Re: [Acme] [Json] Signed JSON document / Json Content Metaheader / JSON Container

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 29 January 2015 04:03 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63BBA1A1B51; Wed, 28 Jan 2015 20:03:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3rWn0tl79PhR; Wed, 28 Jan 2015 20:03:07 -0800 (PST)
Received: from mail-lb0-x233.google.com (mail-lb0-x233.google.com [IPv6:2a00:1450:4010:c04::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B1FB1A1AB4; Wed, 28 Jan 2015 20:03:07 -0800 (PST)
Received: by mail-lb0-f179.google.com with SMTP id 10so23904772lbg.10; Wed, 28 Jan 2015 20:03:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=N+ZIj/d932Tc08iUr4zlvf9TYblAQ6UWIR3f+CS1vX8=; b=Jj1OSf/i/kQCW7RjgupJhIUrGVBpZT9TOP1scEd+3+mO42c3luvIvghOzrH3PBEIVa AlRVFQ9pK61+fOHGf7j7Rgl3u2wVRhTb8Ozs4w/UMkdYKD8RijRZxKlHaYgV6e9ImQJO sHQ8q08smKIi9zny5f0tAxVN3YkZGbkUFN/V9f5YzDRHDIiNVaRU6GF07OEuTSzxOfSh NrgJVUBaGoTqRRER6v5Fm+q3XXfzxBsIR48QJX84GuAUEFAFNrgPFhby/RIiAg7y/q9B sVcO+/sEkjnGIBpGLvV21i1trn0B8F4sTbESKKSyHhQPrLrh2ImdfN14uCx5yMiGJi14 dOzw==
MIME-Version: 1.0
X-Received: by 10.152.29.193 with SMTP id m1mr12014457lah.84.1422504185595; Wed, 28 Jan 2015 20:03:05 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.147.193 with HTTP; Wed, 28 Jan 2015 20:03:05 -0800 (PST)
In-Reply-To: <CABzCy2DTa+2usPhGJRX7kq8vdxaC+LgAEgoZWNiBmaQNOaYdEg@mail.gmail.com>
References: <CAMm+Lwh12jzrH3ZVaS4HTqkNZkteg9mL+n6LYRsj5P1r-Q-DbQ@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1284ED9AA38@WSMSG3153V.srv.dir.telstra.com> <CABzCy2DTa+2usPhGJRX7kq8vdxaC+LgAEgoZWNiBmaQNOaYdEg@mail.gmail.com>
Date: Wed, 28 Jan 2015 23:03:05 -0500
X-Google-Sender-Auth: 4t53TvsEJNw0e6zH8ipqvXcFy0U
Message-ID: <CAMm+Lwirvv5tLU-2AEqnQe9DUDKT=GbJK9Jyy69BJVfeDZjCiA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Nat Sakimura <sakimura@gmail.com>
Content-Type: multipart/alternative; boundary=089e0158bf4cac8bec050dc2904a
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/IDEiECE--6kaVu3uIsjoRL9Vp8w>
Cc: "acme@ietf.org" <acme@ietf.org>, "Manger, James" <James.H.Manger@team.telstra.com>, JSON WG <json@ietf.org>
Subject: Re: [Acme] [Json] Signed JSON document / Json Content Metaheader / JSON Container
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 04:03:11 -0000

On Wed, Jan 28, 2015 at 9:57 PM, Nat Sakimura <sakimura@gmail.com> wrote:

> On a side note: if such a spec is to be defined here, IMHO, it should use
> the algorithms and probably header parameters specified by JWA, etc. It
> should limit the scope to payload processing and expression of the entire
> thing in JSON Log like format, and leave the rest to JOSE.
>

Absolutely. In fact that is why I am not raising it in JOSE as that just
provides the format for the main crypto attributes.






> On Thu Jan 29 2015 at 11:51:24 Manger, James <
> James.H.Manger@team.telstra.com> wrote:
>
>> A signed JAR file meets some of these requirements.
>>
>> Metadata and signatures are in extra files in the ZIP archive:
>> META-INF/MANIFEST.MF, META-INF/MYKEY.SF, META-INF/MYKEY.RSA.
>>
>> Content is the other files in the archive.
>>
>> It is not JSON of course, and the signature & certs are packaged in
>> ASN.1, but it is a useful comparison. It avoids BASE64 on the content; can
>> adds signatures, digests, and other metadata; can transport content and
>> metadata as a regular blob (*.jar file); can sign complete code
>> distributions.
>>
>>
>>
I have used signed jar files. But Sun rather poisoned the well there by
suing Microsoft over control of Java followed up by further lawsuits from
Oracle.

I can't imagine anyone is going to accept Jar or anything involving
assinine.1 as a wire format for packaging. Those days are long past. The
way you get coherence is to pick one encoding and stick to it. JSON seems
to have been the one we picked. It has all the functionality offered by the
alternatives and none of the drawbacks.