Responses to the Security Considerations wording issue are inline below (with the text unrelated to this issue removed for brevity)…
From: Kathleen Moriarty [mailto:[email protected]] Sent: Friday, June 13, 2014 2:08 PM To: Mike Jones Cc: [email protected] Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms On Fri, Jun 13, 2014 at 4:26 PM, Mike Jones <[email protected]<mailto:[email protected]>> wrote: I didn’t reword the introductions. I thought that your issue was that you wanted additional security considerations to be described, which has now been done. I’ll go back and re-read your comments and see if I can work out what additional changes you were requesting there. Thank you, when you go back you'll see the request was two-fold. Thanks, I think it will help the intro read better! >> Security Considerations: While it is true the content is covered in >> other places, this section could benefit from improvement before it >> goes to the SecDir review. The second sentence in the first >> paragraph >> says the >> following: >> >> Among these issues are >> protecting the user's private and symmetric keys, preventing >> various >> attacks, and helping the user avoid mistakes such as inadvertently >> encrypting a message for the wrong recipient. >> > >> It would be helpful if you could expand the text and make it more >> descriptive and applicable to this document. For example, shouldn’t >> the first section say user’s private asymmetric and symmetric keys? >> I >> assume that is what was intended with private, but it reads funny to >> me without that. The only ‘attack’ or caution mentioned in the >> document is for the application to prevent a user from selecting the >> wrong key. Please include some attacks that developers and >> implementers should be aware and cautioned on, or state that specific >> attacks and considers are detailed in the subsections to follow. >> >> Mike> OK, I can work on expanding that. There are some other attacks >> mentioned in the other drafts, such as timing attacks, which can >> probably at least be mentioned here. I’ll send draft text to the >> list >> and consult with you before doing anything to the actual drafts. >> Specific suggestions from working group participants would also be >> highly appreciated. The Security Considerations section requires updating, let me know when this has been done. Thanks! Mike> The current introduction to all the JOSE security considerations sections says: All of the security issues faced by any cryptographic application must be faced by a JWS/JWE/JWK agent. Among these issues are protecting the user's private and symmetric keys, preventing various attacks, and helping the user avoid mistakes such as inadvertently encrypting a message for the wrong recipient. The entire list of security considerations is beyond the scope of this document, but some significant considerations are listed here. (And the JWT Security Considerations introduction is the same, other than also speaking about JWTs.) Now that the -27 drafts contain beefed-up text describing specific security considerations apropos to each draft, I believe that the best way to address the other part of your two-fold comment is simply to delete the second sentence (beginning “Among these issues”). I agree with you that it doesn’t add any value at this point. Do you agree with that proposed resolution, Kathleen? Best regards, Kathleen Have a good weekend! -- Mike
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
