Re: [art] [Secdispatch] Plain text JSON digital signatures
Stefan Santesson <stefan@aaa-sec.com> Wed, 28 April 2021 06:52 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D5FD3A1CA1 for <art@ietfa.amsl.com>; Tue, 27 Apr 2021 23:52:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.915
X-Spam-Level:
X-Spam-Status: No, score=-1.915 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ds-kB9ptS0ar for <art@ietfa.amsl.com>; Tue, 27 Apr 2021 23:52:18 -0700 (PDT)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [93.188.3.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C8423A1CA3 for <art@ietf.org>; Tue, 27 Apr 2021 23:52:18 -0700 (PDT)
Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with UTF8SMTP id 2E1F51A91D65 for <art@ietf.org>; Wed, 28 Apr 2021 08:52:07 +0200 (CEST)
Received: from s630.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with UTF8SMTP id 1E62B2E2B083; Wed, 28 Apr 2021 08:52:07 +0200 (CEST)
Received: from s475.loopia.se (unknown [172.22.191.5]) by s630.loopia.se (Postfix) with UTF8SMTP id CA91213B9437; Wed, 28 Apr 2021 08:52:06 +0200 (CEST)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Received: from s934.loopia.se ([172.22.191.5]) by s475.loopia.se (s475.loopia.se [172.22.190.15]) (amavisd-new, port 10024) with UTF8LMTP id e98z6PW06j4v; Wed, 28 Apr 2021 08:52:05 +0200 (CEST)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 85.235.7.89
Received: from [192.168.1.219] (gw.aaa-sec.ideon.se [85.235.7.89]) (Authenticated sender: mailstore2@aaa-sec.com) by s934.loopia.se (Postfix) with UTF8SMTPSA id 46D997CEA0F; Wed, 28 Apr 2021 08:52:05 +0200 (CEST)
Content-Type: multipart/alternative; boundary="------------2LurtlQsQhRwHdctf4Ws9n0f"
Message-ID: <19a99964-8495-2de9-b49a-52aa8321c12e@aaa-sec.com>
Date: Wed, 28 Apr 2021 08:52:04 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Thunderbird/88.0
Content-Language: en-US
To: Bret Jordan <jordan.ietf@gmail.com>, Dick Hardt <dick.hardt@gmail.com>
Cc: art@ietf.org, DISPATCH <dispatch@ietf.org>, rfc-ise@rfc-editor.org, IETF SecDispatch <Secdispatch@ietf.org>
References: <CAD9ie-v7uJOpjj+nbZCfQe+4JEQt-6=b6cm57iFPAn_enGeRCQ@mail.gmail.com> <3B394519-4061-43A8-8963-55A6ADEDF269@gmail.com>
From: Stefan Santesson <stefan@aaa-sec.com>
Organization: 3xA Security AB
In-Reply-To: <3B394519-4061-43A8-8963-55A6ADEDF269@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/8JOD7PaQ1c1Bkjm7pFWEHWokdW4>
Subject: Re: [art] [Secdispatch] Plain text JSON digital signatures
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Apr 2021 06:52:25 -0000
How is this different/better than implementing RFC 7797 and apply the header b64=false in order to carry plaintext JSON in the payload? /Stefan On 2021-04-28 04:29, Bret Jordan wrote: > Luckily this time we have RFC8785 that solves the canonicalization > problem for JSON. > > Bret > > Sent from my Commodore 64 > > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 > >> On Apr 27, 2021, at 7:39 PM, Dick Hardt <dick.hardt@gmail.com> wrote: >> >> >> I am supportive of this work, and would also be willing to work >> towards a PS. I am seeing rapid growth in the demand to embed JWS in >> JWS. >> >> Given my experience with XML-DSig (see below) making it more XML-DSig >> like does not sound like a good thing. >> >> For any interested in some JWT history, when we were brewing up what >> became OAuth 2.0, we did not want to tie a token format to the >> implementation as many deployments had their own proprietary token >> formats -- but we knew new deployments would benefit from >> standardizing a token. >> >> Our requirements were: >> - URL safe (access tokens at the time were often passed as a query >> parameter -- I know, not the best idea, but working with what >> people wanted) >> - HTTP header safe >> - richer than name / value pairs >> >> Options we considered: >> ASN.1 - the 60s are calling and want their data back >> XML-DSig - not URL safe, large size, and I personally had many scars >> canonicalizing XML. (An earlier company of mine had a contract to >> build XML-DSig libraries for a few languages) >> >> JSON was becoming very cool at that time, and with base 64 URL safe >> encoding the string, it was URL safe, and treating the JSON text as >> binary dealt with the canonicalization concerns -- and JSON >> canonicalization