Re: [secdir] [jose] SECDIR review of draft-ietf-jose-json-web-key-31

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 25 September 2014 14:25 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1A6B1A6F0B; Thu, 25 Sep 2014 07:25:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xdteSdJd7qUw; Thu, 25 Sep 2014 07:25:07 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A65F81A6FE9; Thu, 25 Sep 2014 07:25:06 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id p9so12097721lbv.17 for <multiple recipients>; Thu, 25 Sep 2014 07:25:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DvfXRLI2wLcRBHEGzt6egmef5+kWWdzOiuI3kjmdd/8=; b=mHI1eeqHVaREzGufD90OyI+yfbdsgEZcLRbofPqHBhognq/f60YlQRFogT7XS+Q+4g a1lgNtSG3jTjSOQFnF1+5MlDYjLX9jTk9qkjEYOCU8Kjc3JFAYO+Pp9STcRvuv4iRo7o SSZEVl5kZ6MYifUjcgV5dQotfDuJiNufCR7xKmW47SlsupicyullzpnuSKZGSK8FPLyD OYtsth2/uZN1OltS3Gfa/QId1LYRsIGIz7I+ltNDbwKyaqDMxbQ1MvxT7nIkKwluyroh oZSKa0C7sXOG/YgcYt4H39elQcBdav+FC290TF2X8TMpkve/l4Bnt5d5PQp6yr0oD/ej KMpA==
MIME-Version: 1.0
X-Received: by 10.152.4.165 with SMTP id l5mr13841621lal.49.1411655104889; Thu, 25 Sep 2014 07:25:04 -0700 (PDT)
Received: by 10.112.41.233 with HTTP; Thu, 25 Sep 2014 07:25:04 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BA6F3C8@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739439AEB89F6@TK5EX14MBXC292.redmond.corp.microsoft.com> <5411BC12.9040808@bbn.com> <4E1F6AAD24975D4BA5B16804296739439BA6F3C8@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Thu, 25 Sep 2014 10:25:04 -0400
Message-ID: <CAHbuEH4UAmC9eJeW+DRF5hYqiJBy1irkddNdrtKDLu6gA4JVVQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="089e0141a1a01289800503e4914d"
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/qOWTZ_-tIVrlHZqnbN1O0HSemNY
Cc: "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "Moriarty, Kathleen" <kathleen.moriarty@emc.com>, "jose@ietf.org" <jose@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] [jose] SECDIR review of draft-ietf-jose-json-web-key-31
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Sep 2014 14:25:12 -0000

Hi Mike,

It appears that the explanation for thumprints/fingerprints was not
included in the current version and was agreed to.  This came up several
times in reviews and I think it would be helpful for the reader.  Let me
know if I missed something or if this was an oversight and it will be
addressed in the next revision.

Also, there is some suggested text from Steve on "alg" members.  Where does
that stand?  I think I am missing the resolution.

These issues are in the email thread right next to each other.

Thanks!

On Tue, Sep 23, 2014 at 7:40 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

