IETF Logo Mail Archive

Re: [Acme] ACME signature mechanics

Nico Williams <nico@cryptonector.com> Wed, 17 December 2014 16:04 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C457C1A8AE4 for <acme@ietfa.amsl.com>; Wed, 17 Dec 2014 08:04:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KKicEwQ4Yztx for <acme@ietfa.amsl.com>; Wed, 17 Dec 2014 08:04:34 -0800 (PST)
Received: from homiemail-a102.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 5963B1A8AF3 for <acme@ietf.org>; Wed, 17 Dec 2014 08:04:07 -0800 (PST)
Received: from homiemail-a102.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a102.g.dreamhost.com (Postfix) with ESMTP id 354332006D30F; Wed, 17 Dec 2014 08:04:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=KvKV1eTL+Mpsvw HuCr/AqCN1nAQ=; b=dH/c515OM152QLP8fLBcyOFYJfsMZqjEjIn9MBOKf8FsEt 77WeNZWuMbp5Yx/tJk6VV5p6AHpPU8ow90kUs+YPha9WLahpfSYjqKQl/usO3aLj tsjlhRwsrAD1e7l/0TwelUIda+QTsJxPtQUQkyFukwTPi8C61J9hU0Lz+DBfA=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a102.g.dreamhost.com (Postfix) with ESMTPA id CA0CA2006D30A; Wed, 17 Dec 2014 08:04:06 -0800 (PST)
Date: Wed, 17 Dec 2014 10:04:06 -0600
From: Nico Williams <nico@cryptonector.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <20141217160401.GT3241@localhost>
References: <548FF9E3.1020703@gmail.com> <CAL02cgT9iYqtX2Ui5XQYnj=yeF_QnSkKn-jE0D5d56WMzB5bBg@mail.gmail.com> <54910C53.7000107@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <54910C53.7000107@gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/_Oxg_zfbSdgDl6p5IACih-LK6R0
Cc: Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] ACME signature mechanics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 16:04:35 -0000

On Wed, Dec 17, 2014 at 05:53:39AM +0100, Anders Rundgren wrote:
> On 2014-12-16 17:27, Richard Barnes wrote:
> >I think there might be a middle way here.  I've been musing about
> >making a "Content-Signature" header that just carries a JWS signature
> >over the payload (no HTTP headers).  Since HTTP has to carry the
> >payload bit-exact, there's no c14n nonsense, so this could be much
> >simpler than other HTTP signing proposals.  It's sort of like JCS,
> >except that there is actually a guarantee that the payload stays the
> >same ;)
> 
> [...]
> 
> BTW, JCS does not depend on any c14n nonsense; it only requires that
> JSON property order is respected by the serializer/deserializer while
> whitespace is entirely insignificant.  You can even verify
> pretty-printed signatures!

You lost me.  If whitespace is insignificant, then you must be
canonicalizing.  Also, I assume you mean object name order by "property
order", but this is not required to be preserved by JSON parsers.

> >That said, if your concern is really human readability, I don't think
> >it's a tragedy to make someone copy/paste into a base64 decoder.

I don't either.

Nico
--

v2.23.0 | Report a Bug | By Email