[104attendees] Side-meeting: Canonical JSON, Signed REST

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 27 March 2019 05:52 UTC

From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: 104Attendees <104attendees@ietf.org>
Message-ID: <4944d01f-4565-9688-8833-1c8b287c6ae0@gmail.com>
Date: Wed, 27 Mar 2019 06:52:39 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/104attendees/z86lMWSc9mQ3PwRx5t_n_0Et_5w>
Subject: [104attendees] Side-meeting: Canonical JSON, Signed REST

Wednesday 14-15 in Paris.

My presentations at IETF-104 couldn't go into details, so here are some additional facts and motivations.

The lack of canonicalized JSON has had quite practical implications in IETF security protocols, like this one:

https://tools.ietf.org/html/draft-ietf-teep-opentrustprotocol-02

    "The top element "<name>[Signed][Request|Response]" cannot be fully
    trusted to match the content because it doesn't participate in the
    signature generation.  However, a recipient can always match it with
    the value associated with the property "payload".  It purely serves
    to provide a quick reference for reading and method invocation"

That is, the TEEP folks were forced to add a redundant (and IMO pretty ugly) JSON layer in order to tag objects, since the JWS signature scheme dresses the payload in Base64Url.  This scheme also introduces an additional validation step.

This is sort of the opposite to my own work in this space, where canonicalization is also applied to the JWS container itself (aka clear text signatures).  Here is an example from "Saturn":

  {
      "requestHash": {
          "alg": "S256",
          "val": "cA-QNdJHcynjuM44ty-zXgXwx100AZVRFLmYx1So0Xc"
      },
      "domainName": "demomerchant.com",
      "paymentMethod": "https://bankdirect.net",
      "accountId": "8645-7800239403",
      "timeStamp": "2019-03-23T10:33:02+01:00",
      "signature": {
          "alg": "ES256",
          "jwk": {
              "kty": "EC",
              "crv": "P-256",
              "x": "rQ4WXMB6_wQKHSiY_mbJ4QkGpfWLssF7hvIiiFpDEx8",
              "y": "Fh2rl0LGTtvaomOuhuRNo9Drz9o0--WXV2ITvdVQFRY"
          },
          "val": "j2LL9pr2RyrPxvFlj8IzMhno5vvgGIgf2xi23dA5u_XwjYlIvT9qwIVKaCKYwjb26J5mMUL5zV02lqQGjZRClw"
      }
  }

A recent proposal addressing Signed/JSON/REST, since this apparently is still missing:
https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00
https://datatracker.ietf.org/meeting/104/materials/slides-104-hotrfc-3-signed-http-requests-shreq-00

Bring your rotten tomatoes if you want :-)

Cheers,
Anders