Use of same key for different operations should not be encouraged
Issue #740
resolved
Several places in the Connect suite [1] have language that says the jwk/x509_url can also be used for encryption keys, if the jwk/x509_encryption_url isn't provided or registered.
I suggest we drop this fallback option and explicitly require encryption keys to be provided or registered when encryption is used. Two main reasons for this:
1) While I imagine the fallback approach was intended as a simplification, it actually makes most implementations more complicated as they need to support two ways of finding the keys. A wise man recently said, "having two ways to do something almost always hurts interop and always makes implementations bigger" [2]. I wholeheartedly agree and say Connect should have only one way.
2) More importantly, using the same key for signing and encryption is terribly insecure. I'm no cryptographer but am told this concern is no longer just theoretical and will point out that the W3C XML SEC folks recently published some best practices including an explicit recommendation to use distinct keys for different operations [3] citing signature forgery as a potential consequence of ignoring the recommendation.
Yes, Connect does recommend against it (to varying levels) but signature forgery is really bad. Despite the few SHOULDs suggesting that separate keys be used, just having the option of dual use is tacitly approving of it at some level. Let's just get rid of that.
[1] These 3 at least and maybe more: http://openid.net/specs/openid-connect-messages-1_0-15.html#sigenc.key http://openid.net/specs/openid-connect-discovery-1_0-12.html#ProviderConfigurationResponse http://openid.net/specs/openid-connect-registration-1_0-14.html#ClientRegistration
[2] and that man was our very own Mike Jones
http://www.ietf.org/mail-archive/web/oauth/current/msg10633.html
[3] XML Signature Best Practice 27: Signers: When encrypting and signing use distinct keys http://www.w3.org/TR/xmldsig-bestpractices/#signers-separate-keys
Comments (9)
-
-
reporter
Yes, a single place to look that utilized a required (but maybe default to singing) key use attribute per key would be good.
-
Account Deleted
(Reply via bren...@gmail.com):
+1 On Jan 31, 2013 4:09 PM, "Brian Campbell" issues-reply@bitbucket.org wrote:
-
-
assigned issue to
Michael Jones
We agreed not to allow the same key be used. It's fine for the URLs to point to the same JWK Set. It is RECOMMENDED to use the "use" parameter to distinguish between the multiple keys if they are in the same place.
-
assigned issue to
-
reporter
- changed title to Use of same key for different operations should not be encouraged
-
reporter
Attempting to catalyze some discussion/resolution on the WG mail list:
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20130204/003088.htmlrelating to
https://bitbucket.org/openid/connect/issue/740 and https://bitbucket.org/openid/connect/issue/703 and https://bitbucket.org/openid/connect/issue/704
-
-
reporter
-
- changed status to resolved
This is now addressed in the specifications.
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- All
- Milestone
- Implementer's Draft
- Version
- –
- Votes
- 0
- Watchers
- 0
It is a fight against common practice in SAML people don't regularly use separate keys.
I made a point of making them separable. I would be OK with requiring both be specified.
I would also prefer to do that with the JWK key use rather than in Connect. The issue with that is that we don't yet have a similar mechanism for x5u.
If we had a single place to look with key use attributes would that make you happier as an implementer.
I agree that you should never use the same kay for two different algs. The loophole is that for RSA pkcs 1.5 it is the same alg for signing and encrypting. So people take the short cut that sort of works for those two. If you are using RSA with PSS and OAEP then you defiantly need separate keys to avoid some possible pain.