>  Thanks again for your review, Stephen.  The resolutions discussed below
> have been incorporated in draft -32.
>
>
>
> See the thread “JWK member names, was: [jose] SECDIR review of
> draft-ietf-jose-json-web-key-31” for the status of that particular issue.
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* Stephen Kent [mailto:kent@bbn.com]
> *Sent:* Thursday, September 11, 2014 8:13 AM
> *To:* Mike Jones; secdir@ietf.org; jose-chairs@tools.ietf.org; Moriarty,
> Kathleen
> *Cc:* jose@ietf.org
> *Subject:* Re: SECDIR review of draft-ietf-jose-json-web-key-31
>
>
>
> Mike,
>
> Thanks for the reply to my comments.
>
> I've retained your replies and responded to them, below.
>
>
> I agree that “employing countermeasures to” is more accurate than
> “preventing”.  I also agree that the “avoiding mistakes” language is not
> actionable – I propose to just remove it.
>
> Great.
>
>    Actually, it was spoken by then-Security AD Sean Turner. ;-)
>
> gee, I thought Sean was wise, but I didn't realize he was a Jedi ;-).
>
>  How about changing “data associated with a key” to “data
> cryptographically secured by a key”?  (And of course, deleting the
> extraneous “than”.)
>
> OK.
>
>   The wording above is needlessly awkward. Nonetheless, this says that
> key sets containing symmetric or private keys should be encrypted by
> embedding them in another JSON crypto format (JWE). It would be nice to add
> that this implies a that there is secure way to deliver the needed
> decryption key for the JWE, else this recommendation just adds a layer of
> indirection, and does not solve the problem.
>
>  Fair enough.  I propose that we add something along those lines.
>
> OK, I look forward to seeing the revised wording here.
>
>  Section 9.3 discusses a countermeasure against a specific attack on RSA
> key use. This seems unduly narrow, since this spec is intended for use with
> RSA, DH, DSS, and ECDH keys. Why devote a long paragraph to this one issue,
> while saying nothing about equally serious concerns that arise for other
> algorithms?
>
>
>
> This particular attack is described both because the countermeasure
> requires specific key representation actions and because a working group
> member asked it to be included.  For what it’s worth, I expect that
> additional security considerations will be added when resolving Russ
> Housley’s gen-art review of the JWS specification.
>
> If comparable alg-specific countermeasures are added based on Russ's
> comments then
> this may be OK, but in isolation this RSA-specific attack seem out of
> place.
>
>   These non-goals were agreed to by the working group from the very
> beginning, while the working group was still being chartered.  The group
> wanted to build something simple and easily deployable to represent keys in
> JSON – not reinvent all the work that the PKIX working group did on
> certificates and certificate chains, etc.  Do any working group members
> want to suggest specific wording to try to capture this sentiment?
>
> OK.
>
>   The example that comprises Section 3 should include an explanation of
> the parameters, else it’s not a great example.
>
>
>
> The parameters and values of them are explained in the paragraph preceding
> the example text.  It says:
>
>
>
>    The following example JWK
>
>    declares that the key is an Elliptic Curve [DSS <https://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#ref-DSS>] key, it is used with
>
>    the P-256 Elliptic Curve, and its x and y coordinates are the
>
>    base64url encoded values shown.  A key identifier is also provided
>
>    for the key.
>
>
>
> Each statement above corresponds to a parameter in the example, and in the
> same order.
>
> OK. I missed that.
>
>  I suppose that one option is to be more verbose above and add
> parenthetical remarks after each statement above saying which parameter
> does this.  So for instance, the parenthetical phrase “(“kty” parameter)”
> could be added before the first comma.  Do others in the working group
> think that would make the example easier to read, harder to read, or do any
> of you have an alternative suggestion?
>
> I defer to the WG on this presentation issue.
>
>    In addition to the common parameters, each JWK will have members that
>
>   are algorithm-specific.
>
>
>
> They’re not algorithm-specific – they’re key type-specific.  Another way
> of eliminating the repeated use of the word “parameters” is to replace the
> second sentence with “These members represent the key value”.  Would that
> work for you (and the working group)?
>
> Yes, I meant key-type specific. But if one were to use that term instead
> of "algorithm specific"
> I still think my wording is better.
>
>  This topic has been heavily discussed by the working group, and while
> the specs used to just say that objects with duplicate member names MUST be
> rejected, working group members, including Tim Bray (the editor of the JSON
> spec), prevailed on us to weaken this so that parsers that implement the
> ECMAscript behavior of returning only the last member name may be legally
> used.  (The argument was made that there was more security downside in
> effectively requiring people to write and debug their own strict parsers
> than in using laxer, but well-supported and debugged parsers.)
>
> I find that argument unpersuasive, but I defer to the cognizant Ad on this.
>
>  However, we also intentionally require that producers use only one
> instance of each member name, so that legally produced objects will never
> exercise the ambiguities that are present in real JSON parsers.  That
> seemed to be the most practical solution to the working group.
>
> Based on year of experience in PKIX that is not a great solution. If the
> consumer of a data
> structure fails to strictly enforce the requirement imposed on the
> producer of the data structure,
> the result is that non-conforming producers do not receive "appropriate"
> feedback.
>
>
> The term "Collision-Resistant Name" is already present in the Terminology
> section.  However, previous reviewers had requested that definitions not be
> repeated in multiple specs, so it’s incorporated by reference, rather than
> repeating the definition here.  The notion is that of an implementation
> wants to use a collision-resistant name such as “
> http://names.example.com/the-name”, it can do so without having to create
