Re: [Acme] JOSE usage (was Re: WG meeting at IETF 93)
Richard Barnes <rlb@ipv.sx> Mon, 06 July 2015 15:59 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DA131B2F34 for <acme@ietfa.amsl.com>; Mon, 6 Jul 2015 08:59:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5E70zi0QLBqf for <acme@ietfa.amsl.com>; Mon, 6 Jul 2015 08:59:04 -0700 (PDT)
Received: from mail-vn0-f53.google.com (mail-vn0-f53.google.com [209.85.216.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 225F31B2F17 for <acme@ietf.org>; Mon, 6 Jul 2015 08:59:04 -0700 (PDT)
Received: by vnav203 with SMTP id v203so4989496vna.5 for <acme@ietf.org>; Mon, 06 Jul 2015 08:59:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=TGDRjcxZs+ksLnBaZuILWQlM2zwix2TQPwy4YZaXevU=; b=YmzeZ4pll7aBKWZm9hxODcFxJBD7Fl01KcprGveNrumgnHqhvVS+h7TNd8GgiznCZI keMzv5trMP+x3l936RPpwOrGowebQhaThdxz/rFyjxTwvONGJjVVUSpshAJWyOmyZ+8z qJM7qO/v+l86fNDC3OVdfN7zt5kQe317OEqEJ6LaOkg8jc2bh4Ue7cKiTzojRWQXLcc4 sQADS8ZkPIBePfEhWSr3sBBe6iuSsxwKJRYy/GmBQn1DPOozrbtMH21RJadNGnlDgMqS eU4P7W/cs38vz6lQwmz1Ks0TIXNrNbpgeBYT7rSloI9WAsVCzFkASuW+j83HRnHdxdSo BMOg==
X-Gm-Message-State: ALoCoQk528p5acQ90Fu8iDswOOga3p3pvcvp8CuOGjJfrSnHZlvegtp8ddcgyvUeNRVHj9FqItxQ
MIME-Version: 1.0
X-Received: by 10.52.163.243 with SMTP id yl19mr50696926vdb.51.1436198343376; Mon, 06 Jul 2015 08:59:03 -0700 (PDT)
Received: by 10.31.164.207 with HTTP; Mon, 6 Jul 2015 08:59:03 -0700 (PDT)
In-Reply-To: <CAMm+LwhZy9HvF6T+9=U2ihUq6353gh6mcXgDPbt=FgA0A8RUjw@mail.gmail.com>
References: <CAL02cgTG50h_XYT6vSh+QczGEPfeh0ueBu=cK5dBeN8-=HpR-A@mail.gmail.com> <CAMm+LwhZy9HvF6T+9=U2ihUq6353gh6mcXgDPbt=FgA0A8RUjw@mail.gmail.com>
Date: Mon, 06 Jul 2015 11:59:03 -0400
Message-ID: <CAL02cgR53PvY6p0m4UCqQwwOepk594GdGJE0FX=183mg1zY9UA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/0vewlFpcoPfXir3TFEtVahAGrbg>
Cc: "Salz, Rich" <rsalz@akamai.com>, Ted Hardie <ted.ietf@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] JOSE usage (was Re: WG meeting at IETF 93)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 15:59:10 -0000
On Mon, Jul 6, 2015 at 11:19 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote: > Not sure why you think that, can you elaborate? > > All that is being proposed here is to get rid of the base64 armor which is > unnecessary in http because it is 8-bit clean by definition. If you look at that draft, it doesn't make JOSE simpler, it makes it wildly more complicated. It doesn't remove the base64 armor -- it adds an *option* to, which has major implications, like changing the signed value. And unfortunately, the "remove the armor because HTTP is clean" option isn't the whole story. If you did something like a Content-Signature header with a detached signature, maybe. But if the whole JWS is in the body, you have to have some framing in order to separate header / payload / signature, and if you want that to be JSON, you're going to have to Base64-encode. > The intention is that this will be part of JOSE as-is. Given that the JOSE formats are already RFCs and therefore immutable, and that there are already pretty mature JOSE libraries, it seems like that ship has sailed. --Richard > > > > > > On Mon, Jul 6, 2015 at 10:35 AM, Richard Barnes <rlb@ipv.sx> wrote: >> >> Dealing with JOSE nuances is not germane to this WG. >> >> Yes, JOSE has failings -- pretty much all of which were pointed out >> during the JOSE WG process, and dismissed at the time. They are not >> so bad, however, as to render JOSE as-is unusable. Certainly the cure >> described in draft-jones-jose-jws-signing-input-options is much worse >> than the disease. Either let's scrap JOSE and re-design more cleanly, >> or let's just use it with the flaws it has. >> >> >> >> >> On Mon, Jul 6, 2015 at 10:14 AM, Phillip Hallam-Baker >> <phill@hallambaker.com> wrote: >> > Another point I think should be considered on the agenda is how to use >> > JOSE >> > in the spec. >> > >> > I think it would be a very good idea to adopt the approach Mike Jones >> > and >> > myself have been suggesting of using JOSE without base64 armoring for >> > authenticating requests and responses at the Web Service level. >> > >> > http://tools.ietf.org/html/draft-jones-jose-jws-signing-input-options-00 >> > >> > >> > I really hope that ACME is not going to be the last JSON based security >> > spec >> > IETF does and I would really like all the specs to end up with something >> > approaching a uniform style. >> > >> > >> > >> > On Tue, Jun 30, 2015 at 4:12 PM, Ted Hardie <ted.ietf@gmail.com> wrote: >> >> >> >> Just to bump this up on people's lists, Rich and I will put up a >> >> preliminary agenda next Monday. If you want time for something other >> >> than >> >> draft-barnes-acme, please let us know. >> >> >> >> thanks, >> >> >> >> Ted and Rich >> >> >> >> On Fri, Jun 26, 2015 at 10:54 AM, Ted Hardie <ted.ietf@gmail.com> >> >> wrote: >> >>> >> >>> Howdy, >> >>> >> >>> As you've seen from the IESG announcement, ACME has been approved as a >> >>> working group, so our meeting in Prague will be as a working group >> >>> rather >> >>> than a BoF. The IETF agenda is still tentative, but we're currently >> >>> scheduled for Thursday, July 23rd, 15:20-17:20, in Karlin I/II. >> >>> (There is >> >>> still a chance that will change, though, so please do not tailor >> >>> travel to >> >>> just that time frame!) >> >>> >> >>> Our charter lists draft-barnes-acme as a starting point, and Rich and >> >>> I >> >>> are asking the authors to produce an update for the meeting. We >> >>> expect some >> >>> of the working group time in Prague to be a document review/discussion >> >>> of >> >>> that draft. >> >>> >> >>> If you have other agenda items you'd like to request time for, please >> >>> send them to the list. >> >>> >> >>> thanks, >> >>> >> >>> Ted and Rich >> >> >> >> >> >> >> >> _______________________________________________ >> >> Acme mailing list >> >> Acme@ietf.org >> >> https://www.ietf.org/mailman/listinfo/acme >> >> >> > >> > >> > _______________________________________________ >> > Acme mailing list >> > Acme@ietf.org >> > https://www.ietf.org/mailman/listinfo/acme >> > > > > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] JOSE usage (was Re: WG meeting at IETF 93) Richard Barnes
- Re: [Acme] JOSE usage (was Re: WG meeting at IETF… Phillip Hallam-Baker
- Re: [Acme] JOSE usage (was Re: WG meeting at IETF… Richard Barnes