Re: [jose] #20: Shorter names for JSON serialization

[Manger, James H]

RFC 4106 “GCM in IPsec ESP” uses the terms “IV” and “nonce”. It uses “nonce” 
for the 12-byte quantity used in the GCM algorithm, and “IV” for an 8-byte 
subset of that. That is, it uses “nonce” for the value JWE currently labels 
“iv”.

RFC 4106 section 2 “AES-GCM” says:
   For clarity, we refer to the AES-GCM IV as a
   nonce in the context of AES-GCM-ESP.  The same nonce and key
   combination MUST NOT be used more than once.
In section 4:

   The nonce passed to the GCM-AES encryption algorithm has the

   following layout:

There is some unavoidable historical confusion with the terms “iv” and “nonce” 
(even whether IV means initialization vector or initialization value). In my 
opionion, the RFCs that do the best job of avoiding confusion are the one using 
“nonce”.

--
James Manger

From: jose-boun...@ietf.org [mailto:jose-boun...@ietf.org] On Behalf Of Mike 
Jones
Sent: Wednesday, 8 May 2013 10:37 AM
To: Manger, James H; Richard Barnes; Jim Schaad
Cc: draft-ietf-jose-json-web-encrypt...@tools.ietf.org; jose issue tracker; 
jose@ietf.org
Subject: Re: [jose] #20: Shorter names for JSON serialization

http://tools.ietf.org/html/rfc4106 calls it “Initialization Vector (IV)” so I 
think the reasonable choices are either “initialization_vector” (the current 
name) or “iv” (the possible shortened name).  “Nonce” means very different 
things in other protocols, so I think we really should steer completely clear 
of it, to prevent confusion.

                                                            -- Mike

From: Manger, James H [mailto:james.h.man...@team.telstra.com]
Sent: Tuesday, May 07, 2013 5:34 PM
To: Mike Jones; Richard Barnes; Jim Schaad
Cc: 
draft-ietf-jose-json-web-encrypt...@tools.ietf.org<mailto:draft-ietf-jose-json-web-encrypt...@tools.ietf.org>;
 jose issue tracker; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] #20: Shorter names for JSON serialization

How about “nonce”, instead of “iv”?

“nonce” is used for the equivalent field in other RFCs about AEAD algorithms: 
RFC 5116 AEAD, RFC 5297 SIV, RFC 3610 CCM. Some of these use the name “IV” for 
different things than the AEAD nonce.
NIST 800-38D GCM does uses “IV”, though it is defined as “A nonce that is 
associated with an invocation of authenticated encryption on a particular 
plaintext and AAD”. RFC 5084 “CCM & GCM in CMS” even says:
  “To have a common set of terms for AES-CCM and AES-GCM, the AES-GCM IV is 
referred to as a nonce in the remainder of this document.”

--
James Manger

From: jose-boun...@ietf.org<mailto:jose-boun...@ietf.org> 
[mailto:jose-boun...@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, 8 May 2013 7:41 AM
To: Richard Barnes; Jim Schaad
Cc: 
draft-ietf-jose-json-web-encrypt...@tools.ietf.org<mailto:draft-ietf-jose-json-web-encrypt...@tools.ietf.org>;
 jose issue tracker; jose@ietf.org<mailto:jose@ietf.org>
Subject: Re: [jose] #20: Shorter names for JSON serialization

What about “iv” and “tag”?  For the other names, I’d actually prefer staying 
with those that are full words rather than those that are abbreviations of 
words, since they’re more descriptive.  But I agree that 
“initialization_vector” and “authentication_tag” were overkill.

                                                            -- Mike

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose