>> >>>>>>>> Originally we only integrity protected the header for signing. We >>>> added >>>>> the integrity protection to encryption as part of AEAD, as encryption can >>>> also >>>>> be used for sender verification. >>>>>> >>>>>>>> >>>>>> >>>>>>>> I understand the argument that it makes things simpler if we don't >>>>> integrity protect the header information. >>>>>> >>>>>>>> >>>>>> >>>>>>>> However xmldsig, provides integrity over those elements to prevent >>>>> possible downgrade attacks by manipulating the algorithms. >>>>>> >>>>>>>> >>>>>> >>>>>>>> CMS may not typically provide that integrity protection but I think >>>> Jim >>>>> Schaad and Sean Terner created RFC5752 to address downgrade attacks. >>>>>> >>>>>>>> Given they are on this list they can speak to their view on integrity >>>> over >>>>> the crypto parameters. >>>>>> >>>>>>>> >>>>>> >>>>>>>> I also recall when working on InfoCards there was a Monte Carlo/Brown >>>>> Bag attack that needs to be considered if we move to something more like a >>>>> detached signature. >>>>>> >>>>>>>> >>>>>> >>>>>>>> The other design consideration is that we wanted to be able to sign >>>>> arbitrary byte strings not just JSON. You could sign XML if you wanted. >>>>>> >>>>>>>> That prevented us from including meta-data in the body as we didn't >>>>> want to touch it. That left us with the header to include additional >>>> elements >>>>> in. >>>>>> >>>>>>>> Not integrity protecting those elements as well would be a problem. >>>>>> >>>>>>>> >>>>>> >>>>>>>> I am not a CMS expert but I believe it allows for signing of >>>> arbitrary >>>>> attributes not unlike the current JOSE spec. >>>>>> >>>>>>>> >>>>>> >>>>>>>> Especially for something that will be used with JWT security tokens I >>>> will >>>>> have a hard time making the argument to NIST and others that need to >>>>> approve this format that not integrity protecting the header parameters is >>>>> appropriate defence in depth, for something that might be replacing signed >>>>> SAML assertions in some applications. >>>>>> >>>>>>>> >>>>>> >>>>>>>> I do understand how not integrity protecting the header will make >>>> some >>>>> things easier, however I can't agree that the benefit outweighs the >>>>> disadvantages. >>>>>> >>>>>>>> >>>>>> >>>>>>>> Regards >>>>>> >>>>>>>> John B. >>>>>> >>>>>>>> >>>>>> >>>>>>>> >>>>>> >>>>>>>> On 2012-06-18, at 10:02 PM, Richard L. Barnes wrote: >>>>>> >>>>>>>> >>>>>> >>>>>>>>> Hey Mike, >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> Thanks for having some back-and-forth with me on this. I think this >>>> is a >>>>> good discussion to have right now. I would like to discuss some >>>> high-level >>>>> points, and then I'll respond inline to your precise points. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> tl;dr: In order to meet its deliverables, the WG needs to define >>>> JSON- >>>>> based formats for integrity and confidentiality protections. JWE and JWS >>>>> don't fit that requirement, so we should re-consider their adoption and >>>> call >>>>> for new candidates. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> Major points: >>>>>> >>>>>>>>> 1. JOSE is JSON >>>>>> >>>>>>>>> 2. JSON does not imply canonicalization 3. Compactness and >>>>>> >>>>>>>>> URL-safeness are still OK, as derivatives >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> Part 1: JOSE is JSON >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> The JOSE WG charter calls out four deliverables, three of which are >>>>> explicitly required to be JSON: >>>>>> >>>>>>>>> -- "JSON-structured integrity protection" >>>>>> >>>>>>>>> -- "JSON-structured encryption" >>>>>> >>>>>>>>> -- "public keys as JSON-structured objects" >>>>>> >>>>>>>>> (The fourth is just a list of algorithms, which should be JSON as >>>>>> >>>>>>>>> well, just as RFC 3370 is ASN.1.) >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> In light of these requirements, JWE and JWS are clearly not suitable >>>>>> >>>>>>>>> candidates to fulfill the working group's milestones. (At least in >>>>>> >>>>>>>>> their current form.) So ISTM that we need to step back and >>>>>> >>>>>>>>> re-evaluate alternatives for the three above milestones, especially >>>>>> >>>>>>>>> the first two. (JWK is not as far off.) >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> As JSON-based mechanisms, though, the "JSON serialization" drafts >>>>> are pretty half-hearted. Because JWS and JWE include the cryptographic >>>>> parameters within the integrity protection, they have to have the headers >>>>> included as base64-encoded strings. That obviously adds a lot of >>>> complexity >>>>> to encoding and decoding -- for example, you have to keep the encoded >>>>> header around even after you've decoded it! -- and just plain more octets. >>>>> The support for multiple recipients and multiple signatures is both >>>> unweildy >>>>> (matching up parallel indices for headers and signatures) and inefficient >>>>> (multiple integrity check values in encrypted objects). >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> By contrast, JSMS takes advantage of the cryptographic wisdom that >>>>> went into CMS, while making the syntax pure JSON and as simple as >>>> possible. >>>>> Multiple signatures and multiple recipients are supported with absolute >>>>> minimum overhead. So I think it's worth consideration by the working >>>> group. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> Part 2: JSON !=> canonicalization >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> I would like to dispel the myth that a JSON-based format requires >>>>>> >>>>>>>>> canonicalization. In JWE/JWS, the JSON header requires >>>>>> >>>>>>>>> "canonicalization" (via base64url encoding) because it's included >>>>>> >>>>>>>>> within the integrity protection. I'm not aware of any reason for >>>>>> >>>>>>>>> including the cryptographic parameters in the integrity check, >>>>>> >>>>>>>>> instead of only integrity-protecting the content itself. Indeed, if >>>>>> >>>>>>>>> there were an attack based on non-integrity-protected cryptographic >>>>>> >>>>>>>>> parameters, it would be a pretty big deal, since neither CMS nor IKE >>>>>> >>>>>>>>> nor provides this protection. (TLS does provide a signature over >>>>>> >>>>>>>>> the algorithms, but only as a way to bind the public key to the >>>>>> >>>>>>>>> session.) >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> Indeed CMS doesn't require canonicalization at all, except for >>>>> attributes that are included in the protected content (signedAttrs / >>>>> authenticatedAttrs), which need to be DER-encoded. In JSMS, we don't >>>>> allow those parameters, so there is no need for canonicalization at all. >>>> All the >>>>> "canonicalization" that's needed is to base64url-encode the protected >>>>> content. In that regard, JSMS is even simpler than JWE/JWS. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> Part 3: Compactness and URL-safeness are still OK, as derivatives >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> I have absolutely no objection to defining a compact, URL-safe >>>> format. >>>>> Indeed, I did so in the JSMS draft, in Section 5. Encoding the example >>>> from >>>>> Section 3.1 of the JWS spec, we get the following JSMS object: >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> { >>>>>> >>>>>>>>> "v":1, >>>>>> >>>>>>>>> "t":"au", >>>>>> >>>>>>>>> "a":"hs256", >>>>>> >>>>>>>>> "c":"eyJpc3MiOiJqb2...0cnVlfQ", >>>>>> >>>>>>>>> "mac":"pwM0gJNMLFxn8G1-juQFLrJtMEOR8_FeKIH3wIM_OAo", >>>>>> >>>>>>>>> "ki":"rSIilRk8Ego" >>>>>> >>>>>>>>> } >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> If we remove the decorative spaces and base64url-encode, we only >>>>> use >>>>>> >>>>>>>>> 88 octets more than JWS (267 vs. 179). If we take this a step >>>>>> >>>>>>>>> further and define an explicit compact format for AuthenticatedData, >>>>>> >>>>>>>>> we can emulate JWS by moving the content and MAC fields outside >>>>> and >>>>>> >>>>>>>>> dot-combining. That avoids double-base64url-encoding, and only >>>>>> >>>>>>>>> takes up 11 more octets than a JWS (190 vs 179). (I've put the code >>>>>> >>>>>>>>> to generate these in the Github project linked earlier.) >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> So it's fine to have a compact, URL-safe format for an objective, >>>> but it >>>>> makes *much* more sense to derive that from a full-size, usable, JSON >>>>> format than the other way around. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> Responses to specific points inline below. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>>> Fair enough. I'll briefly respond to each in turn. Before doing >>>> so, I'll >>>>> say that I'm writing in the spirit of trying to increase mutual >>>> understanding >>>>> and consensus, rather than taking the point of view that the status quo is >>>> the >>>>> only reasonable outcome. >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> -- Not being JSON >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> This was by design, so that the results are URL-safe. This is >>>> required, >>>>> for instance, for them to be used as OAuth Bearer Tokens. At the request >>>> of >>>>> the working group, closely related pure-JSON drafts were also published. >>>>> See: >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> http://tools.ietf.org/html/draft-jones-json-web-signature-json-seri >>>>>> >>>>>>>>>> alization-01 and >>>>>> >>>>>>>>>> http://tools.ietf.org/html/draft-jones-json-web-encryption-json-ser >>>>>> >>>>>>>>>> ialization-01 >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> Use them if you prefer if they better suit your use cases. They >>>> could >>>>> be adopted as working group documents, if there's interest. