Re: [Acme] Specify which JWS serialization is used

Logan Widick <logan.widick@gmail.com> Thu, 04 January 2018 00:21 UTC

From: Logan Widick <logan.widick@gmail.com>
Date: Wed, 03 Jan 2018 18:21:04 -0600
Message-ID: <CAMmAzEKj33xOVhUK+i2UrHpvTBj=hz89DRyaFvTqAig4f66K-Q@mail.gmail.com>
To: Fraser Tweedale <frase@frase.id.au>
Cc: ACME WG <acme@ietf.org>, Jörn Heissler <acme-specs@joern.heissler.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/1KRPZcCEvPZoJ7zBq-Weo-L7onQ>

This looks good to me.

As for using JOSE implementations that lack support for the JSON
serialization formats (and only support the compact one), is there an RFC,
Internet-Draft, or similar document with an explanation of the conversion
process already prepared (that can simply be thrown into the ACME draft's
references section)? Or would it be necessary to include an appendix in the
ACME draft with an outline of the conversion process? The conversion
process looks fairly straightforward. However, it would be nice if there
were a document or part of a document that could be easily referenced.

Logan

On Wed, Jan 3, 2018 at 5:47 PM, Fraser Tweedale <frase@frase.id.au> wrote:

> On Thu, Jan 04, 2018 at 12:07:34AM +0100, Jörn Heissler wrote:
> > Hello and happy new Year!
> >
> > I've found an inaccuracy in the ACME specs.
> >
> > https://tools.ietf.org/html/rfc7515#section-7 states:
> >
> >     Applications using this specification need to specify what
> >     serialization and serialization features are used for that application.
> >
> > Although this is neither a "SHOULD" nor a "MUST", I think ACME should
> > specify which serialization formats need to be supported by server
> > implementations.
> >
> > RFC7515 defines four serialization formats:
> >
> > * JWS Compact Serialization
> > * General JWS JSON Serialization Syntax
> >   * One signature only
> >   * Multiple signatures
> > * Flattened JWS JSON Serialization Syntax
> >
> > https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.6.2
> > states:
> >
> >     In the examples below, JWS objects are shown in the JSON or
> >     flattened JSON serialization
> >
> > All examples in the ACME specification use only the flattened
> > serialization.
> > Depending on the clarification above, this might need to be amended too.
> >
> > Best regards
> > Jörn Heissler
>
> I am the author of a JOSE library, and have had to deal with
> interoperability issues arising from the multiple serialisations and
> underspecified applications/protocols.  Please heed my advice.
>
> Where there is a choice of JSON serialisation (i.e. exactly one
> signature), JOSE does not require or recommend a particular
> serialisation be used.  Nor does the specification require or
> recommend that there be a mechanism for telling a library what JSON
> serialisation to use.  The outcome of this is that there are:
>
> - implementations that unconditionally produce the General JSON
>   serialisation
>
> - implementations that unconditionally produce the Flattened JSON
>   serialisation (and do not support multiple signatures at all)
>
> - implementations that produce the Flattened serialisation when
>   there is a single signature, and the General JSON serialisation
>   otherwise
>
> Therefore for interoperability and to avoid situations where a
> conforming JOSE library cannot be used for ACME, I suggest that ACME
> adopt the following regime:
>
> - Conforming ACME implementations MUST process JWS objects using the
>   Flattened JWS JSON Serialization and SHOULD process JWS objects
>   using the General JWS JSON Serialization.
>
> - Conforming ACME implementations MAY refuse to process JWS objects
>   with multiple signatures.  If an implementation accepts
>   multiple-signature JWS objects, it MUST validate at least one
>   signature using the account's public key.
>
> Cheers,
> Fraser
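The compact-to-flattened conversion Logan asks about and the processing regime Fraser proposes (Flattened and General both accepted, multi-signature objects refusable, at least one signature verified with the account key), as an added example that is not part of this thread or of any JOSE library. It assumes HS256 via the standard-library hmac module as a stand-in for the account-key signature (ACME account keys are asymmetric; the signing input is built the same way), and every key and kid value is constructed.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_to_flattened(compact: str) -> dict:
    """Compact -> Flattened JSON: the three dot-separated segments map directly
    onto the "protected", "payload" and "signature" members (RFC 7515 section 7)."""
    protected, payload, signature = compact.split(".")
    return {"protected": protected, "payload": payload, "signature": signature}

def flattened_to_compact(flat: dict) -> str:
    """Flattened JSON -> Compact, for a library that only parses the compact form.
    Compact has no slot for an unprotected header, so such objects cannot convert."""
    if "header" in flat:
        raise ValueError("unprotected header cannot be represented in compact form")
    return ".".join((flat["protected"], flat["payload"], flat["signature"]))

def signatures_of(jws):
    """Accept any of the three serializations; return (payload, [signature objects])."""
    if isinstance(jws, str):
        jws = compact_to_flattened(jws)
    if "signatures" in jws:  # General JSON serialization (one or more signatures)
        return jws["payload"], list(jws["signatures"])
    if "signature" in jws:  # Flattened JSON serialization (exactly one signature)
        return jws["payload"], [jws]
    raise ValueError("not a JWS object")

def process_jws(jws, account_key: bytes, accept_multi: bool = False) -> dict:
    """Fraser's regime: Flattened and General are both processed; multi-signature
    objects are refused unless accept_multi, and when accepted at least one
    signature must verify with the account key. HS256 is a stdlib stand-in only."""
    payload, sigs = signatures_of(jws)
    if len(sigs) > 1 and not accept_multi:
        raise ValueError("refusing JWS with multiple signatures")
    for sig in sigs:
        signing_input = f"{sig['protected']}.{payload}".encode("ascii")
        expected = hmac.new(account_key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig["signature"])):
            return json.loads(b64url_decode(payload))
    raise ValueError("no signature verified with the account key")

def sign_compact(payload: dict, key: bytes, header: dict) -> str:
    """Constructed sample signer (HS256 stand-in) that emits the compact form."""
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{protected}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{protected}.{body}.{b64url(mac)}"
```

A client whose library only emits the compact form can run its output through compact_to_flattened before posting to the ACME server; a server whose library only parses compact can apply flattened_to_compact to requests that carry no unprotected header.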