Re: [OAUTH-WG] [EXTERNAL] Re: WGLC for JWK Thumbprint URI document

Mike Jones <Michael.Jones@microsoft.com> Fri, 04 February 2022 15:30 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8-pI9IEnysplJfBWi5Y7yd_ARXA>

Neil, thanks for your review.  First, you wrote:

> Using a (hash of a) public key as an identifier is an idea that has historically been subject to various attacks such as unknown key share attacks, as well as issues due to malleable signature schemes or key exchange schemes - where the same proof of identity is valid under many public keys. The security considerations should mention these issues, and potentially suggest countermeasures (e.g. including the full public key JWK in the input to be signed etc).

I’m not all that familiar with the attacks you’re referencing.  Is there a write-up on them that you could refer me and the other working group members to so we can better understand them?  And ideally, could you write up a paragraph or two on them that you’d like us to include in the Security Considerations?

Second, you asked that the hash algorithm be made explicit, as did Vladimir.  I’ll consult with Kristina on that today and respond to that suggestion in a subsequent message.

                                                       Thanks again,
                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Vladimir Dzhuvinov
Sent: Thursday, February 3, 2022 11:00 PM
To: oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] WGLC for JWK Thumbprint URI document


The original JWK thumbprint RFC 7638 essentially describes the method for composing the hash input from a JWK and that the output is base64url encoded. SHA-256 is mentioned, but there is no default implied hash function. This leaves it to applications / other specs to determine.

https://www.rfc-editor.org/rfc/rfc7638.html#section-3.4

The URN gives us now a natural possibility to encode the hash function alongside the fact that it's a JWK thumbprint, so let's include it. This will make things more explicit and self-contained.

What do the authors think about this possibility?

~Vladimir

Vladimir Dzhuvinov
On 04/02/2022 01:47, Neil Madden wrote:
The draft doesn’t specify which hash function is being used. I assume it is SHA-256, but it should either say that is the only algorithm allowed or perhaps encode the hash algorithm into the URI. Otherwise the value is ambiguous.

Using a (hash of a) public key as an identifier is an idea that has historically been subject to various attacks such as unknown key share attacks, as well as issues due to malleable signature schemes or key exchange schemes - where the same proof of identity is valid under many public keys. The security considerations should mention these issues, and potentially suggest countermeasures (e.g. including the full public key JWK in the input to be signed etc).

— Neil


On 2 Feb 2022, at 12:19, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:

All,

The JWK Thumbprint URI document is a simple and straightforward specification.

This is a WG Last Call for this document:
https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-00.html

Please, provide your feedback on the mailing list by Feb 16th.

Regards,
 Rifaat & Hannes


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
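
Added example, not part of the thread or of the draft under discussion: the ambiguity Neil and Vladimir describe, shown by computing an RFC 7638 thumbprint of one key under two hash functions and by a verifier that refuses any URI that does not name an allowed hash. The URI layout `urn:ietf:params:oauth:jwk-thumbprint:<hash-name>:<thumbprint>`, the hash allow-list, the function names and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Required members per key type (RFC 7638 section 3.2; OKP from RFC 8037).
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"),
            "oct": ("k", "kty"), "OKP": ("crv", "kty", "x")}
# Hash names accepted in the URI, mapped to hashlib names (assumed allow-list).
HASHES = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}
PREFIX = "urn:ietf:params:oauth:jwk-thumbprint:"  # assumed URI prefix


def thumbprint(jwk, hash_name="sha-256"):
    """RFC 7638 thumbprint: hash of the canonical JSON of required members."""
    members = REQUIRED[jwk["kty"]]
    # Only required members, sorted lexicographically, no whitespace.
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.new(HASHES[hash_name], canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def thumbprint_uri(jwk, hash_name="sha-256"):
    """Build a URI that carries the hash name next to the thumbprint."""
    return f"{PREFIX}{hash_name}:{thumbprint(jwk, hash_name)}"


def uri_matches_key(uri, jwk):
    """True only if the URI names an allowed hash and matches this key."""
    if not uri.startswith(PREFIX):
        return False
    hash_name, sep, value = uri[len(PREFIX):].partition(":")
    if not sep or hash_name not in HASHES:
        return False  # unknown or missing hash name: reject, never guess
    expected = thumbprint(jwk, hash_name).encode("ascii")
    return hmac.compare_digest(value.encode("utf-8"), expected)


# Constructed sample key (not a real key; coordinates are placeholder strings).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "ignored",
              "x": "Zm9vLXgtY29vcmRpbmF0ZQ", "y": "YmFyLXktY29vcmRpbmF0ZQ"}

if __name__ == "__main__":
    print(thumbprint_uri(SAMPLE_JWK, "sha-256"))
    print(thumbprint_uri(SAMPLE_JWK, "sha-512"))
```

The two printed URIs identify the same key but carry different values, which is why a bare thumbprint with no hash name cannot be compared reliably between implementations.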