Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Tim Bray <tbray@textuality.com> Tue, 16 September 2014 15:47 UTC

Return-Path: <tbray@textuality.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 877321A0B7B for <secdir@ietfa.amsl.com>; Tue, 16 Sep 2014 08:47:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JOjSHwUA5X09 for <secdir@ietfa.amsl.com>; Tue, 16 Sep 2014 08:47:54 -0700 (PDT)
Received: from mail-vc0-f173.google.com (mail-vc0-f173.google.com [209.85.220.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 297631A0B06 for <secdir@ietf.org>; Tue, 16 Sep 2014 08:47:54 -0700 (PDT)
Received: by mail-vc0-f173.google.com with SMTP id le20so35138vcb.32 for <secdir@ietf.org>; Tue, 16 Sep 2014 08:47:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=evPn7b9Wxh4eUG4x4s7bgbkHiBwU/vlVzDrMF6u4ahc=; b=Da6VEZrUCDnp6A0TOLZLlViXV2DZ8sOuySL0CwLgcBX7CvLPk3bcctuVRVH2+mrrIH NEqqFrEjfXGst4OI95AgJ9oxJG0QNR/fOJXGJtEOeJsqsXBd4acj9kwE73/6985sRSge Mzwmzk9nrKUazkSh9/yRhQEPa1NufLkC2hjHDZL6IQAo2zhncZmh+HHE6YIArYsFcvLz vA5zjKDn6zkAa1axztEPrFJcRiK5YoQL+VPb1BK5jSPQwi0neaEnKCDrUtmEKXUm6Ii9 x/HU0OkhFuv4fZQeJB/FQ5TwicCTdxD3udQCRuNswsw1SgxjeuLyWrRKhqHJ2KYE5JWx Qvrg==
X-Gm-Message-State: ALoCoQkTi1dF9YVgg0LQWhGyET2hASeJlzYwXiMPZ2Pw/a1nN7P8dPbfG/y6Y2ASzxJAGR9TjxZX
X-Received: by 10.220.2.133 with SMTP id 5mr21383448vcj.48.1410882473188; Tue, 16 Sep 2014 08:47:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.214.4 with HTTP; Tue, 16 Sep 2014 08:47:32 -0700 (PDT)
X-Originating-IP: [24.84.235.32]
In-Reply-To: <54184DB4.2050708@bbn.com>
References: <CAHbuEH4Ccn2Z=8kEECzvgjmtshwsFoa-EH_NpkJPos7zirGeaQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AEC00DB@TK5EX14MBXC292.redmond.corp.microsoft.com> <5416FE10.3060608@bbn.com> <CAHBU6iu3GfsLCAint3z7risZUnVW4EK0WrGVW6Dv=gvppiHSxQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECCCDD@TK5EX14MBXC292.redmond.corp.microsoft.com> <54173546.5000400@bbn.com> <CAHBU6ivb3BeEufcnJB+eSk8wgETMx+qzH3miE6Z1jtrQkXNR3w@mail.gmail.com> <54184DB4.2050708@bbn.com>
From: Tim Bray <tbray@textuality.com>
Date: Tue, 16 Sep 2014 08:47:32 -0700
Message-ID: <CAHBU6ivBgYjMGAXu6g8rAhb=WJt5t2KFUnRKzD89qUOOJSGgJQ@mail.gmail.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary=001a11c3dbe4a2b6ec050330ac20
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/CNyxeh3HkaiB6OLxS1LE8-e0RFw
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Sep 2014 15:47:56 -0000

On Tue, Sep 16, 2014 at 7:48 AM, Stephen Kent <kent@bbn.com> wrote:

Thanks for the clarifying comments. I am still a bit puzzled, though. I
> thought JWK was
> a proposal to establish JSON formats for key transport. Are you saying
> that the formats we are
> about to standardize have been in use in JSON for a while and that's why
> parsers are not
> prepared to reject dupe keys?  Or is this a lower layer, JS issue re
> partsing?
>

​I’m not clear on the history, but I have heard that dupe keys are
sometimes generated by software that’s producing output on a streaming
basis, that can’t afford to keep track of every key it’s already generated.
 It is also my impression that for essentially all software that receives
and parses JSON, dupe keys are useless and perhaps damaging, since JSON
objects are invariably stuffed into hash-table-flavored things that don’t
support dupe keys.

It’s just that in the JOSE context, there is (justified) concern​ that
there are attack vectors based on the use of dupe keys.  Everyone agrees (I
think) that it would be desirable for such messages to be rejected.  It’s
just that current production software doesn’t make this easy.



>
> Steve
>



-- 
- Tim Bray (If you’d like to send me a private message, see
https://keybase.io/timbray)