Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

John Bradley <ve7jtb@ve7jtb.com> Mon, 15 September 2014 19:19 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 685371A002F for <secdir@ietfa.amsl.com>; Mon, 15 Sep 2014 12:19:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hTuvOY4NaAg4 for <secdir@ietfa.amsl.com>; Mon, 15 Sep 2014 12:19:08 -0700 (PDT)
Received: from mail-qg0-f47.google.com (mail-qg0-f47.google.com [209.85.192.47]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5281B1A0026 for <secdir@ietf.org>; Mon, 15 Sep 2014 12:19:08 -0700 (PDT)
Received: by mail-qg0-f47.google.com with SMTP id i50so4336576qgf.20 for <secdir@ietf.org>; Mon, 15 Sep 2014 12:19:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=8uygKMleTb5hoRj0JsxlFdMYie8QtNNb7VSTfSqs+vY=; b=BW3ICHdkTOAuCf0gBSC6poUFFEsBwGXwvRW3zkYCffuG3ePlz+7ObKSnI/06AurFS8 68UnkL7n/pXjPAdBDN7g/qkdatuDS9txR61ieJHzn6EnjkU1zRVqkmb6sbWIQdjhKq8M WP3VrK0H7vQQRdzNATeWUkAEs+mzp3I+o753PS4zS38xmhO0IqIX20JhD6+IE8U1psAJ vamZyHyvbznUuhWYv0GZp53WKXuR22xZlj8Elc4EE99fDGHePuK9sz2mxle1awmu7kzd yzJODjXOAtvTg+8Kcm3wbwe/9XcIQqQSe2MaiKNZEaRQ3vZf3KzcK5Q7hSuZ7XOkWEdw tUCQ==
X-Gm-Message-State: ALoCoQl5pth7lT6ceqGyULu0Y/lB5oUZv1nHxz+9CvOSHFI7TDi57MQ6TGLM2eDr3DzkmUtONjew
X-Received: by 10.224.80.65 with SMTP id s1mr38084147qak.41.1410808745300; Mon, 15 Sep 2014 12:19:05 -0700 (PDT)
Received: from [192.168.1.38] (186-106-144-90.baf.movistar.cl. [186.106.144.90]) by mx.google.com with ESMTPSA id g52sm10142250qgg.17.2014.09.15.12.19.02 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 15 Sep 2014 12:19:04 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_6237CE3F-B6C0-4323-AE32-1BCBFF7C40C9"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAHBU6ivb3BeEufcnJB+eSk8wgETMx+qzH3miE6Z1jtrQkXNR3w@mail.gmail.com>
Date: Mon, 15 Sep 2014 16:18:59 -0300
Message-Id: <EB1515F8-95D4-4F9F-B2EC-F6B0D54C1CC2@ve7jtb.com>
References: <CAHbuEH4Ccn2Z=8kEECzvgjmtshwsFoa-EH_NpkJPos7zirGeaQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AEC00DB@TK5EX14MBXC292.redmond.corp.microsoft.com> <5416FE10.3060608@bbn.com> <CAHBU6iu3GfsLCAint3z7risZUnVW4EK0WrGVW6Dv=gvppiHSxQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECCCDD@TK5EX14MBXC292.redmond.corp.microsoft.com> <54173546.5000400@bbn.com> <CAHBU6ivb3BeEufcnJB+eSk8wgETMx+qzH3miE6Z1jtrQkXNR3w@mail.gmail.com>
To: Tim Bray <tbray@textuality.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/hFxSWfDDtfOvqO7W6by7AEo3mag
X-Mailman-Approved-At: Mon, 15 Sep 2014 13:41:52 -0700
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Michael Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Sep 2014 19:19:10 -0000

Tim,

To clarify.

Are you recommending that:
That receivers MUST reject JOSE objects with duplicate keys.  

This would require compliant implementations to write there own parsers (perhaps not a good idea), or wait for I-JSON parsers (perhaps sometime soonish)

Or that JOSE require producers not to send dup keys, and receivers SHOULD reject them if possible based on the parser.

For JWE and JWS the header is integrity protected so we are talking about duplicate keys inserted by a bad producer rather than an attacker modifying the message after signing..

The concern is if something at the application layer is tricked into inserting a parameter with a duplicate name or one that otherwise changes the message verification.

I suspect the important issue is taking care that when producing a JWE/JWS you are not accepting arbitrary elements for the header without verifying that they are not JOSE parameters.

John B.


On Sep 15, 2014, at 3:54 PM, Tim Bray <tbray@textuality.com> wrote:

> ​When I talk about existing software I’m referring to generic JSON parsers such as are included in the basic library set of every programming language now, and which are unfortunately idiosyncratic and inconsistent in their handling of dupe keys, but in almost no cases actually inform the calling software whether or not dupe keys were encountered.
> 
> On Mon, Sep 15, 2014 at 11:51 AM, Stephen Kent <kent@bbn.com> wrote:
> OK, I'm a bit confused.
> 
> I thought the JOSE specs were intended to create standards for transport of keys, and for sigs,
> MACs, and encryption of JSON objects.
> 
> What is the existing software to which you and Tim refer, when referring to keys (vs.
> JSON parsing in general)?
> 
> Steve
> 
> 
> 
> 
> -- 
> - Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose