Re: [Acme] Specify which JWS serialization is used
Richard Barnes <rlb@ipv.sx> Mon, 05 March 2018 04:39 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B272126C3D for <acme@ietfa.amsl.com>; Sun, 4 Mar 2018 20:39:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N_fkSmG1qm1A for <acme@ietfa.amsl.com>; Sun, 4 Mar 2018 20:39:02 -0800 (PST)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3B7C12426E for <acme@ietf.org>; Sun, 4 Mar 2018 20:39:01 -0800 (PST)
Received: by mail-wm0-x22f.google.com with SMTP id a20so11340687wmd.1 for <acme@ietf.org>; Sun, 04 Mar 2018 20:39:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=KNE6kFBF4XrwAQB//SsTqwb31E1gUcAE3hxtPLtviJk=; b=FUJ+9e+X6UpTA/D/ZGWJINRfAeL++9FFNJbR1W/EjByAL2xt6+EbBFdt0rUxmJa+IM 12GNewThYITndGlXh07ysnt0Ir1BnOYs3Plqc9LSBmsAS4sFZTNJ83acM8dWOM9HGjVb hdbnKIGcjuTuHMkgFGZpBNbH7EJxggVSycWXF+o1bKiPwK+t2UE1W+xXwhKLChHcITzM Cdo6kyjDsMCTa5A4jDAn/oYUvtFMYZRdPwG2Fomy9tqG8YBw8BPo5sysgaXqGu0YKndy qN4bkR3guSL5jM8s468FN0Yj5jvKidywe2eSYvIxPT2ymdUJjSMb0YfvbG8prTu4qL+L SP8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=KNE6kFBF4XrwAQB//SsTqwb31E1gUcAE3hxtPLtviJk=; b=ZNy3B0FblpklpGdRIE654abtt0vpoThUWg7QN7lNIwBUKJ6yLHWCrbWMEKyn/zaO9U M6hBdio5gS1Yb7+gSBgAT4VZpTc15+ZXVa1YyUszCoccQdPem17EtJ7+QWyLT7WquaoR Mfj+Ry8EyYxq55NRtf7Z0LBfP1svWr6vmcqyCdHpVreZ6INa/KRc6INmhJ7dNsapuu39 IQjasqpFuqYMZuVoX1d7ypWv8K0S3+jW3SX81dC8ybQbFCk+P+nAOiVSDExswWlh5g3Q M9mAhvoERdZFfA8T0Th3MUYGFgVpGTx6u0riKkEnnNFnYO4Tw9d0/8pG3PEEfOBPdRp3 B39g==
X-Gm-Message-State: AElRT7GtYPutD0+XtvQ80HE9UHEpO+0yfDfYvGg/u20z7QKFfgtR7rVK 4wwRgKQpvi4hg/1kJHaYc+Y0DnSUZbgWEpO4iK5gZA==
X-Google-Smtp-Source: AG47ELsSKGmfFpGi08TXYx+7GhZKviVBrOWcMsWThMuNtI0uhOcgrv6egayx0xV50eJL8BS2HoeS978JUUkJthGw8eg=
X-Received: by 10.28.222.3 with SMTP id v3mr6518774wmg.25.1520224740016; Sun, 04 Mar 2018 20:39:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.12.140 with HTTP; Sun, 4 Mar 2018 20:38:59 -0800 (PST)
In-Reply-To: <CABkgnnUeiZvckTBRZNAv1Psg+ge-xK+y6vhSA4h2Ve_9_Nt8cg@mail.gmail.com>
References: <CAMmAzEKJhMaUBtCWSNZyGv-f+-edZ-WTq3=WFD_b1bXfvua89A@mail.gmail.com> <20180106001126.GB3076@carrot.tutnicht.de> <CAMmAzELgjpAmVCX6YB0VMvNQV3NH3NDdM_pdcz6d+h=ZO2rJww@mail.gmail.com> <CAMmAzEKMffffrxAihotVWPpqy=LaRkpSJuW9CpSVoQfLQ-nBwQ@mail.gmail.com> <CAL02cgRLXkkQECF5ssGh39uFL0xJp-3EODxGSQVzfPuEnE7FgA@mail.gmail.com> <63F4F466-8398-41E6-BD25-5414ADA9D1B3@felipegasper.com> <CAMmAzEKksnuBi0LPHsAsd2qs1brbMqrJBdtsbArTr6HhGrkN+A@mail.gmail.com> <CAL02cgRrH9fG-E9_oc4naSNvE4igaUcs9wXDfTtCTUCx+c4wbg@mail.gmail.com> <20180304125854.GH2161@carrot.tutnicht.de> <CAMmAzEJ0A2iOd2ASSHGJRfuB6Ss-BaOCXWsxUKUZx9UUzbT1ng@mail.gmail.com> <20180304143300.GI2161@carrot.tutnicht.de> <CAMmAzELuDLp4KxPtLgHp8AoyKGLOOjx4HPSrhDJ=yJ9RytU_vw@mail.gmail.com> <CAL02cgSAQaE0Qd=q3aSEDZdGe0TwyHs60xn-042OhKxu5LHxYA@mail.gmail.com> <CABkgnnWKhQ99qHtN8PkyG=6zNbJeGPYstL7Hgek36nR+747oHg@mail.gmail.com> <CAL02cgQFvVNEyBEAPsPdAtWK+VL0aPxdDqhZc_yrVLza4keZmg@mail.gmail.com> <CABkgnnUeiZvckTBRZNAv1Psg+ge-xK+y6vhSA4h2Ve_9_Nt8cg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Sun, 04 Mar 2018 23:38:59 -0500
Message-ID: <CAL02cgSbgr69Qbd23MfF=gOrDn6wUXwDfx0Qv=H6RczoC2uasA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Logan Widick <logan.widick@gmail.com>, Jörn Heissler <acme-specs@joern.heissler.de>, Felipe Gasper <felipe@felipegasper.com>, ACME WG <acme@ietf.org>, Fraser Tweedale <frase@frase.id.au>
Content-Type: multipart/alternative; boundary="001a114a5f149b9cab0566a2e7f2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/WTbtcvY8WcFghOKxfKukvFd6oyo>
Subject: Re: [Acme] Specify which JWS serialization is used
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2018 04:39:05 -0000
I also note that there's no issue with Accept if we require the use of the Flattened JSON serialization. https://i.imgflip.com/25r2ui.jpg https://github.com/ietf-wg-acme/acme/pull/410 On Sun, Mar 4, 2018 at 6:28 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > That's a bit silly. I'll follow-up with httpbis. I think that's an > error, though probably only an error of omission. 