Re: [Acme] JOSE usage (was Re: WG meeting at IETF 93)

Richard Barnes <rlb@ipv.sx> Mon, 06 July 2015 15:59 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DA131B2F34 for <acme@ietfa.amsl.com>; Mon, 6 Jul 2015 08:59:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5E70zi0QLBqf for <acme@ietfa.amsl.com>; Mon, 6 Jul 2015 08:59:04 -0700 (PDT)
Received: from mail-vn0-f53.google.com (mail-vn0-f53.google.com [209.85.216.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 225F31B2F17 for <acme@ietf.org>; Mon, 6 Jul 2015 08:59:04 -0700 (PDT)
Received: by vnav203 with SMTP id v203so4989496vna.5 for <acme@ietf.org>; Mon, 06 Jul 2015 08:59:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=TGDRjcxZs+ksLnBaZuILWQlM2zwix2TQPwy4YZaXevU=; b=YmzeZ4pll7aBKWZm9hxODcFxJBD7Fl01KcprGveNrumgnHqhvVS+h7TNd8GgiznCZI keMzv5trMP+x3l936RPpwOrGowebQhaThdxz/rFyjxTwvONGJjVVUSpshAJWyOmyZ+8z qJM7qO/v+l86fNDC3OVdfN7zt5kQe317OEqEJ6LaOkg8jc2bh4Ue7cKiTzojRWQXLcc4 sQADS8ZkPIBePfEhWSr3sBBe6iuSsxwKJRYy/GmBQn1DPOozrbtMH21RJadNGnlDgMqS eU4P7W/cs38vz6lQwmz1Ks0TIXNrNbpgeBYT7rSloI9WAsVCzFkASuW+j83HRnHdxdSo BMOg==
X-Gm-Message-State: ALoCoQk528p5acQ90Fu8iDswOOga3p3pvcvp8CuOGjJfrSnHZlvegtp8ddcgyvUeNRVHj9FqItxQ
MIME-Version: 1.0
X-Received: by 10.52.163.243 with SMTP id yl19mr50696926vdb.51.1436198343376; Mon, 06 Jul 2015 08:59:03 -0700 (PDT)
Received: by 10.31.164.207 with HTTP; Mon, 6 Jul 2015 08:59:03 -0700 (PDT)
In-Reply-To: <CAMm+LwhZy9HvF6T+9=U2ihUq6353gh6mcXgDPbt=FgA0A8RUjw@mail.gmail.com>
References: <CAL02cgTG50h_XYT6vSh+QczGEPfeh0ueBu=cK5dBeN8-=HpR-A@mail.gmail.com> <CAMm+LwhZy9HvF6T+9=U2ihUq6353gh6mcXgDPbt=FgA0A8RUjw@mail.gmail.com>
Date: Mon, 6 Jul 2015 11:59:03 -0400
Message-ID: <CAL02cgR53PvY6p0m4UCqQwwOepk594GdGJE0FX=183mg1zY9UA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/0vewlFpcoPfXir3TFEtVahAGrbg>
Cc: "Salz, Rich" <rsalz@akamai.com>, Ted Hardie <ted.ietf@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] JOSE usage (was Re: WG meeting at IETF 93)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 15:59:10 -0000

On Mon, Jul 6, 2015 at 11:19 AM, Phillip Hallam-Baker
<phill@hallambaker.com>; wrote:
> Not sure why you think that, can you elaborate?
>
> All that is being proposed here is to get rid of the base64 armor which is
> unnecessary in http because it is 8-bit clean by definition.

If you look at that draft, it doesn't make JOSE simpler, it makes it
wildly more complicated.  It doesn't remove the base64 armor -- it
adds an *option* to, which has major implications, like changing the
signed value.

And unfortunately, the "remove the armor because HTTP is clean" option
isn't the whole story.  If you did something like a Content-Signature
header with a detached signature, maybe.  But if the whole JWS is in
the body, you have to have some framing in order to separate header /
payload / signature, and if you want that to be JSON, you're going to
have to Base64-encode.


> The intention is that this will be part of JOSE as-is.

Given that the JOSE formats are already RFCs and therefore immutable,
and that there are already pretty mature JOSE libraries, it seems like
that ship has sailed.

--Richard


>
>
>
>
>
> On Mon, Jul 6, 2015 at 10:35 AM, Richard Barnes <rlb@ipv.sx>; wrote:
>>
>> Dealing with JOSE nuances is not germane to this WG.
>>
>> Yes, JOSE has failings -- pretty much all of which were pointed out
>> during the JOSE WG process, and dismissed at the time.  They are not
>> so bad, however, as to render JOSE as-is unusable.  Certainly the cure
>> described in draft-jones-jose-jws-signing-input-options is much worse
>> than the disease.  Either let's scrap JOSE and re-design more cleanly,
>> or let's just use it with the flaws it has.
>>
>>
>>
>>
>> On Mon, Jul 6, 2015 at 10:14 AM, Phillip Hallam-Baker
>> <phill@hallambaker.com>; wrote:
>> > Another point I think should be considered on the agenda is how to use
>> > JOSE
>> > in the spec.
>> >
>> > I think it would be a very good idea to adopt the approach Mike Jones
>> > and
>> > myself have been suggesting of using JOSE without base64 armoring for
>> > authenticating requests and responses at the Web Service level.
>> >
>> > http://tools.ietf.org/html/draft-jones-jose-jws-signing-input-options-00
>> >
>> >
>> > I really hope that ACME is not going to be the last JSON based security
>> > spec
>> > IETF does and I would really like all the specs to end up with something
>> > approaching a uniform style.
>> >
>> >
>> >
>> > On Tue, Jun 30, 2015 at 4:12 PM, Ted Hardie <ted.ietf@gmail.com>; wrote:
>> >>
>> >> Just to bump this up on people's lists, Rich and I will put up a
>> >> preliminary agenda next Monday.  If you want time for something other
>> >> than
>> >> draft-barnes-acme, please let us know.
>> >>
>> >> thanks,
>> >>
>> >> Ted and Rich
>> >>
>> >> On Fri, Jun 26, 2015 at 10:54 AM, Ted Hardie <ted.ietf@gmail.com>;
>> >> wrote:
>> >>>
>> >>> Howdy,
>> >>>
>> >>> As you've seen from the IESG announcement, ACME has been approved as a
>> >>> working group, so our meeting in Prague will be as a working group
>> >>> rather
>> >>> than a BoF.  The IETF agenda is still tentative, but we're currently
>> >>> scheduled for Thursday, July 23rd, 15:20-17:20, in Karlin I/II.
>> >>> (There is
>> >>> still a chance that will change, though, so please do not tailor
>> >>> travel to
>> >>> just that time frame!)
>> >>>
>> >>> Our charter lists draft-barnes-acme as a starting point, and Rich and
>> >>> I
>> >>> are asking the authors to produce an update for the meeting.  We
>> >>> expect some
>> >>> of the working group time in Prague to be a document review/discussion
>> >>> of
>> >>> that draft.
>> >>>
>> >>> If you have other agenda items you'd like to request time for, please
>> >>> send them to the list.
>> >>>
>> >>> thanks,
>> >>>
>> >>> Ted and Rich
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Acme mailing list
>> >> Acme@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/acme
>> >>
>> >
>> >
>> > _______________________________________________
>> > Acme mailing list
>> > Acme@ietf.org
>> > https://www.ietf.org/mailman/listinfo/acme
>> >
>
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>