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> See above. These are super-clunky, and the need to be the main >>>>> focus of the WG, not an afterthought. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>>> -- Not supporting multiple recipients >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> The JSON serialization drafts above do, again, in response to use >>>>> cases presented by the working group. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> See above. Because of the unnecessary inclusion of the header in >>>> the >>>>> integrity check, this is far less efficient than it should be. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>>> -- Lacking clear distinctions between signing and MAC >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> Functionally, these are very similar operations, at least from an >>>>> implementation perspective, so it's not clear that making a clear >>>> distinction >>>>> would help either developers or adoption in any practical way. They >>>> achieve >>>>> overlapping, but admittedly sometimes different goals. I believe that >>>>> developers can be trusted to use the algorithms that achieve their >>>>> applications' goals without making a hard distinction between the two. >>>> But >>>>> I'd be interested in hearing your thoughts on why you believe a >>>> brighter-line >>>>> distinction might be useful or necessary. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> It's important if you want to do MACs with anything other than pre- >>>>> shared keys. If you want to do anything more advanced, you need to have >>>>> wrapped keys, in which case an object with a MAC starts to look a lot more >>>>> like a JWE than a JWS. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>>> -- Lacking clear processing instructions for different key >>>>>> >>>>>>>>>> establishment modalities >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> This seems like an area where the existing drafts could be refined >>>> to >>>>> add descriptions for additional establishment modalities, possibly based >>>>> upon your ideas and descriptions, should the working group decide to do >>>> so. >>>>> What additional modalities do you have use cases for that you believe are >>>>> not achievable or straightforward with the existing drafts? The existing >>>>> modalities supported are largely those that existing developers had told >>>> us >>>>> they needed and draw both from the precursor draft-jones-json-web-* >>>>> documents and draft-rescorla-jsms. >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> Bear in mind that the balance that the current drafts try to strike >>>> is >>>>> keeping the Mandatory to Implement (MTI) feature footprint small enough >>>>> that developers, including Web developers, are likely to adopt the specs, >>>>> while still providing enough functionality to make them generally useful. >>>> As >>>>> in any balance, it's often possible to shift things a bit and still >>>> maintain the >>>>> balance, but I'd like people to keep the ubiquitous adoption goal >>>> front-and- >>>>> center when proposing additional functionality. >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> Ubiquitous deployment and usefulness trump theoretical >>>>>> >>>>>>>>>> completeness. (Just look at XMLDSIG and XMLENC to understand >>>>>> >>>>>>>>>> that!) >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> I agree that we need to find a reasonable MTI. The current JSMS >>>> draft >>>>> doesn't really specify which parts are MTI, beyond basic things like >>>> base64url >>>>> encoding and ignoring unknown fields. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> My main concern is that JWS and JWE don't really tell me which >>>> fields >>>>> need to be present for which use case. If I'm putting a MAC on a JWS vs. >>>> a >>>>> signature, do I need "jwk" or "jku" fields to be populated? Whereas in >>>> JSMS, >>>>> I think these things are much clearer due to the separation of the use >>>> cases >>>>> (Signed/Authenticated/Encrypted) and the isolation of signatures and >>>>> wrapped keys into sub-objects. