Skip to main content

Minutes for JOSE at IETF-88
minutes-88-jose-4

Meeting Minutes Javascript Object Signing and Encryption (jose) WG
Date and time 2013-11-07 17:00
Title Minutes for JOSE at IETF-88
State Active
Other versions plain text
Last updated 2013-12-08

minutes-88-jose-4
Minutes for JOSE WG @ IETF 88
Thursday 7 November 2013, 0900-1130 PST

Jim Schaad and Karen O'Donoghue called the meeting to
order. The Note Well was presented, and the blue sheets
circulated. Peter Yee agreed to take the minutes, and
Joe Hildebrand volunteered as the jabber scribe.

The chairs covered the current status of the working
group. The use cases document has been sent to the IESG.
The JWS, JWE, JWK, and JWA have had a total of 185
issues (many with multiple parts) entered against them.
There are 129 closed issues. The co-chairs and editor
have had several meetings this week and previously
resulting in agreements for 49 issues. These issues are
either awaiting editor implementation, awaiting
implementation verification, or awaiting external input
or verification. The remaining 7 issues will be
discussed today.

#54 (JWA), #55 (JWA), #141 (JWS)
All three of these are related to the concat issue. Jim
Schaad wants to separate nonce from PartyUName and is
concatenated to it to form the PartyUInfo.  Default
PartyUName and PartyVName should be 'Sender' and
'Recipient' respectively, to deal with the NIST Concat
algorithm specification.  The current scheme is that the
nonce is built into the PartyUName and PartyUInfo is the
same as PartyUName.  And currently, PartyUName and
PartyVName default to empty strings.  Mike Jones and
Richard Barnes disagree with the nonce scheme.  While
JOSE has already deviated from the NIST specification,
the question comes down to whether a FIPS-compliant
usage is possible.  Sean Turner doesn't feel hard over
on the point.  Schaad's changes are not adopted,
although one edit to [do something] will be made.

#74-C (JWK)
If a JWK has only an x5u member in it, is this a legal
construct and how does one say this matches a bare
public key?  What is the minimum set of fields must be
present in the JWK.  Barnes: a JWK for private/public
key should always specify the public key fields.   Matt
Miller: the kty should be specified.  And having the
full key is of great benefit.  Jones: the document
already says that use of the key types is required and
for specific algorithms the required fields are listed,
so X.509 carriage doesn't contravene those requirements.

#77
'x5c' requirements are that certs are in chain but don't
have to form a complete chain.  An incomplete chain
requires cert chain building.  Should we just say the
certs are in a bag and not a chain except that the first
cert must be the end-entity cert.  Barnes: TLS does
something similar to what's in our document now.
Schaad: does TLS require a full chain to be present.
Barnes: everything except the self-signed root (which
you already have) must be included (paraphrased by
Schaad).  Miller: the chain just needs to be present up
to the point where the software has sufficient data to
complete the chain or agree that it trusts the chain.
Bags would be much worse without a lot of benefits.
John Bradley: chain checking is hard enough now; bags
won't make that easier.  Schaad: the language will not
be changed but will checked to see that it is clear in
the case of partial chains.

#93
Non-normative appendix to JWS that summarizes the ways
to find a key based on fields in messages and JWK
structures.  Schaad's proposal enumerates the ways he
has been told that keys could be found, but he may have
missed something.  Barnes gave a smaller set of ways
that he believes are sufficient if not as complete.
Brian Campbell: clarification: finding a key is not the
same as trusting a key.  Miller: good point.  For trust,
make sure keys are fetched over HTTPS unless they were
integrity protected within the message.  Barnes'
proposal is pretty solid and software that doesn't
understand x5u and x5t should drop processing them.
Barnes: The focus for this spec is making the crypto
work.  Authentication systems can be layered on top of
that.  Campbell: I'm not looking for exhaustive trust
establishment text, just a note of caution.  Jones: From
Turner: a key is only as trusted as the method by which
it was obtained.  Miller: I agree with Jones.  Maybe the
topic of trust should be addressed at the beginning of
the paragraph.  How to establish trust in keys is a big
rathole. Robin Wilton: we need to be sensitive to the
idea that an EE platform notices a software agent
looking for key stores might be indistinguishable from
an attack.  Jones: Agreed, we don't want to down the
rathole of specifying trust methods.  Turner: don't say
how it is done, but say that it should be done and to
what level it should be done.  Schaad: this item will
stay open until a volunteer supplies text.

