Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 787E21A00BB; Thu, 11 Sep 2014 08:13:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.852 X-Spam-Level: X-Spam-Status: No, score=-5.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XPsi0r0wEgQD; Thu, 11 Sep 2014 08:13:36 -0700 (PDT) Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 485301A02DD; Thu, 11 Sep 2014 08:13:36 -0700 (PDT) Received: from dommiel.bbn.com ([192.1.122.15]:52628 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1XS63u-000CEg-Ox; Thu, 11 Sep 2014 11:13:31 -0400 Message-ID: <5411BC12.9040808@bbn.com> Date: Thu, 11 Sep 2014 11:13:22 -0400 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 MIME-Version: 1.0 To: Mike Jones , "secdir@ietf.org" , "jose-chairs@tools.ietf.org" , "Moriarty, Kathleen" References: <4E1F6AAD24975D4BA5B16804296739439AEB89F6@TK5EX14MBXC292.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439AEB89F6@TK5EX14MBXC292.redmond.corp.microsoft.com> Content-Type: multipart/alternative; boundary="------------070805010902070802040207" Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/nY8jIYgleF8v-M-dLvlxVtx88tY Cc: "jose@ietf.org" Subject: Re: [secdir] SECDIR review of draft-ietf-jose-json-web-key-31 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Sep 2014 15:13:45 -0000 This is a multi-part message in MIME format. --------------070805010902070802040207 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Mike, Thanks for the reply to my comments. I've retained your replies and responded to them, below. > > ** > I agree that "employing countermeasures to" is more accurate than > "preventing". I also agree that the "avoiding mistakes" language is > not actionable -- I propose to just remove it. > Great. > > Actually, it was spoken by then-Security AD Sean Turner. ;-) > gee, I thought Sean was wise, but I didn't realize he was a Jedi ;-). > > How about changing "data associated with a key" to "data > cryptographically secured by a key"? (And of course, deleting the > extraneous "than".) > OK. > > The wording above is needlessly awkward. Nonetheless, this says that > key sets containing symmetric or private keys should be encrypted by > embedding them in another JSON crypto format (JWE). It would be nice > to add that this implies a that there is secure way to deliver the > needed decryption key for the JWE, else this recommendation just adds > a layer of indirection, and does not solve the problem. > > Fair enough. I propose that we add something along those lines. > OK, I look forward to seeing the revised wording here. > > Section 9.3 discusses a countermeasure against a specific attack on > RSA key use. This seems unduly narrow, since this spec is intended for > use with RSA, DH, DSS, and ECDH keys. Why devote a long paragraph to > this one issue, while saying nothing about equally serious concerns > that arise for other algorithms? > > This particular attack is described both because the countermeasure > requires specific key representation actions and because a working > group member asked it to be included. For what it's worth, I expect > that additional security considerations will be added when resolving > Russ Housley's gen-art review of the JWS specification. > If comparable alg-specific countermeasures are added based on Russ's comments then this may be OK, but in isolation this RSA-specific attack seem out of place. > > These non-goals were agreed to by the working group from the very > beginning, while the working group was still being chartered. The > group wanted to build something simple and easily deployable to > represent keys in JSON -- not reinvent all the work that the PKIX > working group did on certificates and certificate chains, etc. Do any > working group members want to suggest specific wording to try to > capture this sentiment? > OK. > > The example that comprises Section 3 should include an explanation of > the parameters, else it's not a great example. > > The parameters and values of them are explained in the paragraph > preceding the example text. It says: > > The following example JWK > declares that the key is an Elliptic Curve [DSS ] key, it is used with > the P-256 Elliptic Curve, and its x and y coordinates are the > base64url encoded values shown. A key identifier is also provided > for the key. > > Each statement above corresponds to a parameter in the example, and in > the same order. > OK. I missed