Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Tue, 14 October 2014 12:48 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F80A1A87C4; Tue, 14 Oct 2014 05:48:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.902
X-Spam-Level:
X-Spam-Status: No, score=-0.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o9zcJcJcxiFQ; Tue, 14 Oct 2014 05:48:45 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0759.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:759]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D87451A87C0; Tue, 14 Oct 2014 05:48:44 -0700 (PDT)
Received: from BN3PR0301CA0064.namprd03.prod.outlook.com (25.160.152.160) by CY1PR0301MB1209.namprd03.prod.outlook.com (25.161.212.143) with Microsoft SMTP Server (TLS) id 15.0.1049.19; Tue, 14 Oct 2014 12:48:21 +0000
Received: from BL2FFO11FD048.protection.gbl (2a01:111:f400:7c09::167) by BN3PR0301CA0064.outlook.office365.com (2a01:111:e400:401e::32) with Microsoft SMTP Server (TLS) id 15.0.1049.19 via Frontend Transport; Tue, 14 Oct 2014 12:48:21 +0000
Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD048.mail.protection.outlook.com (10.173.161.210) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Tue, 14 Oct 2014 12:48:20 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.03.0210.003; Tue, 14 Oct 2014 12:48:11 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Pete Resnick <presnick@qti.qualcomm.com>, The IESG <iesg@ietf.org>
Thread-Topic: Pete Resnick's Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
Thread-Index: Ac/nrRedEkDpT0JfTyehOfg7LID03Q==
Date: Tue, 14 Oct 2014 12:48:10 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB0D3A2@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(51704005)(199003)(51414003)(13464003)(24454002)(189002)(377454003)(43784003)(52044002)(15594002)(23676002)(64706001)(84676001)(44976005)(19580405001)(19580395003)(6806004)(66066001)(46102003)(2656002)(47776003)(69596002)(68736004)(50466002)(15975445006)(20776003)(85306004)(87936001)(33656002)(80022003)(85806002)(26826002)(50986999)(15202345003)(85852003)(31966008)(54356999)(81156004)(106466001)(76482002)(55846006)(95666004)(21056001)(92566001)(97736003)(551544002)(230783001)(92726001)(86362001)(551984002)(4396001)(120916001)(104016003)(86612001)(77096002)(99396003)(107046002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB1209; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB1209;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03648EFF89
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/zE_deoV1ZF1IihAVvMxu3Yne-6g
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "draft-ietf-jose-json-web-algorithms@tools.ietf.org" <draft-ietf-jose-json-web-algorithms@tools.ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 12:48:47 -0000

The proposed resolutions below have been incorporated in the -34 drafts.  Plus I deleted the convoluted "MUST not overlap" language that you rightly took exception to.

Note that Stephen Farrell stood up for having implementation requirements on the telechat and in his comments.  Also note that Jim Schaad stood up for the choice of UTF-8 over ASCII, for internationalization reasons.  No specific additional guidance has been proposed in this discussion thread to give to the designated experts about registering algorithm names - also per Jim's input.

Hopefully you will be able to clear your DISCUSSes on that basis.  I look forward to your response.

