Re: [secdir] Secdir review of draft-ietf-jose-json-web-signature-31
Tero Kivinen <kivinen@iki.fi> Tue, 23 September 2014 09:18 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 033751A6FBB; Tue, 23 Sep 2014 02:18:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.786, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gC5Ad2x7NIOd; Tue, 23 Sep 2014 02:18:04 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20D751A6FA0; Tue, 23 Sep 2014 02:18:03 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id s8N9Hx83004757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 23 Sep 2014 12:17:59 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id s8N9Hw1v016628; Tue, 23 Sep 2014 12:17:58 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21537.15046.788802.440800@fireball.kivinen.iki.fi>
Date: Tue, 23 Sep 2014 12:17:58 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Mike Jones <Michael.Jones@microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BA6811A@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <21512.21725.209461.976375@fireball.kivinen.iki.fi> <4E1F6AAD24975D4BA5B16804296739439AEABA21@TK5EX14MBXC292.redmond.corp.microsoft.com> <21528.638.485017.482257@fireball.kivinen.iki.fi> <4E1F6AAD24975D4BA5B16804296739439BA5A04D@TK5EX14MBXC286.redmond.corp.microsoft.com> <21536.10026.506235.155913@fireball.kivinen.iki.fi> <4E1F6AAD24975D4BA5B16804296739439BA6811A@TK5EX14MBXC286.redmond.corp.microsoft.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 19 min
X-Total-Time: 21 min
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/SmscKfQhFjQtl3wjgj_4LTUR7qI
Cc: "jose@ietf.org" <jose@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-jose-json-web-signature.all@tools.ietf.org" <draft-ietf-jose-json-web-signature.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-jose-json-web-signature-31
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Sep 2014 09:18:07 -0000
Mike Jones writes: > >> For your point "4) Thumbprint formats" if you or someone else wants to > >> define an additional thumbprint format for use in IoT contexts (or any > >> other contexts), I encourage you to write an Internet Draft that does > >> so, registering the new header parameter defined in the JSON Web > >> Signature and Encryption Header Parameters registry. > > > > That can of course be done, but I would have hoped the initial > > version of the specification would also be usable in the IoT > > context, where the use of raw public keys will most likely arise. > > If what you want is a thumbprint over a raw key, see the individual > submission draft > https://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-01, > which defines a method for doing this. The -01 version incorporates > working group feedback from Toronto. In Toronto, I'd asked whether > the working group wanted to adopt it as a working group draft and a > decision hasn't been made on that yet. If this would be useful for > IoT applications, that would be good to know. That looks ok for the jwk use, but for the hash over the SPKI parts of the X.509 is better because that is already used in other places. I.e. if you want to create fingerprint that can be used to match the key used in other protocols, they are not using that format defined in your draft, thus you need to regenerate the JWK format from their internal public/private key formats and generate new hash. For example DANE x 1 x format (i.e. 3 1 1 for SHA-256, or 3 1 2 for SHA-512) defined RFC6698 section 2.1.3 are calculated over the exact same binary object which is transmitted in the raw keys used in the TLS (RFC7250 section 3), which is again same binary object used in the in the IKEv2 (draft-kivinen-ipsecme-oob-pubkey). In the IoT context it will most likely be quite common to define the configuration of who can connect to you by using list of hashes of raw public keys. I.e. the device has list of hashes, and when connection comes (either over TLS or IKEv2 or whatever), then that raw public key sent inside the connection protocol is hashed and it is matched against that list of hashes. If match is found, the connection is allowed, if not the connection is dropped. Now json might be one way of this configuration could be transmitted to the IoT device, thus ability to be able to represent hashes in the format that makes it possible to match the binary blobs used on the wire, would be useful. One of the reasons the SPKI is used, that it can also be extracted from the self-signed certificate, i.e. early implementations might use self-signed certificates in the TLS (for example) before the RFC7250 implementations come out. The draft-jones-jose-jwk-thumbprint format is in such format that it is quite hard to match that against the binary blob we get from the wire, as to do so would require to format the public key received to JWK and then calculating the fingerprint of that newly created object. Parsing SPKI format (and parsing JSON also if we use that for configurations) is required in the implementations anyways, but in normal case the IoT devices do not need code for generating JSON objects. So I do not think the format you are specifying there is suitable for IoT uses, but I assume it will still be useful in the JWK in general. -- kivinen@iki.fi
- [secdir] Secdir review of draft-ietf-jose-json-we… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Mike Jones
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Richard Barnes
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Richard Barnes
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Richard Barnes
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Mike Jones
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Mike Jones
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Richard Barnes
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Mike Jones
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Jim Schaad
- Re: [secdir] [jose] Secdir review of draft-ietf-j… John Bradley
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Mike Jones
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Jim Schaad
- Re: [secdir] [jose] Secdir review of draft-ietf-j… John Bradley
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Jim Schaad
- Re: [secdir] [jose] Secdir review of draft-ietf-j… John Bradley
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Richard Barnes
- Re: [secdir] [jose] Secdir review of draft-ietf-j… John Bradley
- Re: [secdir] [jose] Secdir review of draft-ietf-j… John Bradley
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Richard Barnes
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Richard Barnes
- Re: [secdir] [jose] Secdir review of draft-ietf-j… John Bradley
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Jim Schaad
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Richard Barnes
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Jim Schaad
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Tero Kivinen
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Richard Barnes
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Mike Jones
- Re: [secdir] [jose] Secdir review of draft-ietf-j… Mike Jones
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Mike Jones
- Re: [secdir] Secdir review of draft-ietf-jose-jso… Mike Jones