IETF Logo Mail Archive

Re: [OAUTH-WG] My review of draft-ietf-oauth-json-web-token-11

Mike Jones <Michael.Jones@microsoft.com> Mon, 03 March 2014 22:23 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C53E41A01FA for <oauth@ietfa.amsl.com>; Mon, 3 Mar 2014 14:23:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G1Kx38RHiQgA for <oauth@ietfa.amsl.com>; Mon, 3 Mar 2014 14:23:29 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0183.outbound.protection.outlook.com [207.46.163.183]) by ietfa.amsl.com (Postfix) with ESMTP id F3CA61A01E8 for <oauth@ietf.org>; Mon, 3 Mar 2014 14:23:28 -0800 (PST)
Received: from BL2PR03CA017.namprd03.prod.outlook.com (10.141.66.25) by BL2PR03MB114.namprd03.prod.outlook.com (10.255.230.14) with Microsoft SMTP Server (TLS) id 15.0.888.9; Mon, 3 Mar 2014 22:23:24 +0000
Received: from BY2FFO11FD033.protection.gbl (2a01:111:f400:7c0c::134) by BL2PR03CA017.outlook.office365.com (2a01:111:e400:c1b::25) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:23:25 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD033.mail.protection.outlook.com (10.1.14.218) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:23:24 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.03.0158.001; Mon, 3 Mar 2014 22:22:45 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: oauth mailing list <oauth@ietf.org>
Thread-Topic: My review of draft-ietf-oauth-json-web-token-11
Thread-Index: Ac6vjw+PfFfBOYKFQc62YXcVMPsr5SHc/7fg
Date: Mon, 03 Mar 2014 22:22:45 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0A956A@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA347D1@USCHMBX001.nsn-intra.net>
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA347D1@USCHMBX001.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0A956ATK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(199002)(189002)(53754006)(43784003)(13464003)(377454003)(54356001)(83322001)(19580405001)(19580395003)(95666003)(56776001)(85806002)(76796001)(77096001)(90146001)(74876001)(74706001)(85852003)(86612001)(76482001)(55846006)(94946001)(81686001)(44976005)(76786001)(54316002)(2656002)(512954002)(87936001)(15202345003)(80976001)(80022001)(19300405004)(95416001)(83072002)(6806004)(33656001)(74502001)(66066001)(56816005)(85306002)(65816001)(87266001)(92726001)(47446002)(63696002)(16236675002)(31966008)(74662001)(77982001)(59766001)(79102001)(4396001)(81542001)(47736001)(49866001)(15975445006)(74366001)(93516002)(93136001)(81342001)(20776003)(92566001)(84326002)(46102001)(53806001)(51856001)(94316002)(71186001)(69226001)(86362001)(47976001)(50986001); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB114; H:mail.microsoft.com; CLIP:131.107.125.37; FPR:EC71FDE6.96EAD550.BFD3F14B.8EE8D242.207BA; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0139052FDB
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Vlp4YHRsF-cuZr5D4bcmzxRkdUE
Subject: Re: [OAUTH-WG] My review of draft-ietf-oauth-json-web-token-11
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 22:23:36 -0000

Hi Hannes,



My replies to your comments follow in-line.  Thanks again for writing these up.



                                                            -- Mike



-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo)
Sent: Thursday, September 12, 2013 1:07 AM
To: oauth mailing list
Subject: [OAUTH-WG] My review of draft-ietf-oauth-json-web-token-11



Hi Mike, Hi all,



As part of preparing the shepherd write-up I have read the draft and here are a few comments.



In general, the draft looks good. The comments are fairly minor.



1. Section 4: JWT Claims



In the first paragraph you write:

"

The Claim Names within a JWT Claims Set MUST be unique; recipients MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name "



I think what you want to write here is that the sender of a JWT must ensure that the claims are unique. If a JWT is, however, received with non-unique claims then some decision must be taken. You list two choices and I am wondering why not just have one. Let's just reject the JWT if that happens to ensure consistent behavior.