				Thanks again,
				-- Mike

> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Saturday, October 04, 2014 6:07 PM
> To: Pete Resnick; The IESG
> Cc: jose-chairs@tools.ietf.org; jose@ietf.org; draft-ietf-jose-json-web-
> algorithms@tools.ietf.org
> Subject: Re: [jose] Pete Resnick's Discuss on draft-ietf-jose-json-web-
> algorithms-33: (with DISCUSS and COMMENT)
> 
> Thanks for your review, Pete.  I'm adding the working group so they’re aware of
> these comments.  At Stephen Farrell's request, I'm responding with "> " line
> prefixes on previous thread content.  I'm also repeating (and in some cases,
> augmenting) my previous responses to the DISCUSS comments in this
> consolidated response.
> 
> > -----Original Message-----
> > From: Pete Resnick [mailto:presnick@qti.qualcomm.com]
> > Sent: Wednesday, October 01, 2014 8:04 PM
> > To: The IESG
> > Cc: jose-chairs@tools.ietf.org; draft-ietf-jose-json-web-
> > algorithms@tools.ietf.org
> > Subject: Pete Resnick's Discuss on
> > draft-ietf-jose-json-web-algorithms-33: (with DISCUSS and COMMENT)
> >
> > Pete Resnick has entered the following ballot position for
> > draft-ietf-jose-json-web-algorithms-33: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> >
> > Please refer to
> > http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-algorithms/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Moving this first one from a comment to a discuss in light of
> > Richard's
> > comment:
> >
> > 3.1/4.1/5.1/6.1: Why are there implementation requirements in this
> document?
> > I am also curious, as Richard is, whether these are going to be used
> > at all, and I'd like to hear the explanation that the WG had for
> > including these. Are implementation requirements for JOSE different
> > from implementation requirements for any other use of signing or
> > encryption for each of these algorithms? Don't we already have a
> > separate general registry of algorithms and their implementation statuses?
> Why are these necessary?
> 
> There are implementation requirements so that implementations will actually be
> interoperable in practice and not just in theory.  This was discussed by the
> working group as issue #10 http://trac.tools.ietf.org/wg/jose/trac/ticket/10 and
> the chairs made a call to keep the implementation requirements, based upon
> IESG feedback that MTI features are required to enabling interoperability during
> chartering discussions, as well as based upon feedback from some working
> group members.
> 
> > 4.6.2: AlgorithmID. UTF-8 has me worried here. It has me more worried
> > in 4.8, but we'll talk about that later. Here, aren't all "enc" and "alg"
> > values US-ASCII anyway? Saying US-ASCII here would solve the problem,
> > so unless you think you're going to have the MötleyCrüe algorithm,
> > perhaps we can avoid any concerns for this case. (My concern is that you can
> have "interesting"
> > UTF-8 strings with ZERO-WIDTH JOINERs and other nonsense that you
> > probably don't mean to address.
> 
> Even if people used pathological Unicode characters, the exact-match string
> comparison rules would handle this OK.  In practice, what I think we should do is
> provide guidance in the IANA registry instructions that only reasonable,
> displayable Unicode character sequences be registered.  I’m reluctant to tell
> people using non-US character sets that they can’t use printable glyphs from
> their own languages.  Do people have a suggestion what language this guidance
> should contain?
> 
> > 4.8:
> >
> >    The PBES2 password input is an
> >    octet sequence; if the password to be used is represented as a text
> >    string rather than an octet sequence, the UTF-8 encoding of the text
> >    string MUST be used as the octet sequence.
> >
> > This one worries me a lot. It's one thing to say that the password is
> > an octet sequence and the application above is responsible for
> > collecting it from the user and passing it in the correct form. But to
> > say down here in the guts that it MUST be UTF-8 brings up all sorts of
> > ugly questions regarding normalization. I don't think you want to
> > touch this with a 10-foot-pole. I certainly thing you want to stay away from
> that MUST.
> 
> To achieve interoperation, some encoding has to be specified, and UTF-8 seems
> like the best choice.  Restricting human-visible passwords to ASCII isn’t
> reasonable for most cultures.
> 
> > 4.8.1.1: Same as 4.6.2.
> 
> Same answer.
> 
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > For the life of me, I can't figure out why this document set uses the
> > terminology "JSON Web Foo". Seems like buzzword nonsense. I would have
> > much preferred "JOSE Foo" for each one.
> 
> The etymology of the term "JSON Web Token" is that the "JSON Web Token"
> was conceived of as a JSON-based replacement for the "Simple Web Token".
> The relationship between JWTs and SWTs is described in Appendix C of the JWT
> spec.  When the signature encoding description was split out of the JWT spec,
> the natural name was "JSON Web Signature".  The JWE, JWK, and JWA names
> soon followed.
> 
> > 3.2:
> >
> >    A key of the same size as the hash output (for instance, 256 bits for
> >    "HS256") or larger MUST be used with this algorithm.
> >
> > Is this specific to JOSE, or is this a general requirement for use of
