Re: [secdir] SecDir review of draft-ietf-jose-cookbook-06

Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 09 December 2014 20:40 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A734E1A017C; Tue, 9 Dec 2014 12:40:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SwNLhHafTrsg; Tue, 9 Dec 2014 12:40:07 -0800 (PST)
Received: from mail-wg0-x22a.google.com (mail-wg0-x22a.google.com [IPv6:2a00:1450:400c:c00::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3897F1A017A; Tue, 9 Dec 2014 12:40:07 -0800 (PST)
Received: by mail-wg0-f42.google.com with SMTP id z12so1922468wgg.15 for <multiple recipients>; Tue, 09 Dec 2014 12:40:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=ViWZdHn0Z6fMGb9+kC2rivumj9pCS7TJUV2j0aA61J4=; b=AKCqmMBFCbbKcWYY8+K+ikY1i5gHG9esZOwloBbLdAwujuQUAKhVZtGpJSOOdKG9vZ 19AnV6O9V1tLr6AAx1euIkzGNSKrXIVHQXSgfPfIY5eeLY6RFAOaZHv0J908Y0SAnaJu Ygh5Ik1KOfT2DP0fx1yQPgKqCSf/oNfiB7kYZq0LJ1t8qx8YGLU7NRFVxvNonro1wPsB LbQrQihb2rWuzTMAC+D9Ube6N3FO08NYUpZcsZUvwHllzlRJKP/xAM6N0fnRMRfjDeBH THznsZF2RSeMC9Nc94Jeg5PVQ8b37W5VUQ0lMoAc9HoTkb/VnDb/4sbU6A1T1YWT05X8 BMIQ==
X-Received: by 10.180.82.170 with SMTP id j10mr425597wiy.35.1418157605833; Tue, 09 Dec 2014 12:40:05 -0800 (PST)
Received: from [10.0.0.9] (bzq-79-176-33-71.red.bezeqint.net. [79.176.33.71]) by mx.google.com with ESMTPSA id u9sm3180410wjy.37.2014.12.09.12.40.04 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Dec 2014 12:40:04 -0800 (PST)
Message-ID: <54875E23.9080207@gmail.com>
Date: Tue, 09 Dec 2014 22:40:03 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: =?UTF-8?B?4oyYIE1hdHQgTWlsbGVy?= <mamille2@cisco.com>, IETF Security Directorate <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-jose-cookbook.all@tools.ietf.org
References: <5470E68D.3040204@gmail.com> <547E36ED.1020205@cisco.com> <5480CD20.6080300@gmail.com> <548740F1.4010607@cisco.com>
In-Reply-To: <548740F1.4010607@cisco.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/SlgfSa3qpttFmiavl5DaaeXzPoA
Subject: Re: [secdir] SecDir review of draft-ietf-jose-cookbook-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Dec 2014 20:40:09 -0000

Hi Matt,

Yes, I believe it does. I will respond to Jim's mail separately.

