IETF Logo Mail Archive

Re: [Acme] ACME signature mechanics

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 16 December 2014 09:22 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2B161ACD42 for <acme@ietfa.amsl.com>; Tue, 16 Dec 2014 01:22:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gWvX--HSXbu9 for <acme@ietfa.amsl.com>; Tue, 16 Dec 2014 01:22:51 -0800 (PST)
Received: from mail-wg0-x22b.google.com (mail-wg0-x22b.google.com [IPv6:2a00:1450:400c:c00::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA74C1A1A67 for <acme@ietf.org>; Tue, 16 Dec 2014 01:22:50 -0800 (PST)
Received: by mail-wg0-f43.google.com with SMTP id l18so16940282wgh.2 for <acme@ietf.org>; Tue, 16 Dec 2014 01:22:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=aSDtJZBNuaf2jaQp2hkLPpRJM4/KGF8G5rhltQ/rqxU=; b=Xm+OFykc2IZHRu30oPUEP+QGkmEZKMDO258EgqcUctVyQOHC+dTXPpDP4PWVI/ZBU4 Ji4hc3E5ZVovbhFStxgIe9d54GhI9GStUAnCzVqwDqEzhQrGiwFU2IrJSNgSQG0PLtCP NABietdlZUNtfh7Rrp08TVKi5fx1i9GxhdmM8IuMsqs53EfEB9E0X/Eaa8OO5ihCFOYa U97lK377NvCHRWYTx5pLUKqlHkHt+pCE4OXTICTMbPS2D2YIBTH1i3bY2yfXFglGUS8a LNRcLWKWPl5Tdsgl6qKa1qEQm5QMUkwnI3azmLsH11Tap2HX/539cOcjLXPJVhR9aZOs /1MA==
X-Received: by 10.194.108.98 with SMTP id hj2mr60620778wjb.102.1418721769502; Tue, 16 Dec 2014 01:22:49 -0800 (PST)
Received: from [192.168.1.79] (52.16.14.81.rev.sfr.net. [81.14.16.52]) by mx.google.com with ESMTPSA id e7sm340760wjx.31.2014.12.16.01.22.48 for <acme@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 16 Dec 2014 01:22:48 -0800 (PST)
Message-ID: <548FF9E3.1020703@gmail.com>
Date: Tue, 16 Dec 2014 10:22:43 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: acme@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/vNTcThXh5_gin0D_kb9XIx_zlRk
Subject: Re: [Acme] ACME signature mechanics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Dec 2014 09:22:53 -0000

When the transition to JWS has been made, human-readable ACME messages like

    {
      "type": "certificateRequest",
      "csr": "5jNudRx6Ye4HzKEqT5...FS6aKdZeGsysoCo4H9P",
      "signature": {
        "alg": "RS256",
        "nonce": "h5aYpWVkq-xlJh6cpR-3cw",
        "sig": "KxITJ0rNlfDMAtfDr8eAw...fSSoehDFNZKQKzTZPtQ",
        "jwk": {
          "kty":"RSA",
          "e":"AQAB",
          "n":"KxITJ0rNlfDMAtfDr8eAw...fSSoehDFNZKQKzTZPtQ"
   }  }  }

will rather look like

{
   "payload":"<base64>",
   "protected":"<base64>",
   "header":<base64>,
   "signature":"<base64>"
}

Which apart from being ugly JWS also requires a JSON schema validator (or similar
mechanism) to work on separate, unpacked parts of the message.

Although I don't expect this to change, you may (or may not) want to know that
clear-text JSON signatures (without the complexity of XML DSig), is not black magic,
you only have to use JSON parsers that doesn't "manipulate" input data:
https://openkeystore.googlecode.com/svn/resources/trunk/docs/jcs.html#Sample_Signature

Cheers
AndersR

v2.23.0 | Report a Bug | By Email