that. > > I suppose that one option is to be more verbose above and add > parenthetical remarks after each statement above saying which > parameter does this. So for instance, the parenthetical phrase > "("kty" parameter)" could be added before the first comma. Do others > in the working group think that would make the example easier to read, > harder to read, or do any of you have an alternative suggestion? > I defer to the WG on this presentation issue. > > In addition to the common parameters, each JWK will have members that > > are algorithm-specific. > > They're not algorithm-specific -- they're key type-specific. Another > way of eliminating the repeated use of the word "parameters" is to > replace the second sentence with "These members represent the key > value". Would that work for you (and the working group)? > Yes, I meant key-type specific. But if one were to use that term instead of "algorithm specific" I still think my wording is better. > > This topic has been heavily discussed by the working group, and while > the specs used to just say that objects with duplicate member names > MUST be rejected, working group members, including Tim Bray (the > editor of the JSON spec), prevailed on us to weaken this so that > parsers that implement the ECMAscript behavior of returning only the > last member name may be legally used. (The argument was made that > there was more security downside in effectively requiring people to > write and debug their own strict parsers than in using laxer, but > well-supported and debugged parsers.) > I find that argument unpersuasive, but I defer to the cognizant Ad on this. > > However, we also intentionally require that producers use only one > instance of each member name, so that legally produced objects will > never exercise the ambiguities that are present in real JSON parsers. > That seemed to be the most practical solution to the working group. > Based on year of experience in PKIX that is not a great solution. If the consumer of a data structure fails to strictly enforce the requirement imposed on the producer of the data structure, the result is that non-conforming producers do not receive "appropriate" feedback. > > > The term "Collision-Resistant Name" is already present in the > Terminology section. However, previous reviewers had requested that > definitions not be repeated in multiple specs, so it's incorporated by > reference, rather than repeating the definition here. The notion is > that of an implementation wants to use a collision-resistant name such > as "http://names.example.com/the-name", it can do so without having to > create a public specification and register the name with IANA. > I found the definition by reading one of the other specs, but I didn't see a clear explanation of why this is a reasonable alternative to using an IANA registry. The text above does still does not provide a rationale. > > I agree that the "SHOULD" language is awkward. Rather than saying > "SHOULD be used", we could change it to just say "is used". OK. > > Would the language "The "alg" member can be used to specify the > cryptographic operation that the key is intended to be used for" work > better for you? Or would people like to just see the parenthetical > remark deleted? > How about: The "alg" member is used to specify the algorithm with which the key is to be used. > Section 4.5 defines the key_ops parameter. It's not clear how this > parameters and "use" relate. There is also an odd sentence at the end > of the first paragraph: > > The "key_ops" parameter is intended for use cases in which public, > > private, or symmetric keys may be present. > > This seems to encompass all of the types of keys that JWK carries, so > the sentence seems to add no useful qualification for when this > parameter is intended to be used. > > This is in contrast to the related statement in the "use" definition: > > The "use" parameter is intended for use cases in which > > it is useful to distinguish between public signing keys and public > > encryption keys. > Too subtle for me, and the language above seems a bit wimpy. Why not say: The "use" parameter is employed to indicate whether a public key is for encrypting data or verifying the signature on data. > If you want to see this parameter name changed, you'll need to file a > bug against the WebCrypto spec and get it changed there. Then I'm > sure that JOSE will gladly follow. > My