Thanks,
	Yaron

On 12/09/2014 08:35 PM, ⌘ Matt Miller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hello Yaron,
>
> I believe < https://tools.ietf.org/html/draft-ietf-jose-cookbook-07 >
> addresses most of your comments; the exceptions being those points
> still under discussion (see Jim Schaad's latest reply).  Please let me
> know if I missed anything I thought I fixed.
>
>
> Thank you,
>
> - --
> - - m&m
>
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
>
> On 12/4/14, 2:07 PM, Yaron Sheffer wrote:
>> Hi Matt,
>>
>> Please see my comments below. I have removed much of the original
>> text, and only left points that need further discussion.
>>
>> Thanks, Yaron
>>
>> On 12/03/2014 12:02 AM, ⌘ Matt Miller wrote: [...]
>>>>
>>>> • Unless I missed it, the document does not mention a machine
>>>> readable repository of these examples, which I am sure the
>>>> author has created while writing the draft. Making such a
>>>> repository publicly available would result in a much more
>>>> useful resource than the current document, which essentially
>>>> requires testers to scrape the document when creating their
>>>> test cases.
>>>>
>>>
>>> You did not miss it; I don't have a such a repository right now,
>>> but I can put one together.  Would something on github.com be
>>> acceptable, or is there a better suggestion?
>>
>> GitHub would be a great place.
>>
>>>
>>>> • (Not a comment to the current document:) I wonder why there
>>>> is nothing explicit to distinguish a public key from a private
>>>> key, and they are only distinguished by the presence or absence
>>>> of several parameters, something that will not be natural to
>>>> most developers. PEM is doing it very well: "-----BEGIN RSA
>>>> PRIVATE KEY-----".
>>>>
>>>> • 3.4: the text is contradictory re: zero-padding of the value
>>>> "d". Is it using the minimum number of octets, or exactly 256
>>>> octets (for a 2048-bit key)?
>>>>
>>>
>>> The intent is that "d" is not zero-padded, and I overqualified in
>>> my text.  Would the following be acceptable?
>>>
>>> For a 2048-bit key, the field "n" is 256 octets in length when
>>> decoded and the field "d" is not longer than 256 octets in length
>>> when decoded.
>>>
>>
>> Yes.
>>
>>>
>> [snip]
>>>
>>>> • 5.1.1: since this is a "cookbook", we should be using the
>>>> public key, not the private key. A private key would only be
>>>> used in rare cases. Similarly 5.2.1.
>>>>
>>>
>>> The private keys are included for both reproduction (which only
>>> needs the public key) and verification (which necessitates the
>>> private key).
>>>
>>> If I can put an online repository together, I can change the
>>> examples to just include the public keys; otherwise would the
>>> following in 5.1 (and 5.2) be sufficient?
>>>
>>> Note that only the RSA public key is necessary to perform the
>>> encryption.  However, the example includes the RSA private key
>>> to allow readers to validate the example's output.
>>>
>>
>> I'm fine with this new text.
>>
>>>
>>>> • 5.3.1: the "plaintext content" is a list of keys, which is
>>>> either confusing to the reader, or an actual error in the
>>>> document.
>>>>
>>>
>>> It is not in error.  The most common usecase for password-based
>>> encryption was the import and export of key sets, and the
>>> Working Group desired a thorough example.
>>>
>>> Would it help if the following is added to 5.3?
>>>
>>> A common use of password-based encryption is the import/export
>>> of keys.  Therefore this example uses a JWK Set for the
>>> plaintext content instead of the plaintext from figure 72.
>>>
>>
>> Yes, this would help.
>>
>>>
>>>> • 5.3.5: In the General Serialization version, I don't
>>>> understand why only the encrypted key is per-recipient. I would
>>>> expect the PBES2 parameters too (e.g., the salt)  to be
>>>> per-recipient. Presumably each of them is using a different
>>>> password, and there's no reason to use a common salt. Similarly
>>>> in 5.4.5.
>>>>
>>>
>>> For compatibility across serializations (compact, general JSON,
>>> flattened JSON), all of the parameters need to be in the JWE
>>> Protected Header.  In the general serialization, that means only
>>> the "encrypted_key" field is present for the (presumably) sole
>>> recipient.
>>>
>>> Would it be acceptable if the following were added to 5.3?
>>>
>>> Note that if password-based encryption is used for multiple
>>> recipients, it is expected that each recipient use different
>>> values for the PBES2 parameters "p2s" and "p2c".
>>>
>>
>> So I still don't understand: don't we need an example that
>> demonstrates how the JSON structure (or multiple structures) is
>> generated so that "each recipient use(s) different values"?
>>
>> In general I don't understand this "compatibility" thing.
>> Obviously there are some cases that cannot be expressed in all
>> serialization types. Otherwise why would we need three of them?
>>
>>>> • 5.7: same as above, it makes sense for the per-recipient key
>>>> to have an ID, rather than the content encryption key
>>>> (typically an ephemeral key). And then that ID should be in the
>>>> per-recipient data in 5.7.5. And similarly for 5.8. The later
>>>> Sec. 5.13 shows a syntax for multiple recipients that's
>>>> inconsistent with the single-recipient case, which would make
>>>> sense if we got rid of the array.
>>>>
>>>
>>> For compatibility across serializations (compact, general JSON,
>>> flattened JSON), all of the parameters need to be in the JWE
>>> Protected Header.  Also, the mixing of "recipients" and
>>> "encrypted_key"/"header" in the top-level object is not permitted
>>> for the general serialization.
>>>
>>
>> Still confused. Sorry.
>>
>>>> • 5.11: this example seems strange to me - why would anybody
>>>> NOT want to integrity-protect the key ID and algorithm? I would
>>>> prefer a more realistic example, or failing that, a
>>>> recommendation to developers to avoid this practice. Similarly
>>>> 5.12, which is an even worse idea.
>>>>
>>>
>>> Integrity protection was thoroughly discussed in the JOSE WG.
>>> While there are some limited attacks possible when some
>>> parameters are unprotected, the WG felt there were enough use
>>> cases where these attacks are mitigated through other means that
>>> integrity protection of the part of all of the header is not
>>> always required.
>>
>> So (personal opinion here) I think the WG took a security risk
>> that should not have been taken in 2014, for a minor performance
>> gain. We have seen too many protocols fail because of
>> integrity-protection shortcuts. Who would have thought you need to
>> integrity-protect the padding field! The fact that CMS took this
>> route back in 1999 is sort of irrelevant, as we've all learned a
>> lot since then.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
> Comment: GPGTools - https://gpgtools.org
>
> iQEcBAEBCgAGBQJUh0DxAAoJEDWi+S0W7cO1yn8H/3qu51pBi99f8FmuI/ZyW+9+
> LJfToPCcaTlSWqLR14mzApvm2VTgX60R89+ykQzVcvRIqZZvr4gqtJFnNtSUsGgs
> PWEU837QEi0B/xfLADk6YF8om3B5XR6SX1xS4BSY4+oxh1XjIeRFoNqE2XLcFCd/
> P5NLs5NH3ZJS4khKFTgw7dzYBiSWUf+DEOZaPb8vcRVRUy7giJlKbax5u1jQgk9X
> 1e7+W72rpjSVfd9+cP7Jme4Atz/K7MKawebz+6UsTVRH3dImwg4qy2IggMrGxrba
> TZXdXE4wxVVlbc768cTjZJPtHwZ/HH/e/sgNrUK66WSrBveoBDf7v8NGu7+pS8w=
> =3XEs
> -----END PGP SIGNATURE-----
>