In no place is SHA-1 or algorithms using it MTI. You can see the set of MTI
algorithms by looking at those marked “Required” in the registries.
A small set of required algorithms is present, with the choices based on a
detailed survey of what algorithms are widely deployed, to provide a basis for
implementations to interoperate. Recognizing that the set of algorithms that
will be appropriate to have as required will change over time, Sean Turner
suggested that we enable future drafts to update the Implementation
Requirements in the registries, with expert review. (So for instance, an
algorithm that might be “Required” today could be marked “Deprecated” in the
future.) We adopted Sean’s suggestion a good while ago.
This is another area that was widely discussed within the JOSE working group,
and there was never consensus to remove the implementation requirements, which
have always been present.
-- Mike
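As an added illustration, not code from this thread or from any JOSE implementation, here is how a verifier can consult the registry's "JOSE Implementation Requirements" column the way Mike describes while still letting a deployment profile (Hannes's IoT case) decide what is actually accepted. The registry snapshot, the profile allowlists and the sample token are my own assumptions and constructions.

```python
import base64
import json

# Assumed snapshot of the registry's "JOSE Implementation Requirements"
# column (values as I recall them from JWA; treat as illustrative, since
# the IANA registry is the source of truth and entries can be re-marked,
# e.g. from "Required" to "Deprecated").
JWA_REQUIREMENTS = {
    "HS256": "Required",
    "HS512": "Optional",
    "RS256": "Recommended",
    "ES256": "Recommended+",
    "none": "Optional",
}
VETO_LEVELS = {"Deprecated", "Prohibited"}

def _b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as JWS encodes its segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def header_alg(jws_compact: str) -> str:
    """Return the 'alg' from the protected header of a compact JWS."""
    header = json.loads(_b64url_decode(jws_compact.split(".")[0]))
    return header["alg"]

def alg_decision(alg: str, profile_allow: set, registry=JWA_REQUIREMENTS) -> str:
    """Decide whether a verifier may use 'alg'.
    The deployment profile (an IoT profile, a Web profile) is the positive
    allowlist; the registry column can only veto. A 'Required' mark never
    admits an algorithm by itself, and an unregistered or 'Deprecated'
    algorithm is refused even if a profile lists it."""
    status = registry.get(alg)
    if status is None:
        return "reject: unregistered alg"
    if status in VETO_LEVELS:
        return f"reject: registry marks {alg} {status}"
    if alg not in profile_allow:
        return f"reject: {alg} not in deployment profile"
    return "accept"

def check_token(jws_compact: str, profile_allow: set, registry=JWA_REQUIREMENTS) -> str:
    return alg_decision(header_alg(jws_compact), profile_allow, registry)

# Constructed sample: header {"alg":"HS256","typ":"JWT"} plus dummy payload/signature.
SAMPLE_JWS = (base64.urlsafe_b64encode(b'{"alg":"HS256","typ":"JWT"}')
              .rstrip(b"=").decode() + ".e30.c2ln")

if __name__ == "__main__":
    print(check_token(SAMPLE_JWS, {"HS256", "RS256"}))  # Web-style profile: accept
    print(check_token(SAMPLE_JWS, {"ES256"}))           # constructed IoT profile: reject
```

Re-marking an entry in the table (say HS256 to "Deprecated") changes the verdict for every profile without touching any profile's allowlist, which is the update path Sean suggested for the registry.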
From: OAuth [mailto:[email protected]] On Behalf Of Kathleen Moriarty
Sent: Friday, June 13, 2014 12:14 PM
To: Hannes Tschofenig
Cc: [email protected]
Subject: Re: [OAUTH-WG] JWT review
Hi Hannes,
Thank you for going through the various reviews, since the JOSE ones should be
of interest to Oauth. I'll respond in-line.
On Thu, Jun 12, 2014 at 4:27 AM, Hannes Tschofenig
<[email protected]> wrote:
Hi Kathleen,
on the first item I have a few minor remarks: You wrote:
"
As I read through the Algorithms (JWA) draft there are some changes that
will need to be made to avoid problems during the IESG review. This is
a pretty big change for the draft, but will help make the review and
approval faster. Typically, the lists of algorithms are handled through
a draft update as opposed to creating an IANA registry. A good example
is a recent update of a draft in the IPSECME working group so you can
see the structure and the precedence for this model.
"
FYI - this is from the start of a long thread that has been worked out already.
I had included a link to the JWA review only for the section on the security
considerations section as many of the drafts in JOSE, and at least one in OAuth
start out with the same paragraph that could use some updating and correcting.
I wanted to make sure this working group was aware since JWT shares that same
paragraph. Mike is working through new text and has solicited help from the WG
(please respond on the JOSE list).
The IANA registry for the algorithm serves a different purpose than a
document recommending the specific algorithms. The reference to the
IPSECME document only provides the latter. It is also important to note
that the JWA not only defines the algorithm tags for the IANA registry
but also explains how they actually work with the JOSE defined JSON
structures (which is again a difference to the mentioned IPSECME document).
The discussion on having a registry versus a draft has been settled. The
possibility of an issue came to me through an AD and after discussion, it is
fine as it is. There were some considerations that needed to get surfaced, so
the document can remain as-is. Sorry for the confusion. I'll file this away
for the future reference.
Of course, the JWA document does both via the IANA registry and there is
the question about how these recommendations would then get updated and
what the consensus process is.
In a mail to the JOSE mailing list I argued against any MTI
recommendations since JOSE is a baseline technology that will be used in
a variety of different contexts and it is super likely that the
algorithm requirements will hugely vary.
I am just thinking about what algorithms I would recommend when using
the JOSE work in an IoT environment. My recommendations would deviate
from the currently given recommendations, which are largely impacted by
the Web community.
Here is the mail I sent to the JOSE list:
http://www.ietf.org/mail-archive/web/jose/current/msg04032.html
So, my recommendation is to
1) have no MTI requirements in the JWA spec
2) remove the 'JOSE Implementation Requirements' column from the IANA
registry.
Interesting. I do remember having these discussions with Sean and Richard
(see http://www.ietf.org/mail-archive/web/jose/current/msg04060.html). In
Jim's opinion, (from:
http://www.ietf.org/mail-archive/web/jose/current/msg04062.html), his view is
that even the MTI in JWA can be overridden in the spec. I wonder why you would
have an MTI then?
This closed out the discussion and it would be better to see it on the JOSE
list than here. If the point is to get Oauth people who are encountering
conflicts as a user of JOSE drafts to chime in, that should happen on the JOSE
list. I suspect this will be an issue for XMPP as well. They are phasing out
SHA-1, so if that's MTI for fingerprints, they may still feel like they have to
support SHA-1 for that purpose even though their work specifies that SHA-2
should be used everywhere.
Since JWA is getting closer to IESG review, I'll ask other ADs their thoughts
on how they like to see this sort of thing handled. Both Richard and Jim
raised valid points.
Thank you,
Kathleen
Ciao
Hannes
On 06/09/2014 06:17 PM, Kathleen Moriarty wrote:
> Hello,
>
> I am in process of working through the JOSE drafts and also read the
> Oauth JWT draft last week. There is some overlap in text that may
> require some joint work to correct.
>
> 1. For JWT, the Security Considerations section starts off with the same
> text that is in several of the JOSE drafts. In my review of the JWA
> draft, I asked for some fixes that will need to be made to this draft as
> well. Here is a link to that review and it may be easier to help with
> this work in one spot where text will be reused. Mike has asked the
> JOSE WG to assist, but it may make sense for Oauth folks to help as
> well. If it makes sense, a pointer to existing text is also fine.
>
> http://www.ietf.org/mail-archive/web/jose/current/msg04064.html
>
> 2. Sections 5.1 and 5.2 are a little confusing. However, the use of
> "typ" and "cty" appear in 3 drafts (at least), so this should get
> addressed with an approach that considers the joint text to reduce
> confusion for developers. The initial descriptions are in the JOSE JWS
> draft, so that may need most of the work, but it also appears in this
> draft and the JOSE JWK draft. In my writeup for the JWK review, I
> listed out some questions and would like to see improvements across
> these drafts. This will likely require some joint work and may be best
> in response to the JWK review to keep it in one place.
>
> http://www.ietf.org/mail-archive/web/jose/current/msg04172.html
>
> Thank you!
>
> --
>
> Best regards,
> Kathleen
>
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
--
Best regards,
Kathleen