Re: [dispatch] Plain text JSON digital signatures

Brian Rosen <> Tue, 27 April 2021 15:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 492AB3A11E3 for <>; Tue, 27 Apr 2021 08:47:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RI58G1bsBabN for <>; Tue, 27 Apr 2021 08:47:13 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E260C3A11E0 for <>; Tue, 27 Apr 2021 08:47:12 -0700 (PDT)
Received: by with SMTP id z25so21725223qtn.8 for <>; Tue, 27 Apr 2021 08:47:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=52erJvHyH211Q+bUlVrzfZOPr8C/5MWHC+YGVbtO83o=; b=1q9NPBKHdjC12o5GTxJOs75Q202SY+VF8VG5aPFA2zlGuCF+C8iRwoq791cwlx/Cau fDDZ7zrImFABE5jyJC3fhGXLm3Oexi14gTqiZkTbju4i/IWH0axNDel0Qna1W3TGzC2R Dzi+4OuAn+DO84LnxoyzEab6jCGzP/ziDn2aEmYDp2vp7TW37vJC9owAm/gLiJb34cAm A7O3a0FAU+pQnabtdhSSa80bsDQ9F6sFx4Y/hq+Hbwxm2mPXuhn5V0dV4V+TRygti4GG /A4PQvXaeHph+9ULR2mrWRpoD612qFrd3y29OFR81b7AGrojZVBqQ1iCzD1zlsE+8sQd tdvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=52erJvHyH211Q+bUlVrzfZOPr8C/5MWHC+YGVbtO83o=; b=O10yrlVo/JoiYCzDe9OoByJW80E9Rye8IzFA4plIbxcQbn+jUzCr4r+S+bGOMlIog9 V2skp44gniZFOXz7xGycznwwkiNNdKxK7L4R5RIV4LPcyAo+YI680rGtKJvNbq64ePHe d4bS6AmFFJe2wuh4sQvvO3blRrhFytDwOrKfYFy94+cqD1W7sjVpbP6RisObSWfQJWCx snvUXwLwZ9VWEtJqhsmDPHY1lb9yA5hntAUf5r+mqJNKhcgyEkWt2kPJwVn3kum4JqzE A1cZqCpmORBqBk+E4KvHXrZ1UuOCDUI1vKxHGl9ZY6cj8Jl5tbnYJJEo0TIXEIslAfC+ iQOQ==
X-Gm-Message-State: AOAM532L5MNzS2vkTC1Q2JjNVID/YS2/9UvlqmOsDYfMaFgD7XFQM5gt vJL2pgSn9vgAyNfTqA07DF7GCA==
X-Google-Smtp-Source: ABdhPJyvwSd59fOf4gmHHNFK3B7uifstEscZKI3Wgj8BZMUSVE8mbPNnw0jNtdQtZjlHMgBGnNPgSw==
X-Received: by 2002:ac8:4658:: with SMTP id f24mr22451505qto.375.1619538429846; Tue, 27 Apr 2021 08:47:09 -0700 (PDT)
Received: from brians-mbp.lan ( []) by with ESMTPSA id p186sm2846105qka.66.2021. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 27 Apr 2021 08:47:09 -0700 (PDT)
From: Brian Rosen <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0A9A5627-118A-43D8-8B5C-CB5BFC966A29"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Tue, 27 Apr 2021 11:47:03 -0400
In-Reply-To: <>
Cc: DISPATCH <>, IETF SecDispatch <>,,
To: Bret Jordan <>
References: <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [dispatch] Plain text JSON digital signatures
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 27 Apr 2021 15:47:17 -0000

I am very much interested in this work.  My preference would be for a Proposed Standard.  There was a lot of opposition to the idea previously, so it may be that ISE is all we can get, but I would be willing to work towards PS, either in a new, short lived work group or as part of another work group.  


> On Apr 27, 2021, at 11:27 AM, Bret Jordan <> wrote:
> Dear Dispatch,
> Anders Rundgren, Samuel, Erdtman, and I have been working on an ID for your consideration. This document describes how to use JWS and JCS to create plain-text JSON signatures. The abstract reads as follows:
> This document describes a method for extending the scope of the JSON Web Signature (JWS) standard, called JWS/CT.  By combining the detached mode of JWS with the JSON Canonicalization Scheme (JCS), JWS/CT enables JSON objects to remain in the JSON format after being signed (aka "Clear Text" signing).  In addition to supporting a consistent data format, this arrangement also simplifies documentation, debugging, and logging.  The ability to embed signed JSON objects in other JSON objects, makes the use of counter-signatures straightforward.
> The data tracker page for this: <>
> As you know there are large ecosystems that needs digital signatures for plain text