did not exist. >> >> Using a dot as the separator between header, payload, and signature >> made it easy to parse. The dot was URL safe, but not in the base 64 set. >> >> And Simple Web Tokens were born -- to be renamed JSON Web Tokens. >> >> /Dick >> >> >> >> >> ᐧ >> >> On Tue, Apr 27, 2021 at 8:28 AM Bret Jordan <jordan.ietf@gmail.com> >> wrote: >> >> Dear Dispatch, >> >> Anders Rundgren, Samuel, Erdtman, and I have been working on an >> ID for your consideration. This document describes how to use JWS >> and JCS to create plain-text JSON signatures. The abstract reads >> as follows: >> >> This document describes a method for extending the scope of the >> JSON Web Signature (JWS) standard, called JWS/CT. By combining >> the detached mode of JWS with the JSON Canonicalization Scheme >> (JCS), JWS/CT enables JSON objects to remain in the JSON format >> after being signed (aka "Clear Text" signing). In addition to >> supporting a consistent data format, this arrangement also >> simplifies documentation, debugging, and logging. The ability >> to embed signed JSON objects in other JSON objects, makes the use >> of counter-signatures straightforward. >> >> The data tracker page for this: >> https://datatracker.ietf.org/doc/draft-jordan-jws-ct/ >> >> As you know there are large ecosystems that needs digital >> signatures for plain text JSON data, meaning where the JSON data >> is not base64 encoded. This ID provides a solution using existing >> IETF RFCs to make this work. Further, this work looks to be >> adopted by many groups and organizations from financial services, >> threat intelligence, and incident response. >> >> We are not sure what direction would be best for this work in the >> IETF, should we send to the ISE for publication or do you want to >> create a working group. Ultimately there is a lot of work that >> could be done in this space to meet the needs of the market. We >> would be happy with releasing these IDs for ISE publication, or >> for creating a working group to move them forward. It is just >> important to note that the market is in desperate need of these >> solutions. If you want to take it for a spin, there is a JWS/CT >> playground at: https://mobilepki.org/jws-ct >> >> Thanks >> Bret >> >> -- >> >> Sent from my TI-99/4A >> >> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 >> 0050 >> _______________________________________________ >> art mailing list >> art@ietf.org >> https://www.ietf.org/mailman/listinfo/art >> > > _______________________________________________ > Secdispatch mailing list > Secdispatch@ietf.org > https://www.ietf.org/mailman/listinfo/secdispatch
- [art] Plain text JSON digital signatures Bret Jordan
- Re: [art] [dispatch] Plain text JSON digital sign… Brian Rosen
- Re: [art] [dispatch] Plain text JSON digital sign… Carsten Bormann
- Re: [art] [dispatch] Plain text JSON digital sign… Bret Jordan
- Re: [art] [dispatch] Plain text JSON digital sign… Anders Rundgren
- Re: [art] Plain text JSON digital signatures Dick Hardt
- Re: [art] Plain text JSON digital signatures Bret Jordan
- Re: [art] [Secdispatch] Plain text JSON digital s… Stefan Santesson
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Anders Rundgren
- Re: [art] Plain text JSON digital signatures Stian Soiland-Reyes
- Re: [art] [Secdispatch] [dispatch] Plain text JSO… Stefan Santesson
- Re: [art] Plain text JSON digital signatures Stian Soiland-Reyes
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Bret Jordan
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Carsten Bormann
- Re: [art] Plain text JSON digital signatures Bret Jordan
- Re: [art] [Secdispatch] [dispatch] Plain text JSO… Anders Rundgren
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Samuel Erdtman
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Carsten Bormann
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Anders Rundgren
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Samuel Erdtman
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Samuel Erdtman
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Carsten Bormann
- Re: [art] [Secdispatch] [dispatch] Plain text JSO… Carsten Bormann
- Re: [art] [dispatch] [Secdispatch] Plain text JSO… Samuel Erdtman
- Re: [art] [Secdispatch] [dispatch] Plain text JSO… Samuel Erdtman