request is directed to the IESG, suggesting that they take this action. > > > This specification will be used both in open environments, in which > multiple organizations will need to have a common understanding of any > extensions used, and closed environments, which the producing and > consuming organization will always be the same and private values > could be safely used. IANA registration is definitely the right thing > to do for open environments. It's probably unnecessary for > deployments in closed environments. Then say this. > > Same answer as for Section 4. > ibid. > > "Can" is being used as a non-2119 synonym for "MAY" here. That being > said, we could just change "can be" to "is", since it's explicitly > said that its use is optional at the end of the paragraph. please revise accordingly. > > It's the inclusion of other metadata about the key that might improve > interoperability that's being referred to -- not the inclusion of the > cert reference. For instance, including "use" or "alg" parameters > might be useful to applications that can't process the certificate. that's not what the text said, hence my confusion. > > As for the cert vs. cert chain question, in the general case, a chain > may be required to establish trust. However, a chain of length one (a > single certificate) will also be sufficient in some use cases. We're > not inventing anything new here. The data format is specified in RFC 1421. > could you point specifically to where 1421 uses two names to identify equivalent data structures for transport of certs/cert chains? I trued a quick search of the text and didn't locate the text to which you appear to refer. > > I had thought there were uses of RSA keys where the same key is used > both for signing and encryption (even though this is a deprecated > practice). > Yes, that practice is frowned upon, and we prefer that certs use an OID that makes it clear how a key is to be used. How about the following text: Similarly, if the "alg" member is present, it MUST be consistent with the algorithm specified in the certificate. > But we could change this to "Similarly, if the "alg" member is > present, it SHOULD correspond to the algorithm specified in the > certificate." Or is that overly strong for some certificates and uses > of them? > I prefer this text. > > Also, the name seems misleading since the chain MAY contain additional > certs, and hence may not be a chain at all! > > I'm not sure if I'm following you here. Are you suggesting the > possibility of having multiple certificates not chaining to one > another in the representation? This isn't allowed by the > specification, as written. Are you suggesting that it needs to be > allowed? > > Thumbprint is the term used in the Windows libraries, such as > http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.thumbprint(v=vs.110).aspx > . > Whereas OpenSSL uses fingerprint > http://www.openssl.org/docs/apps/x509.html. I know that there would be > an uproar if we tried to make a breaking change to the "x5t" name at > this point, because it's in widespread production use. However, we > could add language saying that certificate thumbprints are also known > as certificate fingerprints, so people familiar with either term will > know what this is. > Yes, do add that explanatory text. > > The term "base64url" is incorporated by reference in the terminology > section (Section 2). > > Actually, Appendix C in JWS is not normative. It's just example > code. The normative definition of the encoding is in Section 5 of RFC > 4648. > Then 4648 should be cited. > > It used to be a "SHOULD" but the working group felt that the "MUST ... > unless" wording was a more accurate statement of the requirement. > I defer to the cognizant AD here, but the notion of SHOULD is really MUST ... unless ... > > Section 8 (IANA Considerations) establishes a two-week review period > for creating new (IANA) registry items. This seems too short; some > people take multi-week vacations. I note that the same text appears in > the JWS and JWE documents. > > This text was taken from RFC 6749. > I didn't review that RFC. My comment still stands. > > Aren't appendices normally informative? > normally, but not always. > > We could be more explicit and talk about performing authenticated > encryption. > please do. Steve --------------070805010902070802040207 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Mike,

