IETF Logo Mail Archive

[Secdispatch] Comments on draft-jordan-jws-ct-04.txt

Eric Rescorla <ekr@rtfm.com> Mon, 26 July 2021 16:28 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B14603A1DDB for <secdispatch@ietfa.amsl.com>; Mon, 26 Jul 2021 09:28:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lnTbfzNCZmKi for <secdispatch@ietfa.amsl.com>; Mon, 26 Jul 2021 09:28:41 -0700 (PDT)
Received: from mail-il1-x132.google.com (mail-il1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE2F73A1DD7 for <secdispatch@ietf.org>; Mon, 26 Jul 2021 09:28:11 -0700 (PDT)
Received: by mail-il1-x132.google.com with SMTP id y4so9566100ilp.0 for <secdispatch@ietf.org>; Mon, 26 Jul 2021 09:28:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=oTcDe4YxAwME2ZG8nE5Sg+BXd1M9bWbT+kQsU+P6rZ0=; b=PCpnd1yWbBRUiZxIxHVWF/yHw2MuLhyaCsO6/kLIZ0czzBfcLM1YPmYI+HYi3WgJnS FQ6Tuh5Jzn4xYx3Qz40Xx41C7vMZPG9pDOTIdt4FVbRYBWOo5gcFzLaBjt58+/NzpMiw d0t5iTH7Xx401tS+quuEdGnR+/ys25vzf21sT0NgIGgP/ppvU8hL3mvwMBdG4hkCIUTO /QVg3Vjz5IFQbPgaVBxEntPi1qAo4a2R/ARLrqRxt5qhHCJgQmEiQaaVBMz7uv77Y7UU hyWIBfc7RjXs/UZztpPdTNKMM7s9qaoxgES46GASo07Rph6ZT8Rz5R82waTWIIVCMxq3 ZZyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=oTcDe4YxAwME2ZG8nE5Sg+BXd1M9bWbT+kQsU+P6rZ0=; b=N4lMTCuVzNoOYk4WFBCNVNVtij4nd0Xv4sRXHNkGWY3TxUzHkSAo9LYFIAuMhIwGtL g/tClx1l5FjUdiLiOcG960yRHrKBx/4OAW4NKX9eLgKvIhgugAa35dS5DiJhvRE3MTyo 0iBN6fXCWUKw372JADKJY4vCXKOasnEOYWU3RhPDPKieAk3JIzMjCLnHNIAWST5i+rKq 8NJePTzVXfHv9BZ6QHpz9elj1zHfJ6HI4Uj5ml8S0/WVxaymBbY8EQPGp6xhr/zlz0/T fPEvQpZ+K14fVKS5WLEWERqTZR1WShKSJFa0gQ1MlDu2JmfGWxsViz+rORgtyjolnVy9 Gmkg==
X-Gm-Message-State: AOAM533lekdFLa2eQfXBI4fACsds52f2bwSD6iIoBiY7OgafpnGvFBsL +iKtq2DqzxhvVv7xWyHBtVEi5I+stT6qZMFbuqooByWF+2wOYoIz
X-Google-Smtp-Source: ABdhPJyL+px1Y+Y+lr9iwTqVG8CJxR0ATpf8n/l9JWjvYn7nKdsdLfp2yXMbAUeE0qKM74hylVDhPCnO71O/NcEm7ro=
X-Received: by 2002:a05:6e02:13d3:: with SMTP id v19mr14006182ilj.167.1627316890105; Mon, 26 Jul 2021 09:28:10 -0700 (PDT)
MIME-Version: 1.0
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 26 Jul 2021 09:27:33 -0700
Message-ID: <CABcZeBObr7ExGwCPMLJFqg3tdTegwmnmSVcr2pZ8uGoj=EBpyg@mail.gmail.com>
To: IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002c0c8005c8093d16"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/4ytfDlgwVVk95eO4jPZJCwjEH7w>
Subject: [Secdispatch] Comments on draft-jordan-jws-ct-04.txt
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jul 2021 16:28:46 -0000

I took a quick look at this document and I continue to have the same
concerns about the overall approach I had previously, namely that
having allegedly signed data available in the "clear" is not in fact a
feature because we want people to validate the signature before
accessing the data and the validation process can then emit the
validated signed data. For these reasons, I do not believe that this
should be published by the IETF. If you feel it is important to have
an RFC, I would suggest the Independent Stream.


With that said, a few other finer-grained comments below.


S 2.

   Note that this document is not on the IETF standards track.  However,
   a conformant implementation is supposed to adhere to the specified
   behavior for security and interoperability reasons.  This text uses
   BCP 14 to describe that necessary behavior.

Is the point here that you don't want a ST document or are you
merely acknowledging that it is not one?


S 3.1.2.
I understand why canonicalization is required if you want to move
around cleartext JSON (ignoring the wisdom of this), but IMO
you're doing this at the wrong layer. Rather than having the
signing/validation system do canonicalization, instead
require that your system pass JSON "unmodified". This leaves
the implementor with two choices:

- Actually have a clear path through the system
- Canonicalize at the beginning and the end (thus effectively
  undoing whatever damage was done)

You can then define the signature system as just operating on the
text as given without requiring it to depend on canonicalization.


S 3.1.4.
It's not a good design to mix the metadata for the signed
object with the object itself as you do in S 3.1.3. This
makes the problem of the user understanding what is authenticated
and what is not even more difficult (for instance, what if
you need a key identifier or some other thing that isn't the
signature?).

I get that you want to decorate existing structures, but for
the reasons above, I think that's bad and you should instead
nest them as JWS contemplates. If we must decorate, we
should instead have a single standardized key which holds
its own structure that contains all signature-related
data.

v2.23.0 | Report a Bug | By Email