Re: [jose] #27: member names MUST be unique needs additional text

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 27 June 2013 06:30 UTC

From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Tim Bray <tbray@textuality.com>
Date: Thu, 27 Jun 2013 16:29:58 +1000
Thread-Topic: [jose] #27: member names MUST be unique needs additional text
Thread-Index: Ac5y/csF1c6qnG6VTGGz8Tyy5Pl0wgAABhBQ
Message-ID: <255B9BB34FB7D647A506DC292726F6E1151BEDDD3C@WSMSG3153V.srv.dir.telstra.com>
References: <061.bb7bbe0b618ec6b74904f48bdb9bb312@trac.tools.ietf.org> <076.a597050ecb4fb25084cec65f7174dc7e@trac.tools.ietf.org> <033b01ce729b$26ff5c90$74fe15b0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789B4CC@TK5EX14MBXC283.redmond.corp.microsoft.com> <03b401ce72e5$002c65f0$008531d0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789D4EA@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAHBU6ivNow2xhDvRj7gG2gmHQ+C-ejEHCQubK=LwUtrXxdW6MA@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151BE45737@WSMSG3153V.srv.dir.telstra.com> <CAHBU6itHZ4NvGLyRqfDFaC9gkWD1_6dxhY=uVmwpyL+5Ay+j2w@mail.gmail.com>
In-Reply-To: <CAHBU6itHZ4NvGLyRqfDFaC9gkWD1_6dxhY=uVmwpyL+5Ay+j2w@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E1151BEDDD3CWSMSG3153Vsrv_"
MIME-Version: 1.0
Cc: Mike Jones <Michael.Jones@microsoft.com>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>
Subject: Re: [jose] #27: member names MUST be unique needs additional text
Precedence: list

Most JSON libraries that silently accept [sob] dupe keys at least consistently use the last key. Allowing just that behaviour (or rejecting dupes), while forbidding acceptance of a non-last dupe (eg first key), is safe and allows most JSON libraries to be used. Since this accepts most libraries I think it is practical.

Hence I suggest:

>   A creator of a JOSE message MUST NOT put duplicate names in any JSON

> object in a JOSE header.

>   To prevent attacks where a JOSE message is interpreted as different

> valid messages by different recipients, each recipient MUST either

> reject messages with duplicate names or accept only the last name.

This isn’t “truly predictable” as a message with dupes might be accepted or rejected. The crucial point is that if a message is accepted it is predictable.

--
James Manger

From: Tim Bray [mailto:tbray@textuality.com]
Sent: Thursday, 27 June 2013 4:16 PM
To: Manger, James H
Cc: Mike Jones; Jim Schaad; jose@ietf.org; draft-ietf-jose-json-web-signature@tools.ietf.org
Subject: Re: [jose] #27: member names MUST be unique needs additional text

Well, you have a practical problem in that most implementers will want to use a standard JSON library, which is good practice because it will be well-debugged, and most libraries [sob] silently take care of dupe keys and don’t have a way to tell the client software what happened. So if you want truly predictable behavior, you’re forcing the use of hand-constructed JSON parsers. And that sucks, because getting good performance in JSON parsing is surprisingly hard, with dramatic performance differences between implementations. So you’re forcing receiving software which wants to be conformant to use a hand-rolled parser which will probably have lousy performance and have other bugs which in fact may compromise security more than dupe-key tricks could.  -T

On Wed, Jun 26, 2013 at 10:39 PM, Manger, James H <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>> wrote:
> I think it’s a nice clean minimal solution to say that producers MUST
> NOT generate dupes, end of story.  I don’t think saying anything beyond
> that adds value. -T
Clean and minimal that may be, but it ignores the security issue. We don't want a malicious producer (who is so malicious they ignore a MUST) to create JOSE messages that a JOSE-compliant security layer accepts as "benign interpretation #1" so it passes the message on to the JOSE-compliant backend app that acts on "nasty interpretation #2".

--
James Manger

[jose] #27: member names MUST be unique needs add… jose issue tracker
Re: [jose] #27: member names MUST be unique needs… jose issue tracker
Re: [jose] #27: member names MUST be unique needs… Jim Schaad
Re: [jose] #27: member names MUST be unique needs… Mike Jones
Re: [jose] #27: member names MUST be unique needs… Jim Schaad
Re: [jose] #27: member names MUST be unique needs… Mike Jones
Re: [jose] #27: member names MUST be unique needs… Tim Bray
Re: [jose] #27: member names MUST be unique needs… Manger, James H
Re: [jose] #27: member names MUST be unique needs… Manger, James H
Re: [jose] #27: member names MUST be unique needs… Tim Bray
Re: [jose] #27: member names MUST be unique needs… Manger, James H
Re: [jose] #27: member names MUST be unique needs… Carsten Bormann
Re: [jose] #27: member names MUST be unique needs… Manger, James H
Re: [jose] #27: member names MUST be unique needs… Tim Bray
Re: [jose] #27: member names MUST be unique needs… John Bradley
Re: [jose] #27: member names MUST be unique needs… Mike Jones
Re: [jose] #27: member names MUST be unique needs… Jim Schaad
Re: [jose] #27: member names MUST be unique needs… Jim Schaad
Re: [jose] #27: member names MUST be unique needs… Jim Schaad
Re: [jose] #27: member names MUST be unique needs… Richard Barnes
Re: [jose] #27: member names MUST be unique needs… Richard Barnes
Re: [jose] #27: member names MUST be unique needs… Mike Jones
Re: [jose] #27: member names MUST be unique needs… Mike Jones
Re: [jose] #27: member names MUST be unique needs… Richard Barnes
Re: [jose] #27: member names MUST be unique needs… Mike Jones
Re: [jose] #27: member names MUST be unique needs… jose issue tracker