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>>> -- Lack of clear typing of objects >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> Most JSON documents aren't clearly typed; instead, developers and >>>>> implementations understand from context what the meaning of each field is. >>>>> XML is clearly typed, but developers are voting with their feet by moving >>>> to >>>>> JSON. >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> What practical advantages resulting from overlaying a typing >>>>> infrastructure on JSON do you believe are worth the potential costs of >>>> doing >>>>> so? BTW, I'm not opposed to having a JSON schema description of the JOSE >>>>> JSON data structures like JSMS did in http://tools.ietf.org/html/draft- >>>>> rescorla-jsms-00#appendix-A, but I'll remark that this an informative >>>> tool, not >>>>> a normative one. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> I actualy don't have a hugely urgent requirement here either. It's >>>>> something that others in the WG had requested, which is trivial to add in >>>>> JSMS, but not in JWE/JWS -- again because of the unnecessary integrity >>>>> protection of the header. >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>>> -- Lack of versioning for future extensibility >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> An optional version field could be added if the working group >>>>>> >>>>>>>>>> desires, however the last time the working group discussed it, they >>>>>> >>>>>>>>>> decided not to do so. Rather, specs like this effectively become >>>>>> >>>>>>>>>> "versioned" when revised in a way that new fields are added. If >>>>>> >>>>>>>>>> you understand the new fields, you support that new version. (Note >>>>>> >>>>>>>>>> that this is independent of whether there is a version number >>>>>> >>>>>>>>>> field, which according to some participants in the previous >>>>>> >>>>>>>>>> discussion, they regarded as therefore being redundant >>>>>> >>>>>>>>>> information.) >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> I'm not religious about not having a version number field, but >>>> often >>>>> "less is more". >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> Indeed, I'm not religious either. It just seems like a general good >>>> idea >>>>> to state this directly as opposed to having parsers divine it based on >>>> which >>>>> fields are present. To quote RFC 5652: >>>>>> >>>>>>>>> " >>>>>> >>>>>>>>> Each of the major data structures includes a version number as the >>>>>> >>>>>>>>> first item in the data structure. The version numbers are intended >>>>>> >>>>>>>>> to avoid ASN.1 decode errors. Some implementations do not check >>>>> the >>>>>> >>>>>>>>> version number prior to attempting a decode, and if a decode error >>>>>> >>>>>>>>> occurs, then the version number is checked as part of the error >>>>>> >>>>>>>>> handling routine. This is a reasonable approach; it places error >>>>>> >>>>>>>>> processing outside of the fast path. This approach is also >>>>>> >>>>>>>>> forgiving when an incorrect version number is used by the sender. >>>>>> >>>>>>>>> " >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> Best, >>>>>> >>>>>>>>> --Richard >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> Best wishes, >>>>>> >>>>>>>>>> -- Mike >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> -----Original Message----- >>>>>> >>>>>>>>>> From: Richard L. Barnes [mailto:rbarnes@bbn.com] >>>>>> >>>>>>>>>> Sent: Friday, June 15, 2012 3:00 PM >>>>>> >>>>>>>>>> To: Mike Jones >>>>>> >>>>>>>>>> Cc: jose@ietf.org >>>>>> >>>>>>>>>> Subject: Re: [jose] Fwd: New Version Notification for >>>>>> >>>>>>>>>> draft-barnes-jose-jsms-00.txt >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> Ok, so maybe I should have phrased my lead-in differently. IMO, >>>> the >>>>> current JW* specs are deficient in several ways, e.g.: >>>>>> >>>>>>>>>> -- Not being JSON >>>>>> >>>>>>>>>> -- Not supporting multiple recipients >>>>>> >>>>>>>>>> -- Lacking clear distinctions between signing and MAC >>>>>> >>>>>>>>>> -- Lacking clear processing instructions for different key >>>>>> >>>>>>>>>> establishment modalities >>>>>> >>>>>>>>>> -- Lack of clear typing of objects >>>>>> >>>>>>>>>> -- Lack of versioning for future extensibility >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> Looking at the current specs, it didn't seem to me that it would be >>>>> simple to adapt them to address these deficiencies. So I just did a >>>> re-write. >>>>> If you think they can be addressed within the current framework, please >>>>> explain. I just found it simpler to start from whole cloth. >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> Cheers, >>>>>> >>>>>>>>>> --Richard >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> On Jun 15, 2012, at 5:43 PM, Mike Jones wrote: >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>>> Hi Richard, >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> If