Re: [secdir] SecDir review of draft-ietf-jose-cookbook-06

⌘ Matt Miller <> Tue, 02 December 2014 22:02 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8B0801A7002; Tue, 2 Dec 2014 14:02:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.211
X-Spam-Status: No, score=-14.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0MXFy9JbZRDY; Tue, 2 Dec 2014 14:02:42 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1E17E1A1BC4; Tue, 2 Dec 2014 14:02:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=7183; q=dns/txt; s=iport; t=1417557762; x=1418767362; h=message-id:date:from:mime-version:to:subject:references: in-reply-to:content-transfer-encoding; bh=iHMc3G24EV9q30nQtrL/Gm5S9Ln+OOBKP8QeLUP6XAs=; b=OmNfTxLW2Opx/xfeHO+Mn2XrLoGTTnljjpfqaYGCFafulT0dOS2PkPaM lnapTsSz1ZoInKaJ2mM5mZEpDcMckJCLINrV/oRElsUsOYRuEKksYph6m W2iTCjDtCaVDTLiGSltl2umSRRrJ49MPsHOg8GG5yDCV1ugkv5/TyRym4 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.07,503,1413244800"; d="scan'208";a="377078549"
Received: from ([]) by with ESMTP; 02 Dec 2014 22:02:20 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id sB2M2KXq013140 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 2 Dec 2014 22:02:20 GMT
Received: from [] ( by ( with Microsoft SMTP Server (TLS) id; Tue, 2 Dec 2014 16:02:19 -0600
Message-ID: <>
Date: Tue, 2 Dec 2014 15:02:21 -0700
From: =?UTF-8?B?4oyYIE1hdHQgTWlsbGVy?= <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Yaron Sheffer <>, IETF Security Directorate <>, The IESG <>, <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Originating-IP: []
Subject: Re: [secdir] SecDir review of draft-ietf-jose-cookbook-06
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Dec 2014 22:02:48 -0000

Hash: SHA512

Hello Yaron,

Thank you very much for the review.  My other comments are inline.

On 11/22/14, 12:39 PM, Yaron Sheffer wrote:
> I have reviewed this document as part of the security
> directorate's ongoing effort to review all IETF documents being
> processed by the IESG. These comments were written primarily for
> the benefit of the security area directors.  Document editors and
> WG chairs should treat these comments just like any other last call
> comments.
> This document contains a large set of examples of JOSE objects:
> JWK, JWS and JWE. The document is purely informational, though in
> "real life", I would expect developers to use it as an
> authoritative source.
> Summary
> The document is ready to be published, with some issues.
> By the way, I really appreciate the large effort that surely went
> into creating this document.

Thank you!  It's always great to hear one's efforts are appreciated!

> Details
> • Unless I missed it, the document does not mention a machine
> readable repository of these examples, which I am sure the author
> has created while writing the draft. Making such a repository
> publicly available would result in a much more useful resource than
> the current document, which essentially requires testers to scrape
> the document when creating their test cases.

You did not miss it; I don't have a such a repository right now, but I
can put one together.  Would something on be acceptable, or
is there a better suggestion?

> • (Not a comment to the current document:) I wonder why there is
> nothing explicit to distinguish a public key from a private key,
> and they are only distinguished by the presence or absence of
> several parameters, something that will not be natural to most
> developers. PEM is doing it very well: "-----BEGIN RSA PRIVATE
> KEY-----".
> • 3.4: the text is contradictory re: zero-padding of the value "d".
> Is it using the minimum number of octets, or exactly 256 octets
> (for a 2048-bit key)?

The intent is that "d" is not zero-padded, and I overqualified in my
text.  Would the following be acceptable?

   For a 2048-bit key, the field "n" is 256 octets in length when
   decoded and the field "d" is not longer than 256 octets in
   length when decoded.

> • Why invent a new term "octet key", for a simple "symmetric key"?

Very good point.  Will fix in the next revision.

> • 4.2: the first sentence discusses PS256, the actual example is
> PS384.

Silly error that I thought I fixed long ago /-:

Will fix in the next revision.

> • 4.7: "only the JSON serialization" - please clarify which of the
> three serializations is meant. Ditto top of 4.8.

Will fix in the next revision.

> • 5.1.1: since this is a "cookbook", we should be using the public
> key, not the private key. A private key would only be used in rare
> cases. Similarly 5.2.1.

The private keys are included for both reproduction (which only needs
the public key) and verification (which necessitates the private key).

If I can put an online repository together, I can change the examples
to just include the public keys; otherwise would the following in 5.1
(and 5.2) be sufficient?

   Note that only the RSA public key is necessary to perform the
   encryption.  However, the example includes the RSA private key to
   allow readers to validate the example's output.

> • 5.3.1: the "plaintext content" is a list of keys, which is
> either confusing to the reader, or an actual error in the
> document.

It is not in error.  The most common usecase for password-based
encryption was the import and export of key sets, and the Working
Group desired a thorough example.

Would it help if the following is added to 5.3?

   A common use of password-based encryption is the import/export of
   keys.  Therefore this example uses a JWK Set for the plaintext
   content instead of the plaintext from figure 72.

> • 5.3.5: In the General Serialization version, I don't understand
> why only the encrypted key is per-recipient. I would expect the
> PBES2 parameters too (e.g., the salt)  to be per-recipient.
> Presumably each of them is using a different password, and there's
> no reason to use a common salt. Similarly in 5.4.5.

For compatibility across serializations (compact, general JSON,
flattened JSON), all of the parameters need to be in the JWE Protected
Header.  In the general serialization, that means only the
"encrypted_key" field is present for the (presumably) sole recipient.

Would it be acceptable if the following were added to 5.3?

   Note that if password-based encryption is used for multiple
   recipients, it is expected that each recipient use different
   values for the PBES2 parameters "p2s" and "p2c".

> • 5.7: same as above, it makes sense for the per-recipient key to
> have an ID, rather than the content encryption key (typically an
> ephemeral key). And then that ID should be in the per-recipient
> data in 5.7.5. And similarly for 5.8. The later Sec. 5.13 shows a
> syntax for multiple recipients that's inconsistent with the
> single-recipient case, which would make sense if we got rid of the
> array.

For compatibility across serializations (compact, general JSON,
flattened JSON), all of the parameters need to be in the JWE Protected
Header.  Also, the mixing of "recipients" and "encrypted_key"/"header"
in the top-level object is not permitted for the general serialization.

> • 5.11: this example seems strange to me - why would anybody NOT
> want to integrity-protect the key ID and algorithm? I would prefer
> a more realistic example, or failing that, a recommendation to
> developers to avoid this practice. Similarly 5.12, which is an even
> worse idea.

Integrity protection was thoroughly discussed in the JOSE WG.  While
there are some limited attacks possible when some parameters are
unprotected, the WG felt there were enough use cases where these
attacks are mitigated through other means that integrity protection of
the part of all of the header is not always required.

> Thanks, Yaron
> _______________________________________________ secdir mailing
> list 
> wiki:

And thanks again for the thorough review.

- -- 
- - m&m

Matt Miller < >
Cisco Systems, Inc.
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools -