Re: [OAUTH-WG] More Criticism of JOSE

Mike Jones <Michael.Jones@microsoft.com> Thu, 16 March 2017 19:36 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Antonio Sanso <asanso@adobe.com>
CC: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 16 Mar 2017 19:36:11 +0000
Message-ID: <CY4PR21MB050463E4943A4FF1FECDAF1AF5260@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <mailman.539.1489455092.6649.oauth@ietf.org> <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org> <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com> <CY4PR21MB0504F80C01BF3378DE3794C6F5270@CY4PR21MB0504.namprd21.prod.outlook.com> <78BE56B7-0253-4635-AB46-F724A8536082@adobe.com> <CY4PR21MB0504E2A254D753F8BA3E99CBF5270@CY4PR21MB0504.namprd21.prod.outlook.com>, <1005993A-7250-4752-B5A6-AB718F246AED@adobe.com>
In-Reply-To: <1005993A-7250-4752-B5A6-AB718F246AED@adobe.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6wfcpp-aR2xIHnw3ScdxoisaQ1s>
Subject: Re: [OAUTH-WG] More Criticism of JOSE

It would be great to talk to you at the OAuth security workshop, Antonio.

Cheers,

-- Mike
From: Antonio Sanso<mailto:asanso@adobe.com>
Sent: Thursday, March 16, 2017 1:31 AM
To: Mike Jones<mailto:Michael.Jones@microsoft.com>
Cc: Sergey Beryozkin<mailto:sberyozkin@gmail.com>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] More Criticism of JOSE
hi Mike

On Mar 15, 2017, at 10:06 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Will you be in Chicago, Antonio?  If so, maybe you can sit down with us and work on advice to implementers.

Unluckily not. FWIW I will be at https://zisc.ethz.ch/oauth-security-workshop-2017-cfp/. And I’d be glad to sit down with you and try to help if you are around….

regards

antonio


>
>                                Cheers,
>                                -- Mike
>
> -----Original Message-----
> From: Antonio Sanso [mailto:asanso@adobe.com]
> Sent: Wednesday, March 15, 2017 1:40 PM
> To: Mike Jones <Michael.Jones@microsoft.com>
> Cc: Sergey Beryozkin <sberyozkin@gmail.com>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>
> hi Mike,
>
> While I am the original author of one of the articles mentioned in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html), I do not entirely share the criticism.
> That said, I must really admit that some of the cryptographic choices made, especially in JWE, are really questionable.
>
> regards
>
> antonio
>
> On Mar 15, 2017, at 8:50 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> The bulk of this seems to be about applications that don't verify that the crypto algorithms that were used in a JWT are acceptable in the application context.  While I know that some people would like crypto to be magic pixie dust that you can sprinkle on an application to get crypto goodness, it will never be that simple.  Crypto algorithms that are thought to be good today will be deprecated later.  Apps that keep allowing them to be used will be vulnerable.  The JOSE specs requiring that applications be aware of the algorithms used is a good and necessary thing for long-term security - not a problem with the specs.
>>
>> That said, of course some implementers will get things wrong.  To the extent that we can help them understand what they actually need to do to use the specifications securely, we obviously should.  Perhaps we should write an article for oauth.net talking about some of these issues?  Maybe a few of us can get together in Chicago and work on that.
>>
>> I'm looking forward to seeing many of you in 1.5 weeks!
>>
>>                               -- Mike
>>
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey
>> Beryozkin
>> Sent: Wednesday, March 15, 2017 8:46 AM
>> To: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>>
>> and everyone should now start using the most secure alternative
>> proposed in that very light-on-analysis article :-)
>>
>> Sergey
>> On 15/03/17 15:43, Mike Schwartz wrote:
>>> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>>>
>>> JOSE (Javascript Object Signing and Encryption) is a Bad Standard
>>> That Everyone Should Avoid
>>>
>>> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>>>
>>>
>>> - Mike
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
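As an added example, written for this archive page and not code from the thread, from any of its authors, or from any JOSE library: a minimal stdlib-only JWS verifier in Python that does what Mike's message asks of implementers, namely treat the token's "alg" header as untrusted input and check it against an allow-list the application chose for the verifying key before any cryptography runs. The policy set ALLOWED_ALGS, the signing key, the claims and the tokens minted in the demo are all constructed for the example; make_token takes an "alg" parameter only so the demo can mint a token whose header lies about the algorithm.

```python
"""Added example: a JWS verifier that does not trust the token's "alg" header.

The application decides which algorithms a given verifying key may be used
with; the token header is only allowed to select among those. Everything
below (keys, claims, tokens) is constructed for the example.
"""
import base64
import hashlib
import hmac
import json


class JWTError(Exception):
    """Raised for any token the application must not accept."""


# Hypothetical application policy (an assumption of this example): the only
# algorithm this verifying key is approved for. Chosen by the application,
# never read from the token.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _verify_hs256(key: bytes, signing_input: bytes, signature: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Algorithms this code knows how to verify. "none" is deliberately absent, so
# an unsigned token can never pass no matter what its header claims.
VERIFIERS = {"HS256": _verify_hs256}


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issuer side (JWS Compact Serialization). The alg parameter exists only
    so the demo can mint a token whose header lies; a real issuer fixes it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg == "none":
        sig = b""
    else:
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Verifier side: return the claims, or raise JWTError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
    except ValueError:
        raise JWTError("malformed header")
    if not isinstance(header, dict):
        raise JWTError("malformed header")
    alg = header.get("alg")
    # The header is attacker-controlled until the signature has been checked,
    # so "alg" may only pick an algorithm the application approved for this
    # key, and only one this code actually implements. Both checks happen
    # before any key material is touched.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise JWTError(f"alg {alg!r} is not acceptable for this key")
    if alg not in VERIFIERS:
        raise JWTError(f"alg {alg!r} is allowed by policy but not implemented")
    signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    try:
        signature = _b64url_decode(s_b64)
    except ValueError:
        raise JWTError("malformed signature")
    if not VERIFIERS[alg](key, signing_input, signature):
        raise JWTError("signature verification failed")
    try:
        return json.loads(_b64url_decode(p_b64))
    except ValueError:
        raise JWTError("malformed payload")


if __name__ == "__main__":
    key = b"constructed-example-secret-for-hs256"  # constructed, not a real key
    good = make_token({"sub": "alice", "role": "user"}, key)
    print("good token ->", verify(good, key))
    forged = make_token({"sub": "alice", "role": "admin"}, key, alg="none")
    try:
        verify(forged, key)
    except JWTError as e:
        print("alg=none token ->", e)
```

The point of the split between ALLOWED_ALGS and VERIFIERS is that deprecating an algorithm later is a one-line policy change at the application, exactly the situation Mike describes, while the library's table only says what it can do, not what it should accept.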