IETF Logo Mail Archive

Re: [jose] JOSE dependence on "Key Guessing"

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 07 February 2018 07:18 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31C8B1205D3 for <jose@ietfa.amsl.com>; Tue, 6 Feb 2018 23:18:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6gzcSnbpaHel for <jose@ietfa.amsl.com>; Tue, 6 Feb 2018 23:18:53 -0800 (PST)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58CF81204DA for <jose@ietf.org>; Tue, 6 Feb 2018 23:18:53 -0800 (PST)
Received: by mail-wm0-x22c.google.com with SMTP id 141so1205070wme.3 for <jose@ietf.org>; Tue, 06 Feb 2018 23:18:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=BgjxQle0O1TONJLnGlz2yLne/wFucjrnZQZZEal6nn8=; b=Zf/x3eWrdxFb+cfIFYNQ6LynSlZ1Z0LURKOqNgjwp9YfwC7BGHHQO5nQ7EJQuxJb6i icR9xY+PpJyS7sS+RVhKPGx0dhEAOGxpoyiy+rJdMpeG+0ejK0YwNGam5f0AIGgn59BT ruRmGgxaXBckdqEps8gi0lWj5hKyUU3JiinuUGIhQVUGqB6qbyAlTIgKIGg4kF3HvbtD x30GoMpqq230VCtgTPNqeXzxfasDUPGrrTFoUNu+KSSvPHLupyYGQiWNwcGeCCMRYNsG Ut8OCJnj52rEJEaVmMGd0s1CJm4ITBWHoklBaBVQVyRYftC7IqvP/7JvZD5wQOrKHUYc HWcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=BgjxQle0O1TONJLnGlz2yLne/wFucjrnZQZZEal6nn8=; b=g3Vd31GGnO3WXUWVt1CWqiybZHQbCwMiEZw9mvDLGknawOev9ydaNxQk6nIIJnVv7X dfRmWl5o6HfINYyWsRE+9NTmrrq8CTB0iIQ6O0CiO22wbX3FmevU8ZFJRYlh8+MpA4qD J2mRFS3O8YRTCuGpgFZIr0NgC5IfNW7dbfphCWLjPSd4Hek1qZCEXCeI3TXTUEPzmF5X 6A1sb/ovE7i1NzybBp85SnXFZs2ddIL/gLXYbnP+IgKkEO4qHYaLsKsMLVRUzB3eHKCy TI/zZcdJZUR0UWUW04NBkZZwEaydfmKJL+JVJEfNOu0ystFu+2WBFB66Pkko2Snxd9RB bUMA==
X-Gm-Message-State: APf1xPBrxPQolD72NGk2AR40aJ2unQVhs5fdZmmq/4t7+oaILOl60jKe VV90AjYJyFhxwPAQAcgbP8eOBA==
X-Google-Smtp-Source: AH8x224CnJpoPgQnkgKwmQx8Kql0j/l7PFcs/eNzUgc+LbyfgXU1kLpDSi3XpAeSEzIu/Uv+WEWtEw==
X-Received: by 10.80.149.136 with SMTP id w8mr7109348eda.70.1517987931512; Tue, 06 Feb 2018 23:18:51 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id 30sm677884edz.63.2018.02.06.23.18.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 06 Feb 2018 23:18:50 -0800 (PST)
To: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
References: <6b3f854d-f370-8f94-12ca-0f8ae0051362@gmail.com> <SN6PR2101MB09437284FC84E3154BC8C64EF5FC0@SN6PR2101MB0943.namprd21.prod.outlook.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <e3c7e41b-ad42-828f-86d4-ef77c2c26292@gmail.com>
Date: Wed, 07 Feb 2018 08:18:50 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <SN6PR2101MB09437284FC84E3154BC8C64EF5FC0@SN6PR2101MB0943.namprd21.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/y8_ve0Xh516bfqnfGJaoMWFJO8E>
Subject: Re: [jose] JOSE dependence on "Key Guessing"
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 07:18:55 -0000

On 2018-02-07 07:22, Mike Jones wrote:
> Anders, you misunderstand the feature and its purpose.  The ability to reference a set of keys is essential to performing key roll-over - a critical security function.  The "kid" (key ID) value is typically used to indicate which member of the key set was employed.  There is no "key guessing".
> 
> For an example of how JWK sets are used for key roll-over in a production system, see http://openid.net/specs/openid-connect-core-1_0.html#Signing.

    "If there are multiple keys in the referenced JWK Set document,
     a kid value MUST be provided in the JOSE Header"

This is what I was referring to. JKU as a standalone property is useless unless the set of keys is restricted to 1.

This is not mentioned in the JOSE specifications but fundamental for interoperabiity and testing.
The OpenID scheme does not only presume that there's an additional "kid" in the header, but that the referred key set also contains matching "kid"s.

Maybe the "right" solution is providing an interoperability section with a reference to JKU as well?

My (strong) wish is getting away from any kind of key guessing as a part of a test suite and reference implementation.  Yes, the are indeed JOSE implementations that support key guessing.

BTW, the spec you are referring to doesn't appear to actually use JKU:

    "ID Tokens SHOULD NOT use the JWS or JWE x5u, x5c, jku, or jwk Header Parameter fields.
     Instead, references to keys used are communicated in advance using
     Discovery and Registration parameters, per Section 10"

Anders

> 
> 				-- Mike
> 
> -----Original Message-----
> From: jose <jose-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Tuesday, February 6, 2018 10:03 PM
> To: jose@ietf.org
> Subject: [jose] JOSE dependence on "Key Guessing"
> 
> Dear list,
> 
> Believe or not but there is a new multi-party IETF effort in the workings for dealing with "clear text" versions of JWS and JWE.  Our BOF request was though turned down due to lack of published drafts and "customers" so issues will have to go through the mailing list only.
> 
> The goal is reusing as much as possible of the existing specifications, essentially limiting the work to repackaging.
> 
> However, it turned out that I wasn't fully up-to-date on the JOSE concept "Key Guessing":
> https://tools.ietf.org/html/rfc7515#appendix-D
> 
> As far I can tell they only way you would ever need to do "Key Guessing" as described in appendix-D is if you have a scheme where the sender doesn't inform the receiver which key it actually used which sounds like a poor idea as well as highly unlikely to be used anywhere in practice.
> 
> Therefore I didn't bother too much with that until I had implemented support for JKU where the sender supplies a URL to a set of keys for the receiver to try out.  That is, "Key Guessing" is not only a possibility, it is an intrinsic part of the JOSE specifications.
> 
> So the question simply boils down to: Should derived standards-to-be, inherit obvious design flaws as well? IMO, they should not.  JKU could be redefined to point to a single JWK, removing the need for "Key Guessing" altogether.  Yes, there are "workarounds" like requiring additional key identification properties...
> 
> thanx,
> Anders
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

v2.23.0 | Report a Bug | By Email