Re: [secdir] sector review of draft-ietf-jose-jwk-thumbprint-05

"Jim Schaad" <ietf@augustcellars.com> Fri, 12 June 2015 00:00 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 064B11B34B8; Thu, 11 Jun 2015 17:00:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JspVYVCzYINV; Thu, 11 Jun 2015 17:00:01 -0700 (PDT)
Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.177]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86E271B34BB; Thu, 11 Jun 2015 17:00:00 -0700 (PDT)
Received: from hebrews (unknown [50.109.226.2]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id 4AE7438EF3; Thu, 11 Jun 2015 16:59:59 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Mike Jones'" <Michael.Jones@microsoft.com>, "'Adam W. Montville'" <adam.w.montville@gmail.com>, "'The IESG'" <iesg@ietf.org>, <secdir@ietf.org>, <draft-ietf-jose-jwk-thumbprint.all@ietf.org>
References: <A1BD2DB0-A7D9-4635-8A3B-074303AF2E55@gmail.com> <BY2PR03MB442BD780448D808BA10D657F5BC0@BY2PR03MB442.namprd03.prod.outlook.com> <003d01d0a496$f2ee7d70$d8cb7850$@augustcellars.com> <BY2PR03MB442CD9880676AAC2D0B3F05F5BC0@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB442CD9880676AAC2D0B3F05F5BC0@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Thu, 11 Jun 2015 17:00:06 -0700
Message-ID: <004801d0a4a2$be5e1b40$3b1a51c0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQH/CRWIcZSXbJbM2kM+qRSrEj4cCAIc57yoAlPx0JQCobgd4Z0Snnug
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Umm3aa8q-hAQZfYxgossOa7nfPg>
Cc: jose@ietf.org
Subject: Re: [secdir] sector review of draft-ietf-jose-jwk-thumbprint-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jun 2015 00:00:04 -0000

I would do this by including an IANA considerations section that states you are updating the expert review instructions for a registry.  They will then include that in the list of references for the registry itself.

Jim


> -----Original Message-----
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Thursday, June 11, 2015 3:49 PM
> To: Jim Schaad; 'Adam W. Montville'; 'The IESG'; secdir@ietf.org; draft-ietf-jose-
> jwk-thumbprint.all@ietf.org
> Cc: jose@ietf.org
> Subject: RE: sector review of draft-ietf-jose-jwk-thumbprint-05
> 
> The registration instructions don't appear to be stored with the registry at
> http://www.iana.org/assignments/jose/jose.xhtml.  The closest there is there is
> the Reference field, which specifies [RFC7515], which I assume is how the
> designated experts are expected to retrieve the instructions.
> 
> Does anyone on the thread know if it's possible to add a copy of the registration
> instructions in the registry itself?  If so, then we'd have a mechanism by which
> we could update them, as Jim suggested.
> 
> 				-- Mike
> 
> -----Original Message-----
> From: Jim Schaad [mailto:ietf@augustcellars.com]
> Sent: Thursday, June 11, 2015 3:36 PM
> To: Mike Jones; 'Adam W. Montville'; 'The IESG'; secdir@ietf.org; draft-ietf-jose-
> jwk-thumbprint.all@ietf.org
> Cc: jose@ietf.org
> Subject: RE: sector review of draft-ietf-jose-jwk-thumbprint-05
> 
> 
> 
> > -----Original Message-----
> > From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> > Sent: Thursday, June 11, 2015 2:25 PM
> > To: Adam W. Montville; The IESG; secdir@ietf.org; draft-ietf-jose-jwk-
> > thumbprint.all@ietf.org
> > Cc: jose@ietf.org
> > Subject: RE: sector review of draft-ietf-jose-jwk-thumbprint-05
> >
> > Hi Adam,
> >
> > Thanks for the secdir review.
> >
> > > From: Adam W. Montville [mailto:adam.w.montville@gmail.com]
> > > Sent: Monday, June 08, 2015 8:46 AM
> > > To: The IESG; secdir@ietf.org;
> > > draft-ietf-jose-jwk-thumbprint.all@ietf.org
> > > Subject: sector review of draft-ietf-jose-jwk-thumbprint-05
> >
> > > Hi,
> >
> > > I have reviewed this document as part of the security directorate's
> > > ongoing
> > effort to review all IETF documents being processed by the IESG. These
> > comments were written primarily for the benefit of the security area directors.
> > Document editors and WG chairs should treat these comments just like
> > any other last call comments.
> > >
> > > I believe the document is ready with (potential) issues.  The “with
> > > issues” might
> > be due to ignorance on my part.  The draft does a very good job of
> > explaining the canonical form of a JSON Web Key that can be used for
> > establishing a thumbprint under varying circumstances, complete with
> > what I found to be helpful examples.
> > >
> > > The primary issue I have is that it’s unclear how relying parties
> > > are going to
> > know which hash algorithm has been used.  The examples use SHA-256,
> > but I’m not seeing where SHA-256 might be specified as a MUST or even a
> SHOULD.
> > Moreover, the example output ultimately shows only the Base-64
> > encoding of the resulting hash, which says nothing about the algorithm
> > used to identify a key.
> >
> > Earlier drafts had included fields whose names were intended to
> > communicate the information about the hash function used - see the
> > "jkt" field definitions in
> > http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-01#section-4
> > - but several working group reviewers suggested that these fields were
> > unnecessary and that the typical usage would be as "kid" (key ID)
> > field values.  With that removal, it falls onto the application to
> > specify the hash algorithm for its particular usage.
> >
> > This isn't as bad as you might think, however, because typically the
> > consumer of the "kid" doesn't need to know the algorithm because it
> > won't be reproducing the computation.  It just relies on the fact that
> > a unique key ID value was generated for the key and compares "kid"
> > values as opaque strings to find the appropriate key.  In this usage,
> > the producer of the key is the only party that needs to know the hash
> algorithm that it is using.  I hope this helps.
> >
> > > Additionally, in Section 4, “JSON and Unicode Considerations” some
> > > “should”s
> > are used, but I’m not reading them as SHOULDs.  Should they be
> > SHOULDs?  For example, the start of the third paragraph in that
> > section: “if new JWK members are defined that use non-ASCII member
> > names, their definitions should specify the exact Unicode code point
> > sequences used to represent them.”  It’s not clear to me whether this
> > is a strong statement or just a recommendation - it seems that this
> > draft could help the future by making stronger statements to encourage future
> interoperability.
> >
> > For the other JOSE specifications, our chair Jim Schaad took the
> > position that RFC 2119 keywords should be reserved for testable
> > protocol behaviors and that other uses of the English word "should"
> > should not use "SHOULD".  The authors followed that convention in this
> > document.  I do understand that other authors and working groups have
> > taken different positions in this regard.  If there are particular
> > uses that you still feel should be changed to use RFC 2119 keywords, please
> call them out.
> 
> If we really wanted to make sure that the recommendation was followed, then
> it would make sense to adjust the IANA reviewers instructions for the registry.
> Putting a SHOULD or a MUST in this document would not have any effect since it
> does not define a protocol and might not be seen by anybody defining a new
> header field.
> 
> Jim
> 
> >
> > > Kind regards,
> > > Adam
> >
> > 				Thanks again!
> > 				-- Mike
>