> > SHA-2? If the latter, a reference would be better than a MUST in here.
> 
> This is an additional requirement imposed by the JOSE use of this algorithm.  (I
> believe this requirement was proposed by ekr.)
> 
> > [There are many things in the document that look like algorithm
> > requirements and not JOSE requirements. I've noted a few more below,
> > but these should be looked for generally. If something is part of the
> > definition of the algorithm and documented elsewhere, no need to have
> > requirements language, let alone a description of how to run the
> > algorithm, in this document; that should be an external reference.]
> 
> Another example is that we require 2048 bit keys or larger for RSA signatures.
> This is informed by the NIST algorithm usage requirements.  Per ekr's input
> during the BoF that led to JOSE, there's no point in allowing the use of
> deprecated algorithms or key sizes in a new cryptographic format.
> 
> > In the 5th paragraph (the one right after the table), strike
> > everything after the first sentence. Decoding and encoding are things
> > that are JWS specific and should not be in this document.
> 
> In numerous cases, this document is intentionally about how JOSE uses these
> algorithms and not purely about abstract algorithms.  The particular text you
> cite is there to help developers get the validation right, and explains two ways
> that it can be correctly coded.  Another example of where the JWA document is
> intentionally JOSE specific is that the PBES2 algorithms define Header Parameter
> values.
> 
> > 3.3/3.5/4/2/4.3:
> >
> >    A key of size 2048 bits or larger MUST be used with this algorithm.
> >
> > Is this specific to JOSE, or is this a general requirement for use of RSA?
> 
> This is informed by NIST's current guidance on how to use RSA.
> 
> > 3.6: This section seems to be for the JWS document, not this one. If
> > you want to define the "None" algorithm, go ahead and do that, but
> > describing its use in JWS doesn't belong here.
> 
> This section defines the algorithm identifier "none" and its meaning.  An early
> working group decision was that all algorithm identifiers would reside in the JWA
> document and not the JWA, JWE, or JWK specifications.
> 
> > 4.6:
> >
> >    A new ephemeral public key value MUST be generated for each key
> >    agreement operation.
> >
> > Again, specific to JOSE, or requirement of ECDH-ES?
> 
> I believe that this is a JOSE requirement which may be more conservative than
> strictly required, but was included to err on the side of both security and
> simplicity.  Without this simple requirement, developers would be likely to use
> ECDH-ES insecurely.
> 
> >    In Direct Key Agreement mode, the output of the Concat KDF MUST be a
> >    key of the same length as that used by the "enc" algorithm.
> >
> > and
> >
> >    In Key Agreement with Key Wrapping mode, the output of the Concat KDF
> >    MUST be a key of the length needed for the specified key wrapping
> >    algorithm.
> >
> > s/MUST/will?
> 
> MUST.  The caller of Concat passes the desired length as an input parameter.
> 
> > 4.6.1.2/4.6.1.3: These are not very well defined, and it's not clear
> > why they need to be base64ed. What are they?
> 
> These are parameters of the Concat KDF.  Their primary definitions are in
> Section 5.8.1 of [NIST.800-56A].  They need to be base64url encoded because
> JSON can't represent arbitrary binary octet sequences.
> 
> > 5.2.2.1:
> >
> >        Here we denote the number of octets in the MAC_KEY as
> >        MAC_KEY_LEN, and the number of octets in ENC_KEY as
> > ENC_KEY_LEN;
> >
> > Oh, dear. That's a pretty convoluted way of saying (I think)
> > "MAC_KEY_LEN is the number of octets in MAC_KEY and ENC_KEY_LEN is the
> > number of octets in ENC_KEY." If you mean something different, you best
> explain.
> 
> Yes, that's what is meant.  I'll try to reword this to use less convoluted language.
> 
> >        the values of these parameters are specified by the Authenticated
> >        Encryption algorithms in Sections 5.2.3 through 5.2.5.
> >        The number of octets in the input key K MUST be the sum of
> >        MAC_KEY_LEN and ENC_KEY_LEN.
> >
> > "MUST"? Do you mean "is"?
> 
> Ironically, in his secdir review, Charlie Kaufman requested that the language be
> changed from "is" to "MUST be", hence the present wording.  He wrote:
> 
> Section 5.2.2.1 says "The number of octets in the input key K is the sum of
> MAC_KEY_LEN and ENC_KEY_LEN." I believe it would be better to say
> something like "MUST BE the sum". The text goes on to say that the two keys
> must not overlap, but it is also important that an implementation not tolerate a
> gap between the two keys is a too large key is provided.
> 
> >        When generating the secondary keys
> >        from K, MAC_KEY and ENC_KEY MUST NOT overlap.
> >
> > Isn't that completely redundant? If length of K is the sum of
> > MAC_KEY_LEN and ENC_KEY_LEN, then MAC_KEY and ENC_KEY *can't*
> overlap.
> 
> This text was written by David McGrew.  I agree that it's redundant (although
> correct), but I retained it on the assumption that he put it there for a reason.
> 
> > 6.2: s/MUST be/is
> 
> OK
> 
> 				Thanks again,
> 				-- Mike
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose