
Last Call Review of draft-ietf-jose-fully-specified-algorithms-08
review-ietf-jose-fully-specified-algorithms-08-secdir-lc-moriarty-2025-03-25-00

Request: Review of draft-ietf-jose-fully-specified-algorithms
Requested revision: No specific revision (document currently at 13)
Type: IETF Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2025-03-07
Requested: 2025-02-21
Authors: Michael B. Jones, Orie Steele
I-D last updated: 2025-05-13 (Latest revision 2025-05-11)
Completed reviews:
   Secdir IETF Last Call review of -08 by Kathleen Moriarty
   Genart IETF Last Call review of -07 by Vijay K. Gurbani
   Artart IETF Last Call review of -07 by Jiankang Yao
Assignment: Reviewer Kathleen Moriarty
State: Completed
Request: IETF Last Call review on draft-ietf-jose-fully-specified-algorithms by Security Area Directorate Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/QIcm7NwIllF-GRjgOg3zdXnT5Co
Reviewed revision: 08 (document currently at 13)
Result: Has issues
Completed: 2025-03-25
Greetings!

Sorry for my late review. In reviewing the draft, there are 2 easily resolvable
findings. The first is that the term "cross mode" is used and never defined.
Tracing back to the reference provided, the closest I could find to "cross
mode" was the following text in RFC 9459:
   "To avoid cross-protocol concerns, implementations MUST NOT use the
   same keying material with more than one mode.  For example, the same
   keying material must not be used with AES-CTR and AES-CBC."
Matching the language or providing a definition would help to resolve this
concern.

Second, as I was reading the draft, another security consideration became clear
and should be added. An attacker can easily avoid fingerprinting detection or
signature detection by rotating the ciphersuite whether it be defined or
polymorphic. If programmed to rotate, then the results will look different.
Awareness of flexibility in protocols to conduct attacks should be explicitly
stated so that OWASP can write up mitigations sooner rather than later when
attacks become prevalent.

Thank you for addressing the concerns! I did check "Has issues", but do think
these are very easily addressed.

Best regards,
Kathleen
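The review's first finding turns on the RFC 9459 rule that keying material must not be used with more than one mode, which is the same concern the fully-specified-algorithms draft addresses by giving each algorithm an identifier that pins every parameter. The following is an added example, not code from the draft, from RFC 9459, or from the reviewer: it shows a key store that binds each key to exactly one fully-specified "alg" and refuses a JOSE header that asks for a different algorithm or for a polymorphic one. The algorithm table is a deliberately small assumption (the "EdDSA" identifier is polymorphic over the curve, while "Ed25519", "Ed448" and "ES256" are fully specified); it is not a copy of the IANA registry.

```python
"""Added example: binding a key to one fully-specified algorithm.

Illustrative code, not the draft's or RFC 9459's own. The algorithm
table below is an assumption for this example only.
"""
from dataclasses import dataclass

# Polymorphic identifiers leave a parameter (here the curve) to the key;
# fully-specified identifiers pin it. Assumed table, not the IANA registry.
POLYMORPHIC = {"EdDSA": {"Ed25519", "Ed448"}}
FULLY_SPECIFIED = {"Ed25519": "Ed25519", "Ed448": "Ed448", "ES256": "P-256"}


@dataclass(frozen=True)
class BoundKey:
    """A key plus the single fully-specified algorithm it may serve."""
    kid: str
    curve: str   # the key's own parameter, as a JWK would carry it in "crv"
    alg: str     # the one algorithm this key is allowed to be used with

    def __post_init__(self):
        if self.alg in POLYMORPHIC:
            choices = sorted(POLYMORPHIC[self.alg])
            raise ValueError(f"{self.alg} is polymorphic; bind the key to one of {choices}")
        if self.alg not in FULLY_SPECIFIED:
            raise ValueError(f"unknown alg {self.alg}")
        if FULLY_SPECIFIED[self.alg] != self.curve:
            raise ValueError(f"alg {self.alg} does not match key curve {self.curve}")


class KeyStore:
    """Keys indexed by kid; each kid maps to exactly one BoundKey."""

    def __init__(self):
        self._keys: dict[str, BoundKey] = {}

    def register(self, key: BoundKey) -> None:
        if key.kid in self._keys:
            raise ValueError(f"duplicate kid {key.kid}")
        self._keys[key.kid] = key

    def resolve(self, header: dict) -> BoundKey:
        """Resolve a JOSE header to a key, refusing cross-mode use.

        The header's "alg" must be fully specified and must equal the
        algorithm the key was bound to at registration time.
        """
        kid, alg = header.get("kid"), header.get("alg")
        key = self._keys.get(kid)
        if key is None:
            raise LookupError(f"unknown kid {kid}")
        if alg in POLYMORPHIC:
            raise ValueError(f"header alg {alg} is polymorphic; a fully-specified alg is required")
        if alg != key.alg:
            raise ValueError(f"key {kid} is bound to {key.alg}, header asks for {alg}")
        return key


def check_header(store: KeyStore, header: dict) -> str:
    """Return 'ok' if the header may use its key, else 'rejected: <reason>'."""
    try:
        store.resolve(header)
        return "ok"
    except (LookupError, ValueError) as exc:
        return f"rejected: {exc}"


def demo_store() -> KeyStore:
    """Constructed sample store with one Ed25519 key (kid is made up)."""
    store = KeyStore()
    store.register(BoundKey(kid="k1", curve="Ed25519", alg="Ed25519"))
    return store


if __name__ == "__main__":
    store = demo_store()
    for hdr in ({"kid": "k1", "alg": "Ed25519"},   # bound algorithm: accepted
                {"kid": "k1", "alg": "EdDSA"},     # polymorphic: rejected
                {"kid": "k1", "alg": "ES256"},     # different mode: rejected
                {"kid": "k9", "alg": "Ed25519"}):  # unknown key: rejected
        print(hdr, "->", check_header(store, hdr))
```

The design point is that the binding happens once, at registration, so a caller cannot later pair the same key bytes with a second algorithm by changing the header; that is the operational form of the "MUST NOT use the same keying material with more than one mode" rule.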