7694 was so fixated > on solving the content-coding issue, it neglected the obvious > accompanying fix. > > On Mon, Mar 5, 2018 at 9:38 AM, Richard Barnes <rlb@ipv.sx> wrote: > > How about Accept? It looks like 7694 gives the server a way to specify > > encodings, but not the content type. But 7231 says that Accept only > replies > > to response media types. > > > > On Sun, Mar 4, 2018 at 5:33 PM, Martin Thomson <martin.thomson@gmail.com > > > > wrote: > >> > >> 415 is for the case where a client provides bad request content, so yes. > >> See rfc7694 for details. > >> > >> 406 is for failed conneg. Not something you expect to see much here. > >> > >> > >> On 5 Mar. 2018 09:25, "Richard Barnes" <rlb@ipv.sx> wrote: > >> > >> The lengths of the emails in this thread illustrate the complexity risk > >> here :) > >> > >> In the interest of simplicity, I would really like to stick to Flattened > >> JSON unless someone has **strong** objections. > >> > >> Logan, to your point about library compatibility, two notes: (1) it's OK > >> if we front-run libraries a little. It's not hard for libraries to > upgrade; > >> this is only formatting, no crypto changes needed. (2) Empirically, > this > >> must not be too big a blocker for people, since as Jacob notes, Let's > >> Encrypt only supports Flattened JSON right now and they've got a bunch > of > >> clients talking to them. > >> > >> As far as headers / response codes: You're correct that 406 is wrong / > 415 > >> is right. But ISTM that Accept is still the right header to say what is > >> right. So the server should return 415+Accept. Copying Thomson to > check > >> our work here. > >> > >> --Richard > >> > >> On Sun, Mar 4, 2018 at 10:43 AM, Logan Widick <logan.widick@gmail.com> > >> wrote: > >>> > >>> How about this: Specify a default format (either "application/jose" for > >>> Compact Serialization, or "application/jose+json" with Flattened > >>> Serialization - I have no preference which one), with optional support > for > >>> other formats if needed? Even with JOSE libraries that don't support > all > >>> serializations and/or don't provide control over which serialization is > >>> used, a programmer would at least need to know (or experimentally find > out) > >>> if a JSON serialization or if the compact one is being produced. If a > JSON > >>> serialization is selected as the default, a programmer should be able > to > >>> convert between the two JSON serializations easily as needed before > and/or > >>> after using a JOSE library. If a JSON format is declared as the > default but > >>> the JOSE library only has the compact one, or vice-versa, conversion > before > >>> and/or after the JOSE library would be more complex but should still be > >>> doable with guidance. > >>> > >>> The directory meta item could be defined as something like: > >>> > >>> supportedSerializations: An array of supported serialization formats as > >>> described in {{jws-serialization-formats}}. If this is not specified, > assume > >>> that the server only supports [insert selected default here]. > >>> > >>> Then, the JWS Serialization Formats section could be changed to > something > >>> like the following: > >>> > >>> The JSON Web Signature (JWS) specification {{!RFC7515}} contains > multiple > >>> JWS serialization formats. When sending an ACME request with a > non-empty > >>> body, an ACME client implementation SHOULD use the HTTP Content-Type > >>> {{!RFC7231}} header to indicate which JWS serialization format is used > for > >>> encapsulating the ACME request payload. > >>> > >>> Each serialization format defined for use in ACME is described with a > >>> content type, and a series of ACME-specific restrictions on root JWS > and > >>> nested JWS instances. A "root JWS" is a JWS used to encapsulate an > entire > >>> ACME request payload, and a "nested JWS" is a JWS contained within the > ACME > >>> request payload (such as the "externalAccountBinding" described in > >>> {{external-account-binding}} or the "key-change" object described in > >>> {{account-key-roll-over}}). Below are the JWS serialization formats > that are > >>> defined for use in ACME: > >>> > >>> [same list as before but with the default format coming first] > >>> > >>> If no Content-Type is provided, the default serialization type is > [insert > >>> selected default here]. Servers MUST support [insert selected default > here]. > >>> [NOTE: If a JSON format is selected as the default, say that a server > SHOULD > >>> support the other JSON format.] A server MAY support additional > >>> serializations, such as [insert serialization(s) not picked here], by > >>> including