IETF Logo Mail Archive

Re: [Acme] Specify which JWS serialization is used

Martin Thomson <martin.thomson@gmail.com> Sun, 04 March 2018 22:33 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97AEC126B72 for <acme@ietfa.amsl.com>; Sun, 4 Mar 2018 14:33:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: YES
X-Spam-Score: 18.001
X-Spam-Level: ******************
X-Spam-Status: Yes, score=18.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLACK=20] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CmEGbktEpHtJ for <acme@ietfa.amsl.com>; Sun, 4 Mar 2018 14:33:40 -0800 (PST)
Received: from mail-ot0-x233.google.com (mail-ot0-x233.google.com [IPv6:2607:f8b0:4003:c0f::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 151B8120227 for <acme@ietf.org>; Sun, 4 Mar 2018 14:33:40 -0800 (PST)
Received: by mail-ot0-x233.google.com with SMTP id n74so13326143ota.1 for <acme@ietf.org>; Sun, 04 Mar 2018 14:33:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=TX3+B0+RZFiTRxLKmxazhRA6sSJn5lUVprUlvBp4yjE=; b=LrECcoY6KG3rafDuISbAdTWGFhUHeHjdA9+HadI2v33CBf8radtosk2SiyGFozE1GJ TsD+wtNPDkbZCCrRCZSKlXA4pScR261pkNnNfacJYv2LIK0LpodBEi88hTsX0lKarF/T Z4ZsLRS4c+okaofoQ1X1UzicMPTy1VwwJTQVf+0OCon2Ew5tHZema0vZpeIU0ZYvaeV3 FFn3y2SZw6ncpSGkKodGxH7Etec7mU2WQGjbK82xU4mzw/C3cGte4w3qhitA1yLcqTqg gMnTziQRJv3UbhM7fNfwK8tQaG13x5HCXGdb9HmDGHcZ6XhTbNcJcOBgT5QNkyzn6LOm Y3ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=TX3+B0+RZFiTRxLKmxazhRA6sSJn5lUVprUlvBp4yjE=; b=jUN6rGJ2ZlrOJzm5PvP2iWJOQrrj3TQ3SCu+w+80PqMkqk2Af3PomYPXKI6+biOmw+ GX82uKHQ4P64NphhgbACKNiTvTREXHrX6qgWwj5VnJetIYh2KeIrkOdJ818FTR6T9Z+O YJZf6ulSbvh7TixSl+uS98m03AFMXFvCKBybu6N+NUhVqfpWbufNPDnFqTaOw3pgboYc 1LturXRb5trZTgwd+H9MGEPLSElAtbw5ULzkv2EbGXRn3kVL6uPDLink4EJ07b7U3WCG IWJ3urSyI9Ch9EJdY0MurO+JHCD/Naz4pCfidJQex2stxC/c1C6gf8RiqflUNa+IAaqk p8zg==
X-Gm-Message-State: AElRT7H/1YWWhYaK37hge0J0C2+hE3oI7KblViR45//xhEYizNvgpVSa vPsSWyfIFRjiMvpgk/4ekuzJe6QMwYOnhB1f78w=
