IETF Logo Mail Archive

Re: [jose] Proposal about the SPI proposal

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 09 February 2013 13:39 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2C6021F8A72 for <jose@ietfa.amsl.com>; Sat, 9 Feb 2013 05:39:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.455
X-Spam-Level:
X-Spam-Status: No, score=-102.455 tagged_above=-999 required=5 tests=[AWL=0.144, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sO3f10v6LzVK for <jose@ietfa.amsl.com>; Sat, 9 Feb 2013 05:39:33 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4DE21F8A71 for <jose@ietf.org>; Sat, 9 Feb 2013 05:39:33 -0800 (PST)
Received: from mailout-de.gmx.net ([10.1.76.28]) by mrigmx.server.lan (mrigmx002) with ESMTP (Nemesis) id 0M21kz-1UwyER2SQV-00tyUk for <jose@ietf.org>; Sat, 09 Feb 2013 14:39:32 +0100
Received: (qmail invoked by alias); 09 Feb 2013 13:39:32 -0000
Received: from a88-115-219-140.elisa-laajakaista.fi (EHLO [192.168.100.100]) [88.115.219.140] by mail.gmx.net (mp028) with SMTP; 09 Feb 2013 14:39:32 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1/4+Ep9g4X4NGs0hV7tcEFHRGcdv8c46ERw1fTR3B tF8p3O5QhLgi32
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="us-ascii"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <CA+k3eCTo_=P_SQCG_ypiksVb-bfjuJ4Q9vt4r10wpuKPbFUWBg@mail.gmail.com>
Date: Sat, 09 Feb 2013 15:39:29 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <AB408A7C-38AA-480D-B5E5-9DBBA8A165B7@gmx.net>
References: <CA+k3eCTo_=P_SQCG_ypiksVb-bfjuJ4Q9vt4r10wpuKPbFUWBg@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.1085)
X-Y-GMX-Trusted: 0
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Proposal about the SPI proposal
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Feb 2013 13:39:35 -0000

I would suggest that we forget the SPI proposal and fix the text for the key id proposal in the three proposals. 
kid and spi are actually doing the same. 

The requirements for key naming are: 
 * The value is used to select the key
 * It has to uniquely select the key.
 * If you cannot find the key corresponding then this must lead to an error.

Here is from example text about key naming from RFC 4962: 

      Uniquely named keys

         AAA key management proposals require a robust key naming
         scheme, particularly where key caching is supported.  The key
         name provides a way to refer to a key in a protocol so that it
         is clear to all parties which key is being referenced.  Objects
         that cannot be named cannot be managed.  All keys MUST be
         uniquely named, and the key name MUST NOT directly or
         indirectly disclose the keying material.  If the key name is
         not based on the keying material, then one can be sure that it
         cannot be used to assist in a search for the key value.


Here is the text from draft-ietf-jose-json-web-encryption-08: 

4.1.10.  "kid" (Key ID) Header Parameter

   The "kid" (key ID) header parameter is a hint indicating which key
   was used to encrypt the JWE; this can be used to determine the
   private key needed to decrypt the JWE.  This parameter allows
   originators to explicitly signal a change of key to recipients.
   Should the recipient be unable to locate a key corresponding to the
   "kid" value, they SHOULD treat that condition as an error.  The
   interpretation of the "kid" value is unspecified.  Its value MUST be
   a string.  Use of this header parameter is OPTIONAL.

   When used with a JWK, the "kid" value MAY be used to match a JWK
   "kid" parameter value.


My proposal would be: 

----
4.1.10.  "kid" (Key ID) Header Parameter

   The "kid" (key ID) header parameter indicates which key and  
   associated parameters were used to encrypt the JWE.  
   This parameter also allows
   originators to explicitly signal a change of key to recipients.
   Should the recipient be unable to locate a key corresponding to the
   "kid" value, they MUST treat that condition as an error.  

   The value in the "kid" MUST be treated as a a case sensitive string.
   Use of this header parameter is OPTIONAL.

