Re: [secdir] secdir review of draft-ietf-jose-jws-signing-input-options-06
Mike Jones <Michael.Jones@microsoft.com> Mon, 14 December 2015 07:14 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAE631B2D37; Sun, 13 Dec 2015 23:14:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0_mT3dqIl5r; Sun, 13 Dec 2015 23:14:27 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0130.outbound.protection.outlook.com [207.46.100.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40CBB1B2D35; Sun, 13 Dec 2015 23:14:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ziYkg2CemHGE9BShQlU/1liDkXa+7roqtzQOM1shWgA=; b=CUWiF2z5t0pnHk4fNrERFrTZcp62/DrZF4Fn3KZcyrvwAbTAqkasNfJaideL76hW68HE+js6uDFvCaKzB2HhiJdp3N/AkwSgzgWzBGC2bzvbH8c9nUxr+uCbe8uGecG9u8xvl5Wb+j1wE6367dJpLX/ibQVmerHN3JSxEp7pixE=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB443.namprd03.prod.outlook.com (10.141.141.152) with Microsoft SMTP Server (TLS) id 15.1.355.16; Mon, 14 Dec 2015 07:14:25 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0355.012; Mon, 14 Dec 2015 07:14:25 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: secdir review of draft-ietf-jose-jws-signing-input-options-06
Thread-Index: AQHRND5yABvUUZjq8E6qK5eNiUXF1Z7ILfEwgAAWPYCAAACDMIABi4UAgAAIwQCAAAHY0IAABCuAgAAEbgCAAAVAEIAAC9sAgAAhC4A=
Date: Mon, 14 Dec 2015 07:14:25 +0000
Message-ID: <BY2PR03MB4425AD0A97ABFDBBEA54D69F5ED0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <alpine.GSO.1.10.1512111248420.26829@multics.mit.edu> <BY2PR03MB442A7FF30189B4A39215B74F5EC0@BY2PR03MB442.namprd03.prod.outlook.com> <8C206A9F-8629-4D6C-9EEA-25B71BF586D9@gmail.com> <BY2PR03MB442EC5B63F046735CF13227F5EC0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH6ONNAjmjZ+KvkEnCf28=sqveFc3Rkg4DEVmXqasnmneA@mail.gmail.com> <CAHbuEH4KTL7EKAsPt7fmmD7D0cRdBT_0Pg3t+uVXgGdzm_tGKg@mail.gmail.com> <BY2PR03MB442869845352C5E62CD33F4F5ED0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH5rXhaRP1iZM25E5T+iYCpPtRzjyPPsntW4FYDgfY4isA@mail.gmail.com> <062f01d13625$f3cfb260$db6f1720$@augustcellars.com> <BY2PR03MB442CCF362A8C9E9A1069A92F5ED0@BY2PR03MB442.namprd03.prod.outlook.com> <995E3BF8-EDE9-45C7-AB40-83C167FE8BBA@gmail.com>
In-Reply-To: <995E3BF8-EDE9-45C7-AB40-83C167FE8BBA@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [188.92.133.18]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB443; 5:IAzIqZuYWDBMlB/3eSUjJ1ALlqaY89JupHDLAzbEaLkh2XZ0cqJ2KQx0DqDfoCgGlOxVOxFYSm8XqayxGzmcg0ktiOO+zR6J1/D48e+TBCfBLlB1HXoO+A6+baD71oommcQ/mLXDsqXeHnABX2FpIg==; 24:fP+n8KdgybfmE25iy+eC9m0eeKDrGmOXhZSmOh4Q8Ub4VpLqVkFxZOhV2Mxc0dj5P4vTn2sn7C2acbqSTaTbXe0Aa1hYc1UVhwt/FJVL01s=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB443;
x-microsoft-antispam-prvs: <BY2PR03MB44310AF3516C19EB0AFD4A5F5ED0@BY2PR03MB443.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046)(61426038)(61427038); SRVR:BY2PR03MB443; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB443;
x-forefront-prvs: 0790FB1F33
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(164054003)(53754006)(52604005)(158454003)(51914003)(199003)(24454002)(189002)(377454003)(13464003)(74316001)(93886004)(2950100001)(33656002)(5003600100002)(2900100001)(5003630100001)(5002640100001)(92566002)(102836003)(10090500001)(101416001)(6116002)(77096005)(5008740100001)(5004730100002)(230783001)(3846002)(586003)(10290500002)(66066001)(10400500002)(106116001)(105586002)(1220700001)(99286002)(8990500004)(54356999)(76576001)(11100500001)(5005710100001)(122556002)(40100003)(50986999)(86362001)(19580405001)(97736004)(5001960100002)(81156007)(19580395003)(110136002)(87936001)(189998001)(76176999)(86612001)(1096002)(106356001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB443; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Dec 2015 07:14:25.2127 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB443
