Re: [secdir] secdir review of draft-ietf-jose-jws-signing-input-options-06
"Jim Schaad" <ietf@augustcellars.com> Mon, 14 December 2015 04:17 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6B811A8955; Sun, 13 Dec 2015 20:17:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZPQ65EtQdv9U; Sun, 13 Dec 2015 20:17:25 -0800 (PST)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82B541A8848; Sun, 13 Dec 2015 20:17:25 -0800 (PST)
Received: from hebrews (c-24-21-96-37.hsd1.or.comcast.net [24.21.96.37]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 4CA3C2C9FE; Sun, 13 Dec 2015 20:17:23 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Kathleen Moriarty' <kathleen.moriarty.ietf@gmail.com>, 'Mike Jones' <Michael.Jones@microsoft.com>, jose-chairs@tools.ietf.org
References: <alpine.GSO.1.10.1512111248420.26829@multics.mit.edu> <BY2PR03MB442A7FF30189B4A39215B74F5EC0@BY2PR03MB442.namprd03.prod.outlook.com> <8C206A9F-8629-4D6C-9EEA-25B71BF586D9@gmail.com> <BY2PR03MB442EC5B63F046735CF13227F5EC0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH6ONNAjmjZ+KvkEnCf28=sqveFc3Rkg4DEVmXqasnmneA@mail.gmail.com> <CAHbuEH4KTL7EKAsPt7fmmD7D0cRdBT_0Pg3t+uVXgGdzm_tGKg@mail.gmail.com> <BY2PR03MB442869845352C5E62CD33F4F5ED0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH5rXhaRP1iZM25E5T+iYCpPtRzjyPPsntW4FYDgfY4isA@mail.gmail.com>
In-Reply-To: <CAHbuEH5rXhaRP1iZM25E5T+iYCpPtRzjyPPsntW4FYDgfY4isA@mail.gmail.com>
Date: Sun, 13 Dec 2015 20:14:38 -0800
Message-ID: <062f01d13625$f3cfb260$db6f1720$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Content-Language: en-us
Thread-Index: AQG6tIZnrou72CdNvIZtQKk61WL5FALChNxMAduZhGwC/dFLUgHU4wNWAmmRJKEBx3b12gK6sEKonnP9jlA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/nURuiYuCoEKSV-6X3-BD0k_zSkM>
Cc: secdir@ietf.org, draft-ietf-jose-jws-signing-input-options.all@ietf.org, iesg@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-jose-jws-signing-input-options-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2015 04:17:27 -0000
Please note that the write up addresses two different updates. 7519 which was in the document and updates JWT with the statement that says - don't do this 7515 which would be an update of JWS - however it was determined that updating the registry is sufficient without updating the document itself. While I don't know that there is a need to update 7519 - there is not really a strong statement to be made either way, so I did not ask for it to be removed. I was more worried about the question of having an update to 7515 which was not present. Karen and I determined that we probably did not need to have this document updated so there were no changes to be made to the document. I would keep the 7519 update since that was seen by the WG. And not put in an update to 7515 since, again, that was what the WG saw. Jim > -----Original Message----- > From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] > Sent: Sunday, December 13, 2015 7:59 PM > To: Mike Jones <Michael.Jones@microsoft.com>; jose-chairs@tools.ietf.org > Cc: Benjamin Kaduk <kaduk@mit.edu>; iesg@ietf.org; secdir@ietf.org; draft- > ietf-jose-jws-signing-input-options.all@ietf.org > Subject: Re: secdir review of draft-ietf-jose-jws-signing-input-options-06 > > Jim & Karen, > > I see the updates in the last 2 versions in both the header and abstract, prior to > when the shepherd report was posted. I see in the shepherd report that you do > not agree that this draft updates RFC7519. > Is there a reason this change was not already made to the draft? > Please confirm that removing this is the right action, it seems to be from your > shepherd report reasoning. > > Best regards, > Kathleen > > On Sun, Dec 13, 2015 at 10:50 PM, Mike Jones <Michael.Jones@microsoft.com> > wrote: > > To confirm, you want me to remove the Updates 7519 clause, and the second > paragraph of the abstract, which says: > > > > This specification updates RFC 7519 by prohibiting the use of the > > unencoded payload option in JSON Web Tokens (JWTs). > > > > Correct? I'll