Core 8.1: Revise example pairwise algorithms

Issue #1008 on hold
Vladimir Dzhuvinov created an issue

I recently saw people try to implement pairwise IDs by following the provided crypto examples 1:1. I think we can provide better guidance on that. I discussed that with Tim McLean, who you probably remember from his security review on JWT libs two years back.

On example 1:

Calculate sub = SHA-256 ( sector_identifier || local_account_id || salt )

Instead of suggesting that people build their own PRF, we could point them to standard HMAC.

On example 2:

Calculate sub = AES-128 ( sector_identifier || local_account_id || salt )

Similarly, here we could point developers to the existing standard on AES encryption in SIV mode (RFC 5297), which offers deterministic authenticated encryption:

https://tools.ietf.org/html/rfc5297#section-4
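Worked example of the HMAC alternative proposed in this issue, added here as illustration; it is not code from the issue, the specification, or any of the participants. It assumes the issuer's salt is used as the HMAC key (as John Bradley's comment describes) and that the two input strings are length-prefixed before hashing so their concatenation is unambiguous; the salt value and identifiers are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed demo value. A real deployment generates this once with
# os.urandom(32) and keeps it secret: it is the key that makes the
# mapping one-way and unguessable to the relying party.
DEMO_SALT = b"constructed-demo-salt-do-not-use-in-prod"


def _encode_parts(*parts: str) -> bytes:
    """Length-prefix each UTF-8 part so that ("ab","c") and ("a","bc") differ."""
    out = b""
    for part in parts:
        data = part.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def pairwise_sub(sector_identifier: str, local_account_id: str, salt: bytes) -> str:
    """Derive a pairwise subject identifier with HMAC-SHA256 keyed by the salt.

    Deterministic per (sector, account, salt), so the same RP sector always
    receives the same sub, while other sectors receive unrelated values.
    """
    if len(salt) < 32:
        raise ValueError("salt must be at least 32 bytes of secret random data")
    msg = _encode_parts(sector_identifier, local_account_id)
    mac = hmac.new(salt, msg, hashlib.sha256).digest()
    # base64url without padding keeps the sub compact and URL-safe (43 chars).
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def verify_sub(sector_identifier: str, local_account_id: str, salt: bytes, sub: str) -> bool:
    """Constant-time check that a presented sub matches a local account."""
    expected = pairwise_sub(sector_identifier, local_account_id, salt)
    return hmac.compare_digest(expected, sub)


if __name__ == "__main__":
    # Constructed sector identifiers (the host of the RP's sector identifier URI).
    for sector in ("client.example.com", "other.example.com"):
        print(sector, "->", pairwise_sub(sector, "alice", DEMO_SALT))
```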

Comments (2)

  1. John Bradley

    I think that using HMAC with salt as the key or AES SIV are valid alternate ways of doing the same thing. I don't think our examples are bad; they explain the goal. I am OK with adding more examples. Not all implementations support SIV.

  2. Michael Jones

    This issue was discussed on the February 6, 2017 OpenID Connect working group call. The conclusion was that this doesn't appear to be a necessary errata action to apply to the current specification. If we ever do a Core 1.1 specification we can reopen this at that time.

    I'll also note that AES-SIV is not an algorithm defined for use with JOSE.