[jose] [Technical Errata Reported] RFC8037 (5329)
RFC Errata System <rfc-editor@rfc-editor.org> Tue, 17 April 2018 20:30 UTC
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F8BE126D05 for <jose@ietfa.amsl.com>; Tue, 17 Apr 2018 13:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9NC67v2jIWhz for <jose@ietfa.amsl.com>; Tue, 17 Apr 2018 13:30:52 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83D1B120725 for <jose@ietf.org>; Tue, 17 Apr 2018 13:30:52 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 414FCB8358A; Tue, 17 Apr 2018 13:30:44 -0700 (PDT)
To: ilariliusvaara@welho.com, kaduk@mit.edu, ekr@rtfm.com, odonoghue@isoc.org, ietf@augustcellars.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: neil.madden@forgerock.com, jose@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20180417203044.414FCB8358A@rfc-editor.org>
Date: Tue, 17 Apr 2018 13:30:44 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/wfnqQUG3JbLtO3_l-vPkOlkuIOs>
Subject: [jose] [Technical Errata Reported] RFC8037 (5329)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Apr 2018 20:30:54 -0000
The following errata report has been submitted for RFC8037, "CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata/eid5329 -------------------------------------- Type: Technical Reported by: Neil Madden <neil.madden@forgerock.com> Section: 4 Original Text ------------- The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix keys into the final shared secret. In key exchange, such mixing could be a bad mistake; whereas here either the receiver public key has to be chosen maliciously or the sender has to be malicious in order to cause problems. In either case, all security evaporates. Corrected Text -------------- The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix keys into the final shared secret unless they are included in the "apu" or "apv" claims. It is recommended to include the public keys of both parties in the key derivation. Notes ----- There are two technical errors here. Firstly, the JWA ECDH-ES KDF does allow for mixing keys into the final shared secret via the "apu" and "apv" claims. RFC 7518 (JWA) normatively references NIST SP.800-56A, which explicitly recommends doing this. Secondly, it is not clear what the security issue is here, as there are known security issues in some cases from *not* mixing in public keys and other identifiers, as described in SP.800-56Ar3 Appendix B, and in the Security Considerations of RFC 7748 (another normative reference), which states: "Thus using a public key as an identifier and knowledge of a shared secret as proof of ownership (without including the public keys in the key derivation) might lead to subtle vulnerabilities." Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC8037 (draft-ietf-jose-cfrg-curves-06) -------------------------------------- Title : CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE) Publication Date : January 2017 Author(s) : I. Liusvaara Category : PROPOSED STANDARD Source : Javascript Object Signing and Encryption Area : Security Stream : IETF Verifying Party : IESG
- [jose] [Technical Errata Reported] RFC8037 (5329) RFC Errata System