Re: [jose] Proposal about the SPI proposal

Mon, 11 Feb 2013 11:55:32 -0800 

+1 to SPI being a separate I-D, for discussion purposes.

Having thought about this, I feel like there are a number unanswered questions 
about this proposal, and that writing it up concretely would be useful to help 
the working group identify and address them and determine the best path forward.

These questions/issues include:
  - What are the security implications of repeatedly reusing the same CMK and 
IV and how can/should they be mitigated?
  - Is having the absence of an "alg" field, paired with the presence of an 
"spi" field the best way to handle this?
  - What are the complexity implications of having JWEs no longer contain a 
fixed set of field?
  - Would JWSs similarly have a different number of fields?
  - Indeed, is the proposal even applicable in the JWS case, or does it only 
make sense for JWEs?
  - What are the motivating use cases for this functionality?
  - What syntax would be used for the "spi" parameter?  Unrestricted Unicode 
strings?  Base64url-encoded byte strings?  UUIDs? ...

                                                                Thanks,
                                                                -- Mike

From: [email protected] [mailto:[email protected]] On Behalf Of John 
Bradley
Sent: Monday, February 11, 2013 11:45 AM
To: Brian Campbell
Cc: [email protected]
Subject: Re: [jose] Proposal about the SPI proposal

I agree that doing it as a new I-D is better than trying to fit it in without 
sufficient thought.

John B.

On 2013-02-08, at 8:01 PM, Brian Campbell 
<[email protected]<mailto:[email protected]>> wrote:


Maybe this was apparent from my comments/questions on the SPI proposal over the 
last couple days[1] but I have concerns that run the gamut from operational 
complexity and fragility to security problems. I believe strongly that, without 
considerably more analysis and specification detail, the current SPI work is 
much too risky to consider go in the current base JOSE WG drafts.
As an alternative I'd like to request/propose that the SPI stuff be submitted 
as new I-D to help facilitate that additional discussion and analysis that I 
think it needs.

Thanks,
Brian

[1] http://www.ietf.org/mail-archive/web/jose/current/msg01500.html
_______________________________________________
jose mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/jose


_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose

Reply via email to