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/SLImZoIM9np1bl7Fq0g8bsRVO-E>
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, Jim Schaad <ietf@augustcellars.com>, "draft-ietf-jose-jws-signing-input-options.all@ietf.org" <draft-ietf-jose-jws-signing-input-options.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-jose-jws-signing-input-options-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2015 07:14:29 -0000
Done in -07. -----Original Message----- From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] Sent: Sunday, December 13, 2015 9:16 PM To: Mike Jones <Michael.Jones@microsoft.com> Cc: Jim Schaad <ietf@augustcellars.com>; jose-chairs@tools.ietf.org; Benjamin Kaduk <kaduk@mit.edu>; iesg@ietf.org; secdir@ietf.org; draft-ietf-jose-jws-signing-input-options.all@ietf.org Subject: Re: secdir review of draft-ietf-jose-jws-signing-input-options-06 Sent from my iPhone > On Dec 13, 2015, at 11:34 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: > > Kathleen - do you now concur with Jim that we should leave the Updates clause for 7519 in? Let me know and then I'll post the resolutions to the Gen-Art and Sec-Dir comments. Yes, that's fine. Thanks, Jim. Kathleen > > -- Mike > > -----Original Message----- > From: Jim Schaad [mailto:ietf@augustcellars.com] > Sent: Sunday, December 13, 2015 8:15 PM > To: 'Kathleen Moriarty' <kathleen.moriarty.ietf@gmail.com>; Mike Jones > <Michael.Jones@microsoft.com>; jose-chairs@tools.ietf.org > Cc: 'Benjamin Kaduk' <kaduk@mit.edu>; iesg@ietf.org; secdir@ietf.org; > draft-ietf-jose-jws-signing-input-options.all@ietf.org > Subject: RE: secdir review of > draft-ietf-jose-jws-signing-input-options-06 > > Please note that the write up addresses two different updates. > > 7519 which was in the document and updates JWT with the statement > that says - don't do this > 7515 which would be an update of JWS - however it was determined that updating the registry is sufficient without updating the document itself. > > While I don't know that there is a need to update 7519 - there is not really a strong statement to be made either way, so I did not ask for it to be removed. I was more worried about the question of having an update to 7515 which was not present. Karen and I determined that we probably did not need to have this document updated so there were no changes to be made to the document. > > I would keep the 7519 update since that was seen by the WG. And not put in an update to 7515 since, again, that was what the WG saw. > > Jim > > >> -----Original Message----- >> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] >> Sent: Sunday, December 13, 2015 7:59 PM >> To: Mike Jones <Michael.Jones@microsoft.com>; >> jose-chairs@tools.ietf.org >> Cc: Benjamin Kaduk <kaduk@mit.edu>; iesg@ietf.org; secdir@ietf.org; >> draft- ietf-jose-jws-signing-input-options.all@ietf.org >> Subject: Re: secdir review of >> draft-ietf-jose-jws-signing-input-options-06 >> >> Jim & Karen, >> >> I see the updates in the last 2 versions in both the header and >> abstract, prior to when the shepherd report was posted. I see in the >> shepherd report that you do not agree that this draft updates RFC7519. >> Is there a reason this change was not already made to the draft? >> Please confirm that removing this is the right action, it seems to be >> from your shepherd report reasoning. >> >> Best regards, >> Kathleen >> >> On Sun, Dec 13, 2015 at 10:50 PM, Mike Jones >> <Michael.Jones@microsoft.com> >> wrote: >>> To confirm, you want me to remove the Updates 7519 clause, and the >>> second >> paragraph of the abstract, which says: >>> >>> This specification updates RFC 7519 by prohibiting the use of the >>> unencoded payload option in JSON Web Tokens (JWTs). >>> >>> Correct? I'll do that then shortly. >>> >>> Thanks, >>> -- Mike >>> >>> -----Original