Any thoughts, Kathleen? We'd like to update the draft to incorporate your
feedback before the telechat.
Thanks,
-- Mike
-----Original Message-----
From: Michael Jones <[email protected]>
Sent: Wednesday, March 26, 2025 5:46 PM
To: Kathleen Moriarty <[email protected]>; [email protected]
Cc: [email protected]; [email protected];
[email protected]
Subject: RE: Secdir last call review of
draft-ietf-jose-fully-specified-algorithms-08
Hi Kathleen,
Thanks for your review. We have a mitigation for your first issue. But before
we add it to the draft, I wanted to better understand your second issue.
Are you saying that an attacker could vary the algorithms used when signing
content? That's of course true, but the attack scenario is not clear to me.
Are you saying that an attacker might be identifiable from the algorithm it
chooses to use and that by changing algorithms, they could somewhat obscure
their identity? Can you describe an example of a scenario where this could
occur in practice, so I can better understand it?
Also, as you wrote, this consideration applies whether the algorithms are
fully-specified or polymorphic. So it seems like it may have broader
application than the specific algorithms defined in this document and this
documents advice to avoid polymorphic algorithms. Does it, for instance, apply
to all of JOSE and all of COSE and all of X.509? Without understanding the
attack better, I can't tell.
Thanks,
-- Mike
-----Original Message-----
From: Kathleen Moriarty via Datatracker <[email protected]>
Sent: Tuesday, March 25, 2025 5:33 AM
To: [email protected]
Cc: [email protected]; [email protected];
[email protected]
Subject: Secdir last call review of
draft-ietf-jose-fully-specified-algorithms-08
Reviewer: Kathleen Moriarty
Review result: Has Issues
Greetings!
Sorry for my late review. In reviewing the draft, there are 2 easily resolvable
findings. The first is that the term "cross mode" is used and never defined.
Tracing back to the reference provided, the closest I could find to "cross
mode" was the following text in RFC 9459:
"To avoid cross-protocol concerns, implementations MUST NOT use the
same keying material with more than one mode. For example, the same
keying material must not be used with AES-CTR and AES-CBC."
Matching the language or proving a definition would help to resolve this
concern.
Second, as I was reading the draft, anther security consideration became clear
and should be added. An attacker can easily avoid fingerprinting detection or
signature detection by rotating the ciphersuite whether it be defined or
polymorphic. If programmed to rotate, then the results will look different.
Awareness of flexibility in protocols to conduct attacks should be explicitly
stated so that OWASP can write up mitigations sooner rather than later when
attacks become prevalent.
Thank you for addressing the concerns! I did check the has issues, but do think
these are very easily addressed.
Best regards,
Kathleen
_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
