On Fri, Feb 24, 2017 at 7:40 AM, Antonio Sanso <[email protected]> wrote:
> Thanks a lot guys for the suggestions. I will take a stub so and submit an
> errata…

Thank you. List members - please review and I'll accept the errata once language is agreed to. I also think this is good for future document updates.

>
> regards
>
> antonio
>
> On Feb 22, 2017, at 4:32 AM, Jim Schaad <[email protected]> wrote:
>
> I would welcome an errata even for the people that might miss it from
> reading the documents. If nothing else, it gives us some hints about what
> things need to be dealt with in the (presumably) next revisions of the
> documents.
>
> Jim
>
>
> From: jose [mailto:[email protected]] On Behalf Of Brian Campbell
> Sent: Tuesday, February 21, 2017 12:23 PM
> To: John Bradley <[email protected]>
> Cc: Antonio Sanso <[email protected]>; [email protected]; Vladimir Dzhuvinov
> <[email protected]>
> Subject: Re: [jose] Use of ECDH-ES in JWE
>
>
> This seems similar in nature to some of the security consideration advice in
> JWE https://tools.ietf.org/html/rfc7516#section-11.4 and
> https://tools.ietf.org/html/rfc7516#section-11.5 and JWA
> https://tools.ietf.org/html/rfc7518#section-8.3 and
> https://tools.ietf.org/html/rfc7518#section-8.4 that an average implementer
> (like myself) would very likely not be aware of unless some attention is
> called to it.
>
> The point about people missing the errata is totally legit. But in the
> absence of some other way to convey it, perhaps it'd be better to have it
> written down as errata than not at all? Maybe Antonio would be the one to
> submit an errata for RFC 7518 https://www.rfc-editor.org/errata.php ?
>
> Certification for JOSE/JWT libraries sounds interesting. Having an errata
> for this would serve as a reminder for at least one negative test that
> should be done in that, if/when it comes to pass.
>
> On Mon, Feb 13, 2017 at 8:34 AM, John Bradley <[email protected]> wrote:
>
> An errata is possible. There is no way to update the original RFC.
>
> The problem tends to be that most developers miss the errata when reading
> specs if they ever look at the specs at all.
>
> We probably also need a more direct way to communicate this to library
> developers as well.
>
> In the OIDF we are talking about developing a certification for JOSE/JWT
> libraries like we have for overall server implementations.
>
> John B.
>
>
>
>> On Feb 13, 2017, at 7:57 AM, Antonio Sanso <[email protected]> wrote:
>>
>> hi Vladimir,
>>
>> thanks a lot for taking the time and verifying.
>> I really think it should be mentioned somewhere.
>> The problem is that Elliptic Curves are over the head of many
>> people/developers and it should be at least
>> some reference on the JOSE spec about defending against this attack.
>> Said that I have so far reviewed 3 implementations and all 3 were somehow
>> vulnerable. And counting….
>>
>> regards
>>
>> antonio
>>
>> On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <[email protected]>
>> wrote:
>>
>>> Hi Antonio,
>>>
>>> Thank you for making us aware of this.
>>>
>>> I just checked the ECDH-ES section in JWA, and the curve check
>>> apparently hasn't been mentioned:
>>>
>>> https://tools.ietf.org/html/rfc7518#section-4.6
>>>
>>> It's not in the security considerations either:
>>>
>>> https://tools.ietf.org/html/rfc7518#section-8
>>>
>>>
>>> Vladimir
>>>
>>> On 09/02/17 12:39, Antonio Sanso wrote:
>>>> hi all,
>>>>
>>>> this mail is highly inspired from a research done by Quan Nguyen [0].
>>>>
>>>> As he discovered and mentioned in his talk there is a high chance the
>>>> JOSE libraries implementing ECDH-ES in JWE are vulnerable to invalid curve
>>>> attack.
>>>> Now I read the JWA spec and I did not find any mention that the
>>>> ephemeral public key contained in the message should be validated in order
>>>> to be on the curve.
>>>> Did I miss this advice in the spec or is it just missing? If it is not
>>>> clear enough the outcome of the attack will be the attacker completely
>>>> recover the private static key of the receiver.
>>>> Quan already found a pretty well known JOSE library vulnerable to it. So
>>>> did I.
>>>>
>>>> WDYT?
>>>>
>>>> regards
>>>>
>>>> antonio
>>>>
>>>> [0] https://research.google.com/pubs/pub45790.html
>>>> [1] https://tools.ietf.org/html/rfc7518
>>>> _______________________________________________
>>>> jose mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/jose

--
Best regards,
Kathleen
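
The check this thread asks JOSE libraries to make on the `epk` header value before running ECDH-ES, as an added example that is not part of the original messages and not taken from any library discussed here. It covers P-256 only; the names `validate_epk` and `sample_epk` are hypothetical, and the sample keys are constructed from the curve's base point.

```python
import base64

# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + A*x + B over GF(P).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point G, used below only to build constructed sample keys.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32  # JWK coordinates for P-256 are exactly 32 octets


def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64u_encode(value):
    raw = value.to_bytes(COORD_LEN, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def validate_epk(epk, expected_crv="P-256"):
    """Return (ok, reason) for a JWE "epk" value before any ECDH is run."""
    if epk.get("kty") != "EC" or epk.get("crv") != expected_crv:
        return False, "unexpected kty or crv"
    try:
        raw_x, raw_y = b64u_decode(epk["x"]), b64u_decode(epk["y"])
    except (KeyError, TypeError, ValueError):
        return False, "missing or malformed coordinate"
    if len(raw_x) != COORD_LEN or len(raw_y) != COORD_LEN:
        return False, "wrong coordinate length"
    x, y = int.from_bytes(raw_x, "big"), int.from_bytes(raw_y, "big")
    if x >= P or y >= P:
        return False, "coordinate out of range"
    # The check the thread found missing: the point must satisfy the P-256
    # equation, otherwise the receiver's static key is applied to another curve.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False, "point not on curve"
    return True, "ok"


def sample_epk(x, y, crv="P-256"):
    # Constructed sample header value, not taken from any real token.
    return {"kty": "EC", "crv": crv, "x": b64u_encode(x), "y": b64u_encode(y)}


if __name__ == "__main__":
    print(validate_epk(sample_epk(GX, GY)))
    print(validate_epk(sample_epk(GX, GY + 1)))
```

A library would reject the JWE as soon as `validate_epk` returns `False`, which also gives the negative test case mentioned in the thread.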