Thanks for the reply to my comments.

I've retained your replies and responded to them, below.

 
I agree that “employing countermeasures to” is more accurate than “preventing”.  I also agree that the “avoiding mistakes” language is not actionable – I propose to just remove it.

Great.

  Actually, it was spoken by then-Security AD Sean Turner. ;-)

gee, I thought Sean was wise, but I didn't realize he was a Jedi ;-).

How about changing “data associated with a key” to “data cryptographically secured by a key”?  (And of course, deleting the extraneous “than”.)

OK.

 The wording above is needlessly awkward. Nonetheless, this says that key sets containing symmetric or private keys should be encrypted by embedding them in another JSON crypto format (JWE). It would be nice to add that this implies a that there is secure way to deliver the needed decryption key for the JWE, else this recommendation just adds a layer of indirection, and does not solve the problem.

Fair enough.  I propose that we add something along those lines.

OK, I look forward to seeing the revised wording here.

Section 9.3 discusses a countermeasure against a specific attack on RSA key use. This seems unduly narrow, since this spec is intended for use with RSA, DH, DSS, and ECDH keys. Why devote a long paragraph to this one issue, while saying nothing about equally serious concerns that arise for other algorithms?

 

This particular attack is described both because the countermeasure requires specific key representation actions and because a working group member asked it to be included.  For what it’s worth, I expect that additional security considerations will be added when resolving Russ Housley’s gen-art review of the JWS specification.

If comparable alg-specific countermeasures are added based on Russ's comments then
this may be OK, but in isolation this RSA-specific attack seem out of place.

 These non-goals were agreed to by the working group from the very beginning, while the working group was still being chartered.  The group wanted to build something simple and easily deployable to represent keys in JSON – not reinvent all the work that the PKIX working group did on certificates and certificate chains, etc.  Do any working group members want to suggest specific wording to try to capture this sentiment?

OK.

 The example that comprises Section 3 should include an explanation of the parameters, else it’s not a great example.

 

The parameters and values of them are explained in the paragraph preceding the example text.  It says:

 

   The following example JWK
   declares that the key is an Elliptic Curve [DSS] key, it is used with
   the P-256 Elliptic Curve, and its x and y coordinates are the
   base64url encoded values shown.  A key identifier is also provided
   for the key.

 

Each statement above corresponds to a parameter in the example, and in the same order.

OK. I missed that.

I suppose that one option is to be more verbose above and add parenthetical remarks after each statement above saying which parameter does this.  So for instance, the parenthetical phrase “(“kty” parameter)” could be added before the first comma.  Do others in the working group think that would make the example easier to read, harder to read, or do any of you have an alternative suggestion?

I defer to the WG on this presentation issue.

  In addition to the common parameters, each JWK will have members that

  are algorithm-specific.

 

They’re not algorithm-specific – they’re key type-specific.  Another way of eliminating the repeated use of the word “parameters” is to replace the second sentence with “These members represent the key value”.  Would that work for you (and the working group)?

Yes, I meant key-type specific. But if one were to use that term instead of "algorithm specific"
I still think my wording is better.

This topic has been heavily discussed by the working group, and while the specs used to just say that objects with duplicate member names MUST be rejected, working group members, including Tim Bray (the editor of the JSON spec), prevailed on us to weaken this so that parsers that implement the ECMAscript behavior of returning only the last member name may be legally used.  (The argument was made that there was more security downside in effectively requiring people to write and debug their own strict parsers than in using laxer, but well-supported and debugged parsers.)

I find that argument unpersuasive, but I defer to the cognizant Ad on this.

However, we also intentionally require that producers use only one instance of each member name, so that legally produced objects will never exercise the ambiguities that are present in real JSON parsers.  That seemed to be the most practical solution to the working group.

Based on year of experience in PKIX that is not a great solution. If the consumer of a data
structure fails to strictly enforce the requirement imposed on the producer of the data structure,
the result is that non-conforming producers do not receive "appropriate" feedback.


The term "Collision-Resistant Name" is already present in the Terminology section.  However, previous reviewers had requested that definitions not be repeated in multiple specs, so it’s incorporated by reference, rather than repeating the definition here.  The notion is that of an implementation wants to use a collision-resistant name such as “http://names.example.com/the-name”, it can do so without having to create a public specification and register the name with IANA.

I found the definition by reading one of the other specs, but I didn't see a clear explanation of
why this is a reasonable alternative to using an IANA registry. The text above does still does
not provide a rationale.

 I agree that the “SHOULD” language is awkward.  Rather than saying “SHOULD be used”, we could change it to just say “is used”.
OK.

Would the language “The “alg” member can be used to specify the cryptographic operation that the key is intended to be used for” work better for you?  Or would people like to just see the parenthetical remark deleted?

How about:
The "alg" member is used to specify the algorithm with which the key is to be used.

 Section 4.5 defines the key_ops parameter. It’s not clear how this parameters and “use” relate. There is also an odd sentence at the end of the first paragraph:

 

   The "key_ops" parameter is intended for use cases in which public,

   private, or symmetric keys may be present.

 

This seems to encompass all of the types of keys that JWK carries, so the sentence seems to add no useful qualification for when this parameter is intended to be used.

 

This is in contrast to the related statement in the “use” definition:

 

   The "use" parameter is intended for use cases in which

   it is useful to distinguish between public signing keys and public

   encryption keys.

Too subtle for me, and the language above seems a bit wimpy. Why not say:

The "use" parameter is employed to indicate whether a public key is for encrypting
data or verifying the signature on data.

 If you want to see this parameter name changed, you’ll need to file a bug against the WebCrypto spec and get it changed there.  Then I’m sure that JOSE will gladly follow.

My request is directed to the IESG, suggesting that they take this action.


This specification will be used both in open environments, in which multiple organizations will need to have a common understanding of any extensions used, and closed environments, which the producing and consuming organization will always be the same and private values could be safely used.  IANA registration is definitely the right thing to do for open environments.  It’s probably unnecessary for deployments in closed environments.
Then say this.

Same answer as for Section 4.

ibid.

“Can” is being used as a non-2119 synonym for “MAY” here.  That being said, we could just change “can be” to “is”, since it’s explicitly said that its use is optional at the end of the paragraph.
please revise accordingly.

 It’s the inclusion of other metadata about the key that might improve interoperability that’s being referred to – not the inclusion of the cert reference.  For instance, including “use” or “alg” parameters might be useful to applications that can’t process the certificate.
that's not what the text said, hence my confusion.

As for the cert vs. cert chain question, in the general case, a chain may be required to establish trust.  However, a chain of length one (a single certificate) will also be sufficient in some use cases.  We’re not inventing anything new here.  The data format is specified in RFC 1421.

could you point specifically to where 1421 uses two names to identify equivalent data structures
for transport of certs/cert chains? I trued a quick search of the text and didn't locate the
text to which you appear to refer.

 I had thought there were uses of RSA keys where the same key is used both for signing and encryption (even though this is a deprecated practice).

Yes, that practice is frowned upon, and we prefer that certs use an OID that makes it clear
how a key is to be used. How about the following text:

   Similarly, if the "alg" member is present, it MUST be consistent with

   the algorithm specified in the certificate.


But we could change this to “Similarly, if the “alg” member is present, it SHOULD correspond to the algorithm specified in the certificate.”  Or is that overly strong for some certificates and uses of them?

I prefer this text.

 Also, the name seems misleading since the chain MAY contain additional certs, and hence may not be a chain at all!

 

I’m not sure if I’m following you here.  Are you suggesting the possibility of having multiple certificates not chaining to one another in the representation?  This isn’t allowed by the specification, as written.  Are you suggesting that it needs to be allowed?


Thumbprint is the term used in the Windows libraries, such as http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.thumbprint(v=vs.110).aspx.  Whereas OpenSSL uses fingerprint http://www.openssl.org/docs/apps/x509.html.  I know that there would be an uproar if we tried to make a breaking change to the “x5t” name at this point, because it’s in widespread production use.  However, we could add language saying that certificate thumbprints are also known as certificate fingerprints, so people familiar with either term will know what this is.

Yes, do add that explanatory text.

The term “base64url” is incorporated by reference in the terminology section (Section 2).

 

Actually, Appendix C in JWS is not normative.  It’s just example code.  The normative definition of the encoding is in Section 5 of RFC 4648.

Then 4648 should be cited.

 

It used to be a “SHOULD” but the working group felt that the “MUST … unless” wording was a more accurate statement of the requirement.

I defer to the cognizant AD here, but the notion of SHOULD is really MUST ... unless ...

 

Section 8 (IANA Considerations) establishes a two-week review period for creating new (IANA) registry items. This seems too short; some people take multi-week vacations. I note that the same text appears in the JWS and JWE documents.

 

This text was taken from RFC 6749.

I didn't review that RFC. My comment still stands.

Aren’t appendices normally informative?

normally, but not always.

 We could be more explicit and talk about performing authenticated encryption.

please do.

Steve
--------------070805010902070802040207--