IETF Logo Mail Archive

Re: [art] [dispatch] [Secdispatch] Plain text JSON digital signatures

Samuel Erdtman <samuel@erdtman.se> Fri, 30 April 2021 21:37 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A352E3A27C4 for <art@ietfa.amsl.com>; Fri, 30 Apr 2021 14:37:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnQ1RaLj0TFk for <art@ietfa.amsl.com>; Fri, 30 Apr 2021 14:37:46 -0700 (PDT)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 419533A27C2 for <art@ietf.org>; Fri, 30 Apr 2021 14:37:45 -0700 (PDT)
Received: by mail-oi1-x230.google.com with SMTP id d25so33877072oij.5 for <art@ietf.org>; Fri, 30 Apr 2021 14:37:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=w1Q1xCyUlS5YecimIPNpEdvwo4WoaGXjHkYy0ET4Gq8=; b=G+5BD/4+MSxUlOssMP9ekqqDkHdKas3UOPNUHa9qTsD1njDIGILR2CXOKcZRM055pA OLrbqTVKHeKNhfK4UsqC3/PevtsnBCwPCr8fGtmR5rzEINGvPO5Q+wdxV2cC3Q/GxGy3 t7AOwr/zui2SpmsFO/Y9vpqw9XAkygpPVbX6SArALx1pCRHs1W/9sLh90JWaq4SRtNJs m8IqKfHNznC+OJ0vMDnsVD1Og3WuMmio9QgEy99Cy1sMu9XlBRK2M5f5w0KQHdMlAV/b ORzQ4KW8tGDRXoNySTFW4BDxH+4cOEni7UwkzVkPOt5HaUfglfGcK0HNDzQ332UYxbe2 gLLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=w1Q1xCyUlS5YecimIPNpEdvwo4WoaGXjHkYy0ET4Gq8=; b=j7Mp7FxrgrfbvcqC6tbwF3OLyedRJ61J1bhky2XwmGbv4gLKE6ETklNGNDf5g5utb1 rvOsB+JYHZmwL0WhTtmIG75cwHxJaoJciYrQC7dJp6a6xl7EtMqzwW+7FHvX+iriDOyH ozfMWPD5uYaUXDdxIsFs2nSKWwcc1BtTEH4aeMh0SYO6T1lxJHJT5AVBmJdu9awx2ztO /o1OVPf7gvF98oyay+ywSIZuffx7Jo+Kx8+HZhOKHRIglrakssnydki5bUAAIX+Dyzto ctnEpYvamATQk3dxVxoq/uaL3rrDI0PK++ztmZuzp0+gnH0HI/30fZ8GqnrQQMPSLOgB wI8g==
X-Gm-Message-State: AOAM533vZa37FggO/E2A66v8qOOUAztEUSNZtRtZnjZW5ereLSCm48l3 IdJIb+XnnhAbUBAsDmgTeeEWlmQX0yJwP3hoFFK9wA==
X-Google-Smtp-Source: ABdhPJzbixKWZxm7UKJpZ9r8taFjtGVuQHCHeq99EycD1ixd5lv2sZMGeIN4XADlSjaajU5RSPpCWY5CVSPWGbNPsiE=
X-Received: by 2002:aca:b9c1:: with SMTP id j184mr5470835oif.134.1619818664336; Fri, 30 Apr 2021 14:37:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-v7uJOpjj+nbZCfQe+4JEQt-6=b6cm57iFPAn_enGeRCQ@mail.gmail.com> <3B394519-4061-43A8-8963-55A6ADEDF269@gmail.com> <19a99964-8495-2de9-b49a-52aa8321c12e@aaa-sec.com> <220475a6-1e04-107e-6327-366d48d8b420@gmail.com> <27833d9d-53c3-d01c-b01c-e7d53424b5ab@aaa-sec.com> <A88D122C-C1EB-477B-A83C-A22F1BB3CC47@gmail.com> <B8E5AF13-7B59-4329-890F-2B14766032A5@tzi.org>
In-Reply-To: <B8E5AF13-7B59-4329-890F-2B14766032A5@tzi.org>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Fri, 30 Apr 2021 23:37:32 +0200
Message-ID: <CAF2hCbahPMAwe_63dT+pcz2BZSy0XOPstXqpxsCq1Vj0UmSDPg@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: art@ietf.org, IETF SecDispatch <Secdispatch@ietf.org>, DISPATCH <dispatch@ietf.org>, "RFC ISE (Adrian Farrel)" <rfc-ise@rfc-editor.org>
Content-Type: multipart/alternative; boundary="00000000000016ddaf05c1376c64"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/inOqgr58EE-xyubx0cDbInjspks>
Subject: Re: [art] [dispatch] [Secdispatch] Plain text JSON digital signatures
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Apr 2021 21:37:52 -0000

Hi Carsten,

Thank you for sharing your thoughts.

I´m not sure I understand your point, maybe you could elaborate a bit (I
have some questions).
1. What do you mean with data at rest, data store in database or file? Or
is it data that does not change? Sorry I do not get it.

2. What is weird with saying "Represented in JSON"? is it that the RFC7493
I-JSON subset is not all that JSON could be? (to me this is a reasonable
limitation that I in practice never have had to go outside)

3. So I totally get that one does not like XMLDigSig, in my opinion not
because of the signing procedures but because of the canonicalization
process. When I looked at it I gave up and created a hardcoded template.
The difference in canonicalization of JSON (RFC7493 I-JSON subset)
according to RFC8785 is like night and day compared to XML
canonicalization. In your comment it seems like you are of the opinion that
this effort will be as tricky as XMLDigSig. do you think so?

4. Not sure I agree with “clear text” or “plain text" being bad
descriptions. Yes what is signed is the RFC8785 transformation of the input
data, but the signature are then put into your data keeping the data in its
original “clear text” or “plain text" as opposed to base64-url encoded. I
guess enveloped JWS is a more accurate name but “clear text” or “plain
text" is easy to understand.

Best regards
//Samuel








On Wed, Apr 28, 2021 at 5:56 PM Carsten Bormann <cabo@tzi.org> wrote:

> Signing data at rest certainly is a use case that is worth addressing.
>
> “Represented in JSON” is a weird way to say that the data model that
> describes those data at rest is somehow compatible with the JSON data model
> (which isn’t really fully defined, but that is a problem that may not hurt
> you).  So if you have a deterministic way to transform your data at rest
> into the JSON-like data model subset supported by RFC8785 (which is in turn
> based on the RFC7493 I-JSON subset), you then can use RFC8785 to generate a
> text string that (using UTF-8’s deterministic encoding) can in turn be used
> as a signing input for well-known signature schemes such as JOSE or COSE.
>
> This is pretty much what XMLDSig set out to do, except that the XML data
> model is even less well-defined and generating a deterministic signing
> input from that is even more interesting.  Small matters of
> interoperability :-)
>
> None of this has anything to do with “clear text” or “plain text", which
> is an exceedingly bad label to apply to signing data at rest that are
> believed to be convertable to an RFC8785-subset JSON text.
>
> Grüße, Carsten
>
> _______________________________________________
> dispatch mailing list
> dispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/dispatch
>

v2.23.0 | Report a Bug | By Email