My problem is that MUST NOT send means nothing to an attacker. Esp. if the attacker is the message originator. The only meaningful enforcement of any of this is going to be by the recipient. If the recipient cannot enforce this restriction, then it will always be open to some type of attack from duplicate keys.
I would note that the MUST NOT for reordering of fields is not a JSON requirement but only a JavaScript requirement. So an intermediate agent can read in and re-order the fields if it writes them out and not have a problem with the JSON specifications. Jim From: jose [mailto:[email protected]] On Behalf Of Tim Bray Sent: Monday, September 15, 2014 2:21 PM To: John Bradley Cc: [email protected]; Stephen Kent; [email protected]; [email protected]; Kathleen Moriarty; Michael Jones; [email protected] Subject: Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31 On Mon, Sep 15, 2014 at 12:18 PM, John Bradley <[email protected]> wrote: Are you recommending that: That receivers MUST reject JOSE objects with duplicate keys. This would require compliant implementations to write there own parsers (perhaps not a good idea), or wait for I-JSON parsers (perhaps sometime soonish) Agree, sigh. Or that JOSE require producers not to send dup keys, and receivers SHOULD reject them if possible based on the parser. Yeah… MUST NOT send malformed JSON (I argue that an economical way to do that would be to reference I-JSON if the schedule works). As for the receiver, I like SHOULD reject, but I’m wondering if we can get away with that given that a high proportion of receiving software will have no way to detect the error. For JWE and JWS the header is integrity protected so we are talking about duplicate keys inserted by a bad producer rather than an attacker modifying the message after signing.. Whatever. If you get a busted message, something is wrong somewhere upstream. I suspect the important issue is taking care that when producing a JWE/JWS you are not accepting arbitrary elements for the header without verifying that they are not JOSE parameters. Hm, for ID Tokens, didn’t we do exactly the opposite, and end up with a Must-Ignore policy? John B. On Sep 15, 2014, at 3:54 PM, Tim Bray <[email protected]> wrote: When I talk about existing software I’m referring to generic JSON parsers such as are included in the basic library set of every programming language now, and which are unfortunately idiosyncratic and inconsistent in their handling of dupe keys, but in almost no cases actually inform the calling software whether or not dupe keys were encountered. On Mon, Sep 15, 2014 at 11:51 AM, Stephen Kent <[email protected]> wrote: OK, I'm a bit confused. I thought the JOSE specs were intended to create standards for transport of keys, and for sigs, MACs, and encryption of JSON objects. What is the existing software to which you and Tim refer, when referring to keys (vs. JSON parsing in general)? Steve -- - Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray) _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose -- - Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