Message----- >>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] >>> Sent: Sunday, December 13, 2015 7:37 PM >>> To: Mike Jones <Michael.Jones@microsoft.com> >>> Cc: Benjamin Kaduk <kaduk@mit.edu>; iesg@ietf.org; secdir@ietf.org; >>> draft-ietf-jose-jws-signing-input-options.all@ietf.org >>> Subject: Re: secdir review of >>> draft-ietf-jose-jws-signing-input-options-06 >>> >>> Mike, >>> >>> Sorry, I take that back. The chairs make a good point in the shepherd writeup. >> This really doesn't update 7519, so it should not say that in the abstract. >>> >>> Thanks. >>> >>> On Sun, Dec 13, 2015 at 10:05 PM, Kathleen Moriarty >> <kathleen.moriarty.ietf@gmail.com> wrote: >>>> Mike, >>>> >>>> Please do add that to the abstract and post as soon as you can with >>>> all updates from last call received so far and agreed upon. >>>> >>>> Thanks, >>>> Kathleen >>>> >>>> On Sat, Dec 12, 2015 at 10:30 PM, Mike Jones >>>> <Michael.Jones@microsoft.com> wrote: >>>>> Sounds good. Thanks, Kathleen. >>>>> >>>>> -- Mike >>>>> >>>>> -----Original Message----- >>>>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] >>>>> Sent: Saturday, December 12, 2015 7:28 PM >>>>> To: Mike Jones <Michael.Jones@microsoft.com> >>>>> Cc: Benjamin Kaduk <kaduk@MIT.EDU>; iesg@ietf.org; >>>>> secdir@ietf.org; >>>>> draft-ietf-jose-jws-signing-input-options.all@ietf.org >>>>> Subject: Re: secdir review of >>>>> draft-ietf-jose-jws-signing-input-options-06 >>>>> >>>>> >>>>> >>>>> Sent from my iPhone >>>>> >>>>>> On Dec 12, 2015, at 9:33 PM, Mike Jones >>>>>> <Michael.Jones@microsoft.com> >> wrote: >>>>>> >>>>>> Hi Ben, >>>>>> >>>>>> Thanks for the useful review. Replies are inline below... >>>>>> >>>>>>> -----Original Message----- >>>>>>> From: Benjamin Kaduk [mailto:kaduk@MIT.EDU] >>>>>>> Sent: Friday, December 11, 2015 10:05 AM >>>>>>> To: iesg@ietf.org; secdir@ietf.org; >>>>>>> draft-ietf-jose-jws-signing-input- >>>>>>> options.all@ietf.org >>>>>>> Subject: secdir review of >>>>>>> draft-ietf-jose-jws-signing-input-options-06 >>>>>>> >>>>>>> Hi all, >>>>>>> >>>>>>> I have reviewed this document as part of the security >>>>>>> directorate's ongoing effort to review all IETF documents being >>>>>>> processed by the IESG. These comments were written primarily >>>>>>> for the benefit of the security area directors. Document >>>>>>> editors and WG chairs should treat these comments just like any >>>>>>> other last call >> comments. >>>>>>> >>>>>>> This document is Ready. >>>>>>> >>>>>>> The main JWS spec (RFC 7515) required that the signed payload >>>>>>> was base64url-encoded prior to signing. This results in a >>>>>>> noticeable size expansion; in some circumstances it is desirable >>>>>>> to avoid this expansion and reencoding. I did not follow the >>>>>>> JWS document closely at the time, but I believe this issue was >>>>>>> raised at the time and consensus reached on the published >>>>>>> version because it is always >> safe for applications to use. >>>>>>> This document provides an opt-in mechanism for application >>>>>>> (protocol)s to avoid the extra encoding and expansion, leaving >>>>>>> the burden on the application to determine whether it is safe to >>>>>>> do so and perform the relevant input checking/sanitization. The >>>>>>> security considerations correctly describe the implications of >>>>>>> the loss of encoding and the restrictions on the signed content >>>>>>> when detached payloads are not used, interoperability concerns >>>>>>> for applications not supporting the b64 header parameter, and >>>>>>> proposes >> appropriate countermeasures. >>>>>> >>>>>> Thanks for letting us know that the security considerations were >>>>>> clear= >
- [secdir] secdir review of draft-ietf-jose-jws-sig… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Jim Schaad
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones