>> Comments on JWK thumbprints: >> http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00 >> >> draft-jones-jose-jwk-thumbprint needs to be much clearer about the >> properties of a thumbprint and the circumstances where it is appropriate and >> inappropriate to use. Superficially a thumbprint looks like both an >> unambiguous id and a unique id for a key, but I doubt the latter property >> can be relied upon. >> >> For instance, it would be dangerous to use these thumbprints in a blacklist >> of revoked keys. It looks fairly easy for a malicious party to modify the >> representation of a key to give a different thumbprint for the same key (eg >> change "e":"AQAB" to "e":"AAEAAQ").
> Thanks for pointing this out and for the example. This is now discussed in a > new Security Considerations paragraph in WG draft -02 (which, in fact, uses > your example). Mike & Nat, The extra Security Consideration paragraph is okay, but it should explicitly mention that JWK thumbprints are not suitable (or MUST NOT be used) in blacklists. I would also drop the phrase about being lax in validating. I don’t think we can blame an implementation (by calling it lax) if it doesn't notice and reject "e":"AAEAAQ". I’m sure we can't call it lax if it doesn’t notice and reject "n":"<3 * n>", even though such a key would still "work" a third of the time. --current text A JWK Thumbprint will only uniquely identify a particular key if a single unambiguous JWK representation for that key is defined and used when computing the JWK Thumbprint. (Such representations are defined for all the key types defined in JSON Web Algorithms (JWA) [JWA].) For example, if an RSA key were to use "e":"AAEAAQ" (representing [0, 1, 0, 1]) rather than the specified correct representation of "e":"AQAB" (representing [1, 0, 1]), a different thumbprint value would be produced for what could be effectively the same key, at least for implementations that are lax in validating the JWK values that they accept. Thus, JWK Thumbprint values can only be relied upon to be unique for a given key if the implementation also validates that the correct representation of the key is used. --alternative suggestion JWK Thumbprints are not suitable for use in blacklists to identify unwanted JWKs. An attacker may be able to use an unusual JWK representation for a key that will result in a different thumbprint. For example, if an RSA key were to use "e":"AAEAAQ" (representing [0, 1, 0, 1]) rather than the specified correct representation of "e":"AQAB" (representing [1, 0, 1]), a different thumbprint value would be produced for effectively the same key. -- James Manger _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