----

Here is the text from draft-ietf-jose-json-web-signature-08:

4.1.7.  "kid" (Key ID) Header Parameter

   The "kid" (key ID) header parameter is a hint indicating which key
   was used to secure the JWS.  This parameter allows originators to
   explicitly signal a change of key to recipients.  Should the
   recipient be unable to locate a key corresponding to the "kid" value,
   they SHOULD treat that condition as an error.  The interpretation of
   the "kid" value is unspecified.  Its value MUST be a string.  Use of
   this header parameter is OPTIONAL.

   When used with a JWK, the "kid" value MAY be used to match a JWK
   "kid" parameter value.

My proposal would be: 

----
4.1.7.  "kid" (Key ID) Header Parameter

   The "kid" (key ID) header parameter is a hint indicating which key
   was used to secure the JWS.  This parameter allows originators to
   explicitly signal a change of key to recipients.  Should the
   recipient be unable to locate a key corresponding to the "kid" value,
   they SHOULD treat that condition as an error.  The interpretation of
   the "kid" value is unspecified.  Its value MUST be a string.  Use of
   this header parameter is OPTIONAL.

   The "kid" (key ID) header parameter indicates which key and  
   associated parameters were used for the digital signature and  
   the keyed message digest computation of the JWS.   
   This parameter also allows
   originators to explicitly signal a change of key to recipients.
   Should the recipient be unable to locate a key corresponding to the
   "kid" value, they MUST treat that condition as an error.  

   The value in the "kid" MUST be treated as a a case sensitive string.  
   Use of this header parameter is OPTIONAL.
----

Here is the text from draft-ietf-jose-json-web-key-08: 

4.4.  "kid" (Key ID) Parameter

   The "kid" (key ID) member can be used to match a specific key.  This
   can be used, for instance, to choose among a set of keys within a JWK
   Set during key rollover.  The interpretation of the "kid" value is
   unspecified.  Key ID values within a JWK Set need not be unique.  The
   "kid" value is a case sensitive string.  Use of this member is
   OPTIONAL.

   When used with JWS or JWE, the "kid" value MAY be used to match a JWS
   or JWE "kid" header parameter value.

   In some contexts, different keys using the same Key ID value might be
   present, with the keys being disambiguated using other information,
   such as the "kty" or "use" values.  For example, imagine "kid" values
   like "Current", "Upcoming", and "Deprecated", used for key rollover
   guidance.  One could apply a label to all keys where the
   classification fits.  If there are multiple "Current" keys, then in
   this example, they might be differentiated either by having different
   "kty" or "use" values, or some combination of both.  As one example,
   there might only be one current RSA signing key and one current
   Elliptic Curve signing key, but both would be "Current".

My proposal would be: 

----

4.4.  "kid" (Key ID) Parameter

   The "kid" (key ID) header parameter indicates the name of the key.  The key 
   id must be unique for the specific context so that the recipient is able to 
   determine what key to use for a cryptographic operation without additional information. 
   This parameter also allows  originators to explicitly signal a change of 
   key to recipients. Should the recipient be unable to locate a key corresponding to the
   "kid" value, they MUST treat that condition as an error.  

   When the JSON Web Key payload is used together with a JWS or a JWE
   and the "kid" value matches the value in the JWS
   or JWE "kid" header parameter value then a key transport mechanism is
  used, i.e., the key itself is attached to the JWS or the JWE payload.  

-----

Notice that I changed the description for the JSON Web Key quite a bit since this non-uniqueness description was a bit of nonsense. 
If you have the ability to uniquely name the key using a kid then why wouldn't you want to do it. This simplifies implementations. 

Ciao
Hannes


On Feb 9, 2013, at 1:01 AM, Brian Campbell wrote:

> Maybe this was apparent from my comments/questions on the SPI proposal over the last couple days[1] but I have concerns that run the gamut from operational complexity and fragility to security problems. I believe strongly that, without considerably more analysis and specification detail, the current SPI work is much too risky to consider go in the current base JOSE WG drafts.
> 
> As an alternative I'd like to request/propose that the SPI stuff be submitted as new I-D to help facilitate that additional discussion and analysis that I think it needs.
> 
> Thanks,
> Brian
> 
> [1] http://www.ietf.org/mail-archive/web/jose/current/msg01500.html
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email