> a public specification and register the name with IANA.
>
> I found the definition by reading one of the other specs, but I didn't see
> a clear explanation of
> why this is a reasonable alternative to using an IANA registry. The text
> above does still does
> not provide a rationale.
>
>   I agree that the “SHOULD” language is awkward.  Rather than saying
> “SHOULD be used”, we could change it to just say “is used”.
>
> OK.
>
>  Would the language “The “alg” member can be used to specify the
> cryptographic operation that the key is intended to be used for” work
> better for you?  Or would people like to just see the parenthetical remark
> deleted?
>
> How about:
>
> The "alg" member is used to specify the algorithm with which the key is to
> be used.
>
>   Section 4.5 defines the key_ops parameter. It’s not clear how this
> parameters and “use” relate. There is also an odd sentence at the end of
> the first paragraph:
>
>
>
>    The "key_ops" parameter is intended for use cases in which public,
>
>    private, or symmetric keys may be present.
>
>
>
> This seems to encompass all of the types of keys that JWK carries, so the
> sentence seems to add no useful qualification for when this parameter is
> intended to be used.
>
>
>
> This is in contrast to the related statement in the “use” definition:
>
>
>
>    The "use" parameter is intended for use cases in which
>
>    it is useful to distinguish between public signing keys and public
>
>    encryption keys.
>
> Too subtle for me, and the language above seems a bit wimpy. Why not say:
>
> The "use" parameter is employed to indicate whether a public key is for
> encrypting
> data or verifying the signature on data.
>
>   If you want to see this parameter name changed, you’ll need to file a
> bug against the WebCrypto spec and get it changed there.  Then I’m sure
> that JOSE will gladly follow.
>
> My request is directed to the IESG, suggesting that they take this action.
>
>
>
>  This specification will be used both in open environments, in which
> multiple organizations will need to have a common understanding of any
> extensions used, and closed environments, which the producing and consuming
> organization will always be the same and private values could be safely
> used.  IANA registration is definitely the right thing to do for open
> environments.  It’s probably unnecessary for deployments in closed
> environments.
>
> Then say this.
>
>  Same answer as for Section 4.
>
> ibid.
>
>  “Can” is being used as a non-2119 synonym for “MAY” here.  That being
> said, we could just change “can be” to “is”, since it’s explicitly said
> that its use is optional at the end of the paragraph.
>
> please revise accordingly.
>
>   It’s the inclusion of other metadata about the key that might improve
> interoperability that’s being referred to – not the inclusion of the cert
> reference.  For instance, including “use” or “alg” parameters might be
> useful to applications that can’t process the certificate.
>
> that's not what the text said, hence my confusion.
>
>  As for the cert vs. cert chain question, in the general case, a chain
> may be required to establish trust.  However, a chain of length one (a
> single certificate) will also be sufficient in some use cases.  We’re not
> inventing anything new here.  The data format is specified in RFC 1421.
>
> could you point specifically to where 1421 uses two names to identify
> equivalent data structures
> for transport of certs/cert chains? I trued a quick search of the text and
> didn't locate the
> text to which you appear to refer.
>
>   I had thought there were uses of RSA keys where the same key is used
> both for signing and encryption (even though this is a deprecated practice).
>
> Yes, that practice is frowned upon, and we prefer that certs use an OID
> that makes it clear
> how a key is to be used. How about the following text:
>
>
>     Similarly, if the "alg" member is present, it MUST be consistent with
>
>    the algorithm specified in the certificate.
>
>
>
>  But we could change this to “Similarly, if the “alg” member is present,
> it SHOULD correspond to the algorithm specified in the certificate.”  Or is
> that overly strong for some certificates and uses of them?
>
> I prefer this text.
>
>   Also, the name seems misleading since the chain MAY contain additional
> certs, and hence may not be a chain at all!
>
>
>
> I’m not sure if I’m following you here.  Are you suggesting the
> possibility of having multiple certificates not chaining to one another in
> the representation?  This isn’t allowed by the specification, as written.
> Are you suggesting that it needs to be allowed?
>
>
>
>  Thumbprint is the term used in the Windows libraries, such as
> http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.thumbprint(v=vs.110).aspx.
> Whereas OpenSSL uses fingerprint
> http://www.openssl.org/docs/apps/x509.html.  I know that there would be
> an uproar if we tried to make a breaking change to the “x5t” name at this
> point, because it’s in widespread production use.  However, we could add
> language saying that certificate thumbprints are also known as certificate
> fingerprints, so people familiar with either term will know what this is.
>
> Yes, do add that explanatory text.
>
>  The term “base64url” is incorporated by reference in the terminology
> section (Section 2).
>
>
>
> Actually, Appendix C in JWS is not normative.  It’s just example code.
> The normative definition of the encoding is in Section 5 of RFC 4648.
>
> Then 4648 should be cited.
>
>
>
> It used to be a “SHOULD” but the working group felt that the “MUST …
> unless” wording was a more accurate statement of the requirement.
>
> I defer to the cognizant AD here, but the notion of SHOULD is really MUST
> ... unless ...
>
>
>
> Section 8 (IANA Considerations) establishes a two-week review period for
> creating new (IANA) registry items. This seems too short; some people take
> multi-week vacations. I note that the same text appears in the JWS and JWE
> documents.
>
>
>
> This text was taken from RFC 6749.
>
> I didn't review that RFC. My comment still stands.
>
>  Aren’t appendices normally informative?
>
> normally, but not always.
>
>   We could be more explicit and talk about performing authenticated
> encryption.
>
> please do.
>
> Steve
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>


-- 

Best regards,
Kathleen