#114-C Section 4.1.10 'crit'
If an extensions is place in a 'crit' header, must that
extension be signed?  Currently there is no statement
requiring that.  Bradley: it makes as much sense as
saying can optionally not be integrity protected.  Not
terribly enthusiastic.  Certainly the 'crit' field has
to be protected or it doesn't mean anything, but not
sure of enforcing that the extension is integrity
protected.  But I could also go with integrity protected
everything.  Joe Hildebrand: I could see protecting
everything.  Barnes: I don't see a need for normative
protection, but guidance okay.  Jones: people seem to be
saying that guidance that should say 'crit' could be
integrity protected.  Bradley: there is a community that
says you should always protect everything, but there are
others who don't think this is required.  A
recommendation for integrity protection unless there's a
need not to would be pretty well received.  Jones: in
Denver we came to a compromise that maximize consensus
and I'm against reopening the point for this particular
questions.  Hildebrand: agreed, no need to relitigate
this point.  Schaad: so this one will be closed as
'won't fix'.

Next steps:
Jones will get a version of the document out in the next
week with all changes he has to date.  Jones: there are
hundreds of changes to be made, but I will get out a
version that covers the changes to the normative text,
especially in regards to the MtI text.  We would then be
done with changing normative requirements.  Schaad: The
full document with edits is targeted for mid-December.
Jones: Agreed.  O'Donoghue: mid-December would be when
we close all issues except for the one that Brian will
open today and #93 which needs text.  Jones: I don't
want to make promises I can't keep due to other
commitments, so I'll get the near-term changes next week
and the full version of the document by the end of the
year.  Schaad: an interim meeting makes sense after the
full document is out.  Proposing January 13, 2014 for a
virtual interim meeting.

Cookbook Document:
Schaad: our charter calls for a cookbook document, which
hasn't shown up yet.  Our AD requested this.  Not sure
what goes into it.  We need to decide to do about that
charter requirement.  Miller: I was one of the ones
asked to work on it and I have batted ideas around with
Barnes.  There would be solid examples of the large
number of permutations that are possible.  Turner: one
example of how to make an interoperable system suffices.
Two is fine but not necessary.  Barnes: this would be a
document showing how to use all of the different
features we have in our documents.  There might be
guidance on how to create an application using the JOSE
tools.  Turner: this document just needs to get us
through the IESG process, it doesn't have to be
encyclopedia.  Miller: will get together with Turner to
discuss further.

 Jones: Signing detached content came up on the mailing
list and should be discussed here.  Schaad: I sent out
to the list on this idea.  Jones had a different way of
doing things.  Schaad replied with some minor edits to
Jones' text.  Barnes: this is too complicated.  It
should be just you slice off the payload and tell people
how to put it back.  There's no need to this 'hash
thing', but it's really more complicated than necessary.
Jones: we had discussed that with the hash-based method,
the application has to know which hash function to use.
That would require JOSE names for those functions.  I
had thought we could do that, but it seems like
undesirable scope creep.  I would be amenable to
dropping my second method.  Schaad's method has no
normative effect on JOSE libraries, so it should be an
appendix.  Schaad: an appendix is fine.  Barnes: agreed,
this is suggestions on how to build an application.  It
could even go in the cookbook.  Miller: +1.  Schaad: the
indirect signature version will be removed and the
detached signature version will be placed in an
appendix.
 Barnes: once the cookbook is done, are we finished?

 Turner: use case document going forward is great for
the IESG.  Will the rest of the documents go forward at
once.  Schaad: only the cookbook may be late.  Turner:
good.  Barnes: would the cookbook make the other four
documents be easier for the IESG to understand?  Turner:
probably, but I'm willing to push it as I'm a lame duck.
Barnes: not so worried about IESG concerns, but we could
try to accelerate the cookbook document to help with
getting the other documents through the IESG.  Schaad:
when could you have a rough draft ready.  Miller: if we
sit down this week, we could probably have enough time
to have an outline before we leave the meeting.  The
actual document could be ready in January.

The meeting adjourned.