X-Google-Smtp-Source: AG47ELsXykbzUusk2JIqTa27gJWPD7mUYX9xwikBaVP8jWNP+WGtp4kFwTUN+oRNrbYD65JYPZS1LgL3LmmX55nhTBs=
X-Received: by 10.157.0.74 with SMTP id 68mr8583030ota.392.1520202819121; Sun, 04 Mar 2018 14:33:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.16.85 with HTTP; Sun, 4 Mar 2018 14:33:38 -0800 (PST)
Received: by 10.157.16.85 with HTTP; Sun, 4 Mar 2018 14:33:38 -0800 (PST)
In-Reply-To: <CAL02cgSAQaE0Qd=q3aSEDZdGe0TwyHs60xn-042OhKxu5LHxYA@mail.gmail.com>
References: <CAMmAzEKJhMaUBtCWSNZyGv-f+-edZ-WTq3=WFD_b1bXfvua89A@mail.gmail.com> <20180106001126.GB3076@carrot.tutnicht.de> <CAMmAzELgjpAmVCX6YB0VMvNQV3NH3NDdM_pdcz6d+h=ZO2rJww@mail.gmail.com> <CAMmAzEKMffffrxAihotVWPpqy=LaRkpSJuW9CpSVoQfLQ-nBwQ@mail.gmail.com> <CAL02cgRLXkkQECF5ssGh39uFL0xJp-3EODxGSQVzfPuEnE7FgA@mail.gmail.com> <63F4F466-8398-41E6-BD25-5414ADA9D1B3@felipegasper.com> <CAMmAzEKksnuBi0LPHsAsd2qs1brbMqrJBdtsbArTr6HhGrkN+A@mail.gmail.com> <CAL02cgRrH9fG-E9_oc4naSNvE4igaUcs9wXDfTtCTUCx+c4wbg@mail.gmail.com> <20180304125854.GH2161@carrot.tutnicht.de> <CAMmAzEJ0A2iOd2ASSHGJRfuB6Ss-BaOCXWsxUKUZx9UUzbT1ng@mail.gmail.com> <20180304143300.GI2161@carrot.tutnicht.de> <CAMmAzELuDLp4KxPtLgHp8AoyKGLOOjx4HPSrhDJ=yJ9RytU_vw@mail.gmail.com> <CAL02cgSAQaE0Qd=q3aSEDZdGe0TwyHs60xn-042OhKxu5LHxYA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 05 Mar 2018 09:33:38 +1100
Message-ID: <CABkgnnWKhQ99qHtN8PkyG=6zNbJeGPYstL7Hgek36nR+747oHg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Logan Widick <logan.widick@gmail.com>, Jörn Heissler <acme-specs@joern.heissler.de>, Felipe Gasper <felipe@felipegasper.com>, ACME WG <acme@ietf.org>, Fraser Tweedale <frase@frase.id.au>
Content-Type: multipart/alternative; boundary="94eb2c0328bc0537ee05669dcd61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/IQ7AQx81y6Y70Djgl_1Xu77Abt8>
Subject: Re: [Acme] Specify which JWS serialization is used
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Mar 2018 22:33:42 -0000

415 is for the case where a client provides bad request content, so yes.
See rfc7694 for details.

 406 is for failed conneg. Not something you expect to see much here.

On 5 Mar. 2018 09:25, "Richard Barnes" <rlb@ipv.sx> wrote:

The lengths of the emails in this thread illustrate the complexity risk
here :)

In the interest of simplicity, I would really like to stick to Flattened
JSON unless someone has **strong** objections.

Logan, to your point about library compatibility, two notes: (1) it's OK if
we front-run libraries a little.  It's not hard for libraries to upgrade;
this is only formatting, no crypto changes needed.  (2) Empirically, this
must not be too big a blocker for people, since as Jacob notes, Let's
Encrypt only supports Flattened JSON right now and they've got a bunch of
clients talking to them.

As far as headers / response codes: You're correct that 406 is wrong / 415
is right.  But ISTM that Accept is still the right header to say what is
right.  So the server should return 415+Accept.  Copying Thomson to check
our work here.

--Richard

On Sun, Mar 4, 2018 at 10:43 AM, Logan Widick <logan.widick@gmail.com>
wrote:

> How about this: Specify a default format (either "application/jose" for
> Compact Serialization, or "application/jose+json" with Flattened
> Serialization - I have no preference which one), with optional support for
> other formats if needed? Even with JOSE libraries that don't support all
> serializations and/or don't provide control over which serialization is
> used, a programmer would at least need to know (or experimentally find out)
> if a JSON serialization or if the compact one is being produced. If a JSON
> serialization is selected as the default, a programmer should be able to
> convert between the two JSON serializations easily as needed before and/or
> after using a JOSE library. If a JSON format is declared as the default but
> the JOSE library only has the compact one, or vice-versa, conversion before
> and/or after the JOSE library would be more complex but should still be
> doable with guidance.
>
> The directory meta item could be defined as something like:
>
>    - supportedSerializations: An array of supported serialization formats
>    as described in {{jws-serialization-formats}}. If this is not specified,
>    assume that the server only supports [insert selected default here].
>
> Then, the JWS Serialization Formats section could be changed to something
> like the following:
>
> The JSON Web Signature (JWS) specification {{!RFC7515}} contains multiple
> JWS serialization formats. When sending an ACME request with a non-empty
> body, an ACME client implementation SHOULD use the HTTP Content-Type
> {{!RFC7231}} header to indicate which JWS serialization format is used for
> encapsulating the ACME request payload.
>
> Each serialization format defined for use in ACME is described with a
> content type, and a series of ACME-specific restrictions on root JWS and
> nested JWS instances.  A "root JWS" is a JWS used to encapsulate an entire
> ACME request payload, and a "nested JWS" is a JWS contained within the ACME
> request payload (such as the "externalAccountBinding" described in
> {{external-account-binding}} or the "key-change" object described in
> {{account-key-roll-over}}). Below are the JWS serialization formats that
> are defined for use in ACME:
>
> [same list as before but with the default format coming first]
>
> If no Content-Type is provided, the default serialization type is [insert
> selected default here]. Servers MUST support [insert selected default
> here]. [NOTE: If a JSON format is selected as the default, say that a
> server SHOULD support the other JSON format.] A server MAY support
> additional serializations, such as [insert serialization(s) not picked
> here], by including a "supportedSerializations" field in the directory
> "meta" object as described in {{directory}}.
>
> If a server receives a request using a serialization it does not support,
> the server MUST send a response with HTTP status code 415 (Unacceptable
> Media Type) and a problem document with error type
> "unsupportedSerialization". This problem document SHOULD contain a
> "supportedSerializations" array of strings indicating the acceptable
> serialization content types.
>
> [TODO: If a client uses the General JSON Serialization but it turns out
> the server only supports the Flattened JSON Serialization (or vice-versa),
> explain that a 415 response indicates that the client will need to switch
> JSON formats]
>
> [TODO: Insert a sentence or two specifying what happens if a supported
> serialization is used but the serialization is malformed? Should this be
> 400 Bad Request + malformed error code + supportedSerializations?]
>
> In the examples below, JWS objects are shown in the Flattened JSON
> serialization, with the protected header and payload expressed as
> base64url(content) instead of the actual base64-encoded value, so that the
> content is readable. [Example readability is a very high priority
> regardless of which serialization format is actually chosen as the default,
> and the current convention of Flattened JSON + base64url(content) is about
> as readable as it gets, so I don't think any changes will need to be made
> here]
>
>
> On Sun, Mar 4, 2018 at 8:33 AM, Jörn Heissler <
> acme-specs@joern.heissler.de> wrote:
>
>> On Sun, Mar 04, 2018 at 07:45:36 -0600, Logan Widick wrote:
>> > Good catch. Should it be 415 (Unsupported Media Type) plus which of the
>> > following (or which combination of the following):
>> >
>> >    - A new problem document field (tentatively named
>> >    "supportedSerializations": an array of media type strings)?
>> >    - A new directory field (tentatively named
>> "supportedSerializations": an
>> >    array of media type strings)?
>> >       - Should this go in the directory's "meta" object, or in the
>> >       directory object itself?
>> >    - A HTTP header?
>> >    - Something else?
>>
>> I like the directory approach with meta. Then a client could
>> use this information before sending the first POST. Else the client
>> would need to change an internal state after receiving the error
>> message. For my own client, I'm planning to support the OpenPGP smart
>> card. It takes 3 seconds to generate a signature. If a signature is
>> wasted to find out that the default serialization is not supported, it
>> would be annoying. Having to write a configuration file "use compact by
>> default for CA foo" would be stupid too.
>>
>> This, and the problem document field. "supportedSerializations" sounds
>> fine.
>>
>> Should the two features be OPTIONAL?
>>
>> I don't like HTTP headers, it's quite complicated to parse them correctly.
>> JSON is so much easier.
>>
>>
>> Or... specify that flattened MUST BE used :-)
>>
>> Cheers
>> Joern Heissler
>>
>
>

v2.23.0 | Report a Bug | By Email