From: Antonio Sanso <asanso@adobe.com>
To: Mike Jones <Michael.Jones@microsoft.com>
CC: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 16 Mar 2017 08:31:40 +0000
Message-ID: <1005993A-7250-4752-B5A6-AB718F246AED@adobe.com>
References: <mailman.539.1489455092.6649.oauth@ietf.org>
 <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org>
 <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com>
 <CY4PR21MB0504F80C01BF3378DE3794C6F5270@CY4PR21MB0504.namprd21.prod.outlook.com>
 <78BE56B7-0253-4635-AB46-F724A8536082@adobe.com>
 <CY4PR21MB0504E2A254D753F8BA3E99CBF5270@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB0504E2A254D753F8BA3E99CBF5270@CY4PR21MB0504.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-u2eKUp9k6ARQMpv7nB97nYmX74>
Subject: Re: [OAUTH-WG] More Criticism of JOSE

hi Mike

On Mar 15, 2017, at 10:06 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Will you be in Chicago, Antonio?  If so, maybe you can sit down with us and work on advice to implementers.

Unluckily not. FWIW I will be at https://zisc.ethz.ch/oauth-security-workshop-2017-cfp/. And I'd be glad to sit down with you and try to help if you are around…

regards

antonio


>
> Cheers,
> -- Mike
>
> -----Original Message-----
> From: Antonio Sanso [mailto:asanso@adobe.com]
> Sent: Wednesday, March 15, 2017 1:40 PM
> To: Mike Jones <Michael.Jones@microsoft.com>
> Cc: Sergey Beryozkin <sberyozkin@gmail.com>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>
> hi Mike,
>
> while I am the original author of one of the mentioned articles in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html) I do not share entirely the criticism.
> Said that, I must really admit that some of the cryptographic choices made specially in JWE are really questionable.
>
> regards
>
> antonio
>
> On Mar 15, 2017, at 8:50 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> The bulk of this seems to be about applications that don't verify that the crypto algorithms that were used in a JWT are acceptable in the application context.  While I know that some people would like crypto to be magic pixie dust that you can sprinkle on an application to get crypto goodness, it will never be that simple.  Crypto algorithms that are thought to be good today will be deprecated later.  Apps that keep allowing them to be used will be vulnerable.  The JOSE specs requiring that applications be aware of the algorithms used is a good and necessary thing for long-term security - not a problem with the specs.
>>
>> That said, of course some implementers will get things wrong.  To the extent that we can help them understand what they actually need to do to use the specifications securely, we obviously should.  Perhaps we should write an article for oauth.net talking about some of these issues?  Maybe a few of us can get together in Chicago and work on that.
>>
>> I'm looking forward to seeing many of you in 1.5 weeks!
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
>> Sent: Wednesday, March 15, 2017 8:46 AM
>> To: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>>
>> and everyone should now start using the most secure alternative proposed in that very light in analysis article :-)
>>
>> Sergey
>> On 15/03/17 15:43, Mike Schwartz wrote:
>>> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>>>
>>> JOSE (Javascript Object Signing and Encryption) is a Bad Standard That Everyone Should Avoid
>>>
>>> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>>>
>>>
>>> - Mike
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
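The check Mike describes in the quoted message, that the application itself verifies the algorithm used in a JWT is acceptable in its own context before trusting the token, as an added example that is not part of this thread or of any JOSE library: a minimal HS256 verifier that consults the application's allow-list rather than letting the token's `alg` header decide. The key, the payloads and the helper names (`make_jws`, `verify_jws`, `accepts`) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads its secret from a key store.
KEY = b"example-shared-secret-for-demo-only"
# The application's own allow-list: any other "alg" is rejected before
# signature processing, so the token never gets to choose the algorithm.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jws(payload: dict, alg: str, key: bytes) -> str:
    """Build a compact JWS as test input (only HS256 is actually signed)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jws(token: str, key: bytes, allowed=ALLOWED_ALGS) -> dict:
    """Return the payload only if alg is allow-listed and the HMAC verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h_b64, p_b64, s_b64 = parts
    alg = json.loads(_b64url_decode(h_b64)).get("alg")
    # The header is untrusted input; the application decides what is acceptable.
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} is not acceptable in this application")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(p_b64))


def accepts(token: str, key: bytes, allowed=ALLOWED_ALGS) -> bool:
    """Convenience wrapper: True if verify_jws accepts the token."""
    try:
        verify_jws(token, key, allowed)
        return True
    except ValueError:
        return False
```

Retiring an algorithm later is then a one-line change to `ALLOWED_ALGS`, which is the long-term property Mike's message argues for.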