you're puzzled by specific design decisions in the JOSE >>>> documents, >>>>> I encourage you to ask about them on the list. The documents have >>>>> significant history going back to mid-2010 when convergence discussions >>>>> started among people with four different JSON signing & encryption >>>>> proposals. JWT and the current JOSE specs and implementations are the >>>>> result. I realize that not all the JOSE participants were part of those >>>>> discussions from the beginning (although many were) and so teasing out the >>>>> rationale for specific decisions might help people better understand the >>>>> choices made, and hopefully thereby increase consensus behind the >>>>> eventual working group choices. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> If the list that you're puzzled by is the bulleted list below, >>>> maybe we >>>>> can start a discussion on that basis. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> Best wishes, >>>>>> >>>>>>>>>>> -- Mike >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> -----Original Message----- >>>>>> >>>>>>>>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On >>>>>> >>>>>>>>>>> Behalf Of Richard L. Barnes >>>>>> >>>>>>>>>>> Sent: Friday, June 15, 2012 2:08 PM >>>>>> >>>>>>>>>>> To: jose@ietf.org >>>>>> >>>>>>>>>>> Subject: [jose] Fwd: New Version Notification for >>>>>> >>>>>>>>>>> draft-barnes-jose-jsms-00.txt >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> Dear JOSE WG, >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> Like Mr. Manger, once I finally got around to doing a thorough >>>>> review of the JW* specs, I was kind of puzzled by some of the design >>>>> decisions. So I also went through and wrote an alternative format, this >>>> time >>>>> taking a more of a cue from CMS. A link to the document is below. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> Summary of differences: >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> o JSMS is pure JSON, whereas in JWE and JWS only the header >>>>>> >>>>>>>>>>> parameters are represented in JSON. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> o JSMS allows for full algorithm agility in key agreement, while >>>> JWE >>>>>> >>>>>>>>>>> only allows ECDH-ES. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> o JSMS supports multiple recipients for EncryptedData and >>>>>> >>>>>>>>>>> AuthenticatedData objects via the inclusion of multiple >>>>> WrappedKey >>>>>> >>>>>>>>>>> objects. Sending a JWE to multiple recipients requires re- >>>>>> >>>>>>>>>>> encryption of the entire object for each recipient. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> o The signature and MAC functions of the JWS object are separated >>>>>> >>>>>>>>>>> into SignedData and AuthenticatedData JSMS objects. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> o JSMS parameters are not integrity-protected, as they are in JWE >>>>>> >>>>>>>>>>> and JWS. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> o The "typ" and "zip" parameters are not defined in JSMS, but >>>> could >>>>>> >>>>>>>>>>> be added without significant change. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> o JSMS requires that recipients MUST ignore unknown header >>>>>> >>>>>>>>>>> parameters, in order to facilitate extensibility. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> I've also thrown together an initial JavaScript implementation >>>> (based >>>>> on NodeJS for some python crypto glue), which is on github: >>>>>> >>>>>>>>>>> <https://github.com/bifurcation/jsms> >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> Comments are very welcome. >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> Thanks, >>>>>> >>>>>>>>>>> --Richard >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> Begin forwarded message: >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>>> From: internet-drafts@ietf.org >>>>>> >>>>>>>>>>>> Subject: New Version Notification for >>>>>> >>>>>>>>>>>> draft-barnes-jose-jsms-00.txt >>>>>> >>>>>>>>>>>> Date: June 15, 2012 4:56:09 PM EDT >>>>>> >>>>>>>>>>>> To: rbarnes@bbn.com >>>>>> >>>>>>>>>>>> >>>>>> >>>>>>>>>>>> >>>>>> >>>>>>>>>>>> A new version of I-D, draft-barnes-jose-jsms-00.txt has been >>>>>> >>>>>>>>>>>> successfully submitted by Richard Barnes and posted to the IETF >>>>>> >>>>>>>>>>>> repository. >>>>>> >>>>>>>>>>>> >>>>>> >>>>>>>>>>>> Filename: draft-barnes-jose-jsms >>>>>> >>>>>>>>>>>> Revision: 00 >>>>>> >>>>>>>>>>>> Title: JavaScript Message Security Format >>>>>> >>>>>>>>>>>> Creation date: 2012-06-15 >>>>>> >>>>>>>>>>>> WG ID: Individual Submission >>>>>> >>>>>>>>>>>> Number of pages: 25 >>>>>> >>>>>>>>>>>> URL: >>>> http://www.ietf.org/internet-drafts/draft-barnes-jose- >>>>> jsms-00.txt >>>>>> >>>>>>>>>>>> Status: >>>> http://datatracker.ietf.org/doc/draft-barnes-jose-jsms >>>>>> >>>>>>>>>>>> Htmlized: >>>> http://tools.ietf.org/html/draft-barnes-jose-jsms-00 >>>>>> >>>>>>>>>>>> >>>>>> >>>>>>>>>>>> >>>>>> >>>>>>>>>>>> Abstract: >>>>>> >>>>>>>>>>>> Many applications require the ability to send cryptographically >>>>>> >>>>>>>>>>>> secured messages. While the IETF has defined a number of >>>>> formats >>>>>> >>>>>>>>>>>> for such messages (e.g. CMS) those formats use encodings which >>>>>> >>>>>>>>>>>> are not easy to use in modern applications. This document >>>>>> >>>>>>>>>>>> describes the JavaScript Message Security format (JSMS), a new >>>>>> >>>>>>>>>>>> cryptographic message format which is based on JavaScript Object >>>>>> >>>>>>>>>>>> Notation (JSON) and thus is easy for many applications to >>>> generate >>>>> and parse. >>>>>> >>>>>>>>>>>> >>>>>> >>>>>>>>>>>> >>>>>> >>>>>>>>>>>> >>>>>> >>>>>>>>>>>> >>>>>> >>>>>>>>>>>> The IETF Secretariat >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> _______________________________________________ >>>>>> >>>>>>>>>>> jose mailing list >>>>>> >>>>>>>>>>> jose@ietf.org >>>>>> >>>>>>>>>>> https://www.ietf.org/mailman/listinfo/jose >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> >>>>>> >>>>>>>>>>> _______________________________________________ >>>>>> >>>>>>>>>>> jose mailing list >>>>>> >>>>>>>>>>> jose@ietf.org >>>>>> >>>>>>>>>>> https://www.ietf.org/mailman/listinfo/jose >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> >>>>>> >>>>>>>>>> _______________________________________________ >>>>>> >>>>>>>>>> jose mailing list >>>>>> >>>>>>>>>> jose@ietf.org >>>>>> >>>>>>>>>> https://www.ietf.org/mailman/listinfo/jose >>>>>> >>>>>>>>> >>>>>> >>>>>>>>> _______________________________________________ >>>>>> >>>>>>>>> jose mailing list >>>>>> >>>>>>>>> jose@ietf.org >>>>>> >>>>>>>>> https://www.ietf.org/mailman/listinfo/jose >>>>>> >>>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> jose mailing list >>>>>> jose@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/jose >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Nat Sakimura (=nat) >>>>>> Chairman, OpenID Foundation >>>>>> http://nat.sakimura.org/ >>>>>> @_nat_en >>>>>> >>>>>> _______________________________________________ >>>>>> jose mailing list >>>>>> jose@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/jose >>>>> >>>>> _______________________________________________ >>>>> jose mailing list >>>>> jose@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/jose >>>> >>>> _______________________________________________ >>>> jose mailing list >>>> jose@ietf.org >>>> https://www.ietf.org/mailman/listinfo/jose >>> >>> _______________________________________________ >>> jose mailing list >>> jose@ietf.org >>> https://www.ietf.org/mailman/listinfo/jose >> >
- [jose] Fwd: New Version Notification for draft-ba… Richard L. Barnes
- Re: [jose] Fwd: New Version Notification for draf… Mike Jones
- Re: [jose] Fwd: New Version Notification for draf… Mike Jones
- Re: [jose] Fwd: New Version Notification for draf… Richard L. Barnes
- Re: [jose] Fwd: New Version Notification for draf… Mike Jones
- Re: [jose] Fwd: New Version Notification for draf… Mike Jones
- Re: [jose] Fwd: New Version Notification for draf… Breno de Medeiros
- Re: [jose] Fwd: New Version Notification for draf… Nat Sakimura
- Re: [jose] Fwd: New Version Notification for draf… John Bradley
- Re: [jose] Fwd: New Version Notification for draf… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Breno de Medeiros
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Mike Jones
- Re: [jose] New Version Notification for draft-bar… Nat Sakimura
- Re: [jose] New Version Notification for draft-bar… Brian Campbell
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Brian Campbell
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Mike Jones
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Richard L. Barnes
- Re: [jose] New Version Notification for draft-bar… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… Anthony Nadalin
- Re: [jose] New Version Notification for draft-bar… Jim Schaad
- Re: [jose] New Version Notification for draft-bar… John Bradley
- Re: [jose] New Version Notification for draft-bar… Matt Miller
- [jose] protected attributes Manger, James H
- Re: [jose] protected attributes Richard L. Barnes
- Re: [jose] protected attributes Jim Schaad
- Re: [jose] protected attributes Manger, James H
- Re: [jose] protected attributes Richard L. Barnes
- Re: [jose] protected attributes Manger, James H
- Re: [jose] protected attributes Stephen Kent
- Re: [jose] protected attributes Richard L. Barnes