do that then shortly. > > > > Thanks, > > -- Mike > > > > -----Original Message----- > > From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] > > Sent: Sunday, December 13, 2015 7:37 PM > > To: Mike Jones <Michael.Jones@microsoft.com> > > Cc: Benjamin Kaduk <kaduk@mit.edu>; iesg@ietf.org; secdir@ietf.org; > > draft-ietf-jose-jws-signing-input-options.all@ietf.org > > Subject: Re: secdir review of > > draft-ietf-jose-jws-signing-input-options-06 > > > > Mike, > > > > Sorry, I take that back. The chairs make a good point in the shepherd writeup. > This really doesn't update 7519, so it should not say that in the abstract. > > > > Thanks. > > > > On Sun, Dec 13, 2015 at 10:05 PM, Kathleen Moriarty > <kathleen.moriarty.ietf@gmail.com> wrote: > >> Mike, > >> > >> Please do add that to the abstract and post as soon as you can with > >> all updates from last call received so far and agreed upon. > >> > >> Thanks, > >> Kathleen > >> > >> On Sat, Dec 12, 2015 at 10:30 PM, Mike Jones > >> <Michael.Jones@microsoft.com> wrote: > >>> Sounds good. Thanks, Kathleen. > >>> > >>> -- Mike > >>> > >>> -----Original Message----- > >>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] > >>> Sent: Saturday, December 12, 2015 7:28 PM > >>> To: Mike Jones <Michael.Jones@microsoft.com> > >>> Cc: Benjamin Kaduk <kaduk@MIT.EDU>; iesg@ietf.org; secdir@ietf.org; > >>> draft-ietf-jose-jws-signing-input-options.all@ietf.org > >>> Subject: Re: secdir review of > >>> draft-ietf-jose-jws-signing-input-options-06 > >>> > >>> > >>> > >>> Sent from my iPhone > >>> > >>>> On Dec 12, 2015, at 9:33 PM, Mike Jones <Michael.Jones@microsoft.com> > wrote: > >>>> > >>>> Hi Ben, > >>>> > >>>> Thanks for the useful review. Replies are inline below... > >>>> > >>>>> -----Original Message----- > >>>>> From: Benjamin Kaduk [mailto:kaduk@MIT.EDU] > >>>>> Sent: Friday, December 11, 2015 10:05 AM > >>>>> To: iesg@ietf.org; secdir@ietf.org; > >>>>> draft-ietf-jose-jws-signing-input- > >>>>> options.all@ietf.org > >>>>> Subject: secdir review of > >>>>> draft-ietf-jose-jws-signing-input-options-06 > >>>>> > >>>>> Hi all, > >>>>> > >>>>> I have reviewed this document as part of the security > >>>>> directorate's ongoing effort to review all IETF documents being > >>>>> processed by the IESG. These comments were written primarily for > >>>>> the benefit of the security area directors. Document editors and > >>>>> WG chairs should treat these comments just like any other last call > comments. > >>>>> > >>>>> This document is Ready. > >>>>> > >>>>> The main JWS spec (RFC 7515) required that the signed payload was > >>>>> base64url-encoded prior to signing. This results in a noticeable > >>>>> size expansion; in some circumstances it is desirable to avoid > >>>>> this expansion and reencoding. I did not follow the JWS document > >>>>> closely at the time, but I believe this issue was raised at the > >>>>> time and consensus reached on the published version because it is always > safe for applications to use. > >>>>> This document provides an opt-in mechanism for application > >>>>> (protocol)s to avoid the extra encoding and expansion, leaving the > >>>>> burden on the application to determine whether it is safe to do so > >>>>> and perform the relevant input checking/sanitization. The > >>>>> security considerations correctly describe the implications of the > >>>>> loss of encoding and the restrictions on the signed content when > >>>>> detached payloads are not used, interoperability concerns for > >>>>> applications not supporting the b64 header parameter, and proposes > appropriate countermeasures. > >>>> > >>>> Thanks for letting us know that the security considerations were > >>>> clear=
- [secdir] secdir review of draft-ietf-jose-jws-sig… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Jim Schaad
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones
- Re: [secdir] secdir review of draft-ietf-jose-jws… Kathleen Moriarty
- Re: [secdir] secdir review of draft-ietf-jose-jws… Mike Jones