a "supportedSerializations" field in the directory "meta" > object > >>> as described in {{directory}}. > >>> > >>> If a server receives a request using a serialization it does not > support, > >>> the server MUST send a response with HTTP status code 415 (Unacceptable > >>> Media Type) and a problem document with error type > >>> "unsupportedSerialization". This problem document SHOULD contain a > >>> "supportedSerializations" array of strings indicating the acceptable > >>> serialization content types. > >>> > >>> [TODO: If a client uses the General JSON Serialization but it turns out > >>> the server only supports the Flattened JSON Serialization (or > vice-versa), > >>> explain that a 415 response indicates that the client will need to > switch > >>> JSON formats] > >>> > >>> [TODO: Insert a sentence or two specifying what happens if a supported > >>> serialization is used but the serialization is malformed? Should this > be 400 > >>> Bad Request + malformed error code + supportedSerializations?] > >>> > >>> In the examples below, JWS objects are shown in the Flattened JSON > >>> serialization, with the protected header and payload expressed as > >>> base64url(content) instead of the actual base64-encoded value, so that > the > >>> content is readable. [Example readability is a very high priority > regardless > >>> of which serialization format is actually chosen as the default, and > the > >>> current convention of Flattened JSON + base64url(content) is about as > >>> readable as it gets, so I don't think any changes will need to be made > here] > >>> > >>> > >>> On Sun, Mar 4, 2018 at 8:33 AM, Jörn Heissler > >>> <acme-specs@joern.heissler.de> wrote: > >>>> > >>>> On Sun, Mar 04, 2018 at 07:45:36 -0600, Logan Widick wrote: > >>>> > Good catch. Should it be 415 (Unsupported Media Type) plus which of > >>>> > the > >>>> > following (or which combination of the following): > >>>> > > >>>> > - A new problem document field (tentatively named > >>>> > "supportedSerializations": an array of media type strings)? > >>>> > - A new directory field (tentatively named > >>>> > "supportedSerializations": an > >>>> > array of media type strings)? > >>>> > - Should this go in the directory's "meta" object, or in the > >>>> > directory object itself? > >>>> > - A HTTP header? > >>>> > - Something else? > >>>> > >>>> I like the directory approach with meta. Then a client could > >>>> use this information before sending the first POST. Else the client > >>>> would need to change an internal state after receiving the error > >>>> message. For my own client, I'm planning to support the OpenPGP smart > >>>> card. It takes 3 seconds to generate a signature. If a signature is > >>>> wasted to find out that the default serialization is not supported, it > >>>> would be annoying. Having to write a configuration file "use compact > by > >>>> default for CA foo" would be stupid too. > >>>> > >>>> This, and the problem document field. "supportedSerializations" sounds > >>>> fine. > >>>> > >>>> Should the two features be OPTIONAL? > >>>> > >>>> I don't like HTTP headers, it's quite complicated to parse them > >>>> correctly. > >>>> JSON is so much easier. > >>>> > >>>> > >>>> Or... specify that flattened MUST BE used :-) > >>>> > >>>> Cheers > >>>> Joern Heissler > >>> > >>> > >> > >> > > >
- [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Fraser Tweedale
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Felipe Gasper
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Jacob Hoffman-Andrews
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Martin Thomson
- Re: [Acme] Specify which JWS serialization is used Martin Thomson
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Martin Thomson
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Martin Thomson
- [Acme] Concerning alternative formats … Felipe Gasper
- Re: [Acme] Concerning alternative formats … Jörn Heissler
- Re: [Acme] Concerning alternative formats … Felipe Gasper
- Re: [Acme] Concerning alternative formats … Matthew D. Hardeman
- Re: [Acme] Concerning alternative formats … Felipe Gasper
- Re: [Acme] Concerning alternative formats … Richard Barnes
- Re: [Acme] Concerning alternative formats … Martin Thomson
- Re: [Acme] Concerning alternative formats … Matthew D. Hardeman
- Re: [Acme] Concerning alternative formats … Felipe Gasper