This was extensively discussed within JOSE and the language used is the same.  Ideally, yes, we'd reject duplicate names, but both the old and new JSON specs allow duplication, so if we're to use existing deployed parsers, that isn't really a practical option.  (We used to require rejection of duplicate names, but objections were raised to that.)



I believe it might be good to clarify that unique here means that claims may appear more than once in a JWT but you are concerned about having two claims that actually have a different semantic. Correct?



No, the issue is that either parsers will only return one (they will overwrite each other) or duplicates will cause a parsing error.  Therefore, for things to always work regardless of parser, producers can't include any duplicates.



You write: "However, in the absence of such requirements, all claims that are not understood by implementations SHOULD be ignored."



The 'SHOULD' is not good enough here. Either you ignore claims that you don't understand or you do something else. Since there does not seem to be a way to declare claims as "critical" to understand I suggest to turn this into a MUST.



Agreed.  I made this change in -18.



With every claim you add "Use of this claim is OPTIONAL.". I would suggest to move that sentence to the front and avoid repeating it with every claim. In fact you have that necessary sentence currently in Section 4.1 "None of the claims defined below are intended to be mandatory to use, but rather, provide a starting point for a set of useful, interoperable claims."



For what it's worth, Jim Schaad had requested the opposite - that the "OPTIONAL" statements be on a per-name basis - so each definition could be easily read in isolation.



Since you describe the "use" there is obviously the question about the "implementation". So, what claims in this document are mandatory to implement? All? None?



None.  It's up to the application what claims are MTI for its use case.  I added text clarifying this.



Claim Types: You distinguish between three types of claims, namely Reserved Claim Names, Public Claim Names, and Private Claim Names.



- Reserved claims are those that are registered with IANA.

 - Public Claims are (interestingly enough) also registered via IANA or use a Collision Resistant Namespace.

 - Private Claims are those that may produce collisions



Clear I would suggest to change the definition of a public claim. Let's just call the claims that are registered via IANA reserved claims.



"Reserved" was changed to "registered", both here and in JOSE, as a result of review comments from both working groups.



I also wonder why we need private claims at all when it is so easy to construct public claims?



In practice, people will use unregistered names in some contexts.  (There was a 1/2 hour presentation in AppsAWG today about this very thing!)  Given we really can't prevent this and it will happen, it's better to clearly describe the downsides and alternatives than to pretend that private names won't be used.  At least this way, people will have been warned about the consequences of their choices.



Section 4.1.1: "iss" (Issuer) Claim



You write:

"

The iss (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific.

"



Would it be useful to say what people use this claim for. It might also be useful to indicate that this value cannot be relied on for any trust or access control decisions without proper cryptographic assurance. I can already see people who base their security decisions on this value without any relationship to the actual crypto of the JWT. So, one might wonder what the relationship of the crypto and the iss claim is.



I added language about making trust decisions in the Security Considerations section.  Did you have particular language in mind about what the claim is used for, beyond stating that it identifies the issuer?



Section 4.1.3: "aud" (Audience) Claim



You write:

"

The aud (audience) claim identifies the audiences that the JWT is intended for.

"



That's not a good description. You could instead write: "The aud (audience) claim identifies the recipient the JWT is intended for."



Agreed - done.



You write:

"

In the special case when the JWT has one audience, the aud value MAY be a single case sensitive string containing a StringOrURI value.

"



Shouldn't this read:

"

In the special case when the JWT has one audience, the aud value is a single case sensitive string containing a StringOrURI value.

"



No - because either "aud":"foo" or "aud":["foo"] are legal and mean the same thing.



Section 4.1.8. "typ" (Type) Claim



You write:

"

The typ (type) claim MAY be used to declare a type for the contents of this JWT Claims Set in an application-specific manner in contexts where this is useful to the application. The typ value is a case sensitive string. Use of this claim is OPTIONAL.



The values used for the typ claim come from the same value space as the typ header parameter, with the same rules applying.

"



I believe the first sentence should say: "The typ (type) claim is used to declare a type for the contents of this JWT Claims Set ....". I don't understand what the "MAY" here was supposed to indicate since if it does not declare the type of the claims then what else does it do?



Why is the typ claim actually there when there is already the same claim in the header?



The "typ" claim was removed as part of the JOSE change to use MIME type names for "typ" and "cty" header parameter values.


Section 5.1. "typ" (Type) Header Parameter



You write:

"

The typ (type) header parameter MAY be used to declare the type of this JWT in an application-specific manner in contexts where this is useful to the application. This parameter has no effect upon the JWT processing. If present, it is RECOMMENDED that its value be either JWT or urn:ietf:params:oauth:token-type:jwt to indicate that this object is a JWT.

"



Here again I would write: " The typ (type) header parameter is used to declare the type of this JWT in an application-specific manner in contexts where this is useful to the application."



Why doesn't this value have any impact on the processing? It appears to be useless? Would it be good to mandate that it is set to JWT or urn:ietf:params:oauth:token-type:jwt when the content is a JWT? Why do you leave two options for what the value is set to? Why would anyone use the longer string?



The URN value was removed as part of the JOSE change to use MIME type names for "typ" and "cty" header parameter values.



Section 5.2. "cty" (Content Type) Header Parameter



What is the relationship between cty and typ?



As described in the JOSE specs that define them, "typ" is the type of the entire object, whereas "cty" is the type of the message contained in the JWS or JWE.  Both are now MIME type values.  "cty" is used by JWTs in the specific way specified whereas "typ" can be used as needed by applications using JWTs.



Section 5.3. Replicating Claims as Header Parameters



I am not sure why you would want to have encryption of the claims and then again include them in cleartext. That would defeat the purpose of encryption. Then, you could as well just provide them in cleartext (only signed, for example).



Putting the sub value into the header does not seem to be a good idea since this may be personal data.



This showed up in a use case that Dick Hardt had, in which case he wanted to route the contents of the JWT to the recipient without being able to read the contents of the JWT itself.  In his case, there was an intermediary handling the JWT that did not have the decryption key.



It's application-specific whether the audience is private information or not.



Putting these fields into the header in general does not strike me as a good idea since you loose the ability to sign these values. They will be exposed to all security threats since they cannot be protected. Why not use a nested JWT instead?



They are still integrity-protected, because JWE uses only authenticated encryption.  They are protected from tampering or alteration.



The 'SHOULD' in this sentence particularly makes me nervous: "If such replicated Claims are present, the application receiving them SHOULD verify that their values are identical." This essentially means that if you have protected claims and someone adds unprotected stuff into the header it may mean that an application would accept that. Not a good idea!



Per the above, you can't add stuff, because of the authenticated encryption used.



Section 6 Plaintext JWTs



Why do we want plaintext JWTs? I thought that the threat analysis concluded that sending this stuff of information around without any security protection is a bad idea.



The JWT can either be cryptographically protected by a signature and/or encryption in the JWT itself or by signature and/or encryption of a data structure in which the JWT is conveyed.  For instance, if it is returned from an OAuth Token Endpoint, it is integrity protected by the channel's use of TLS and so may not need to be signed and/or encrypted in some application contexts.  OpenID Connect uses this capability in several places, for instance, as does Phil Hunt's OAuth Authentication draft.



Section 7. Rules for Creating and Validating a JWT



I am curious why this section is so extensive given that we are essentially just applying JWS and JWE here. Wouldn't a pointer to the JWS/JWE spec be sufficient?



It's longer because the JWT adds two things:  First, the contents can be either a JWS or JWE, and so there's logic described for the slightly different actions taken in the two cases.  Second, the JWT can be nested, so the logic for nesting and detecting nested JWTs is defined.  It *does* just rely on JWS and JWE for the creation and verification aspects of the JWS and JWE aspects of JWTs.



That said, I did remove a step that was actually a pure duplication of a corresponding JWS/JWE step.



Ciao

Hannes













_______________________________________________

OAuth mailing list

OAuth@ietf.org

https://www.ietf.org/mailman/listinfo/oauth

v2.31.3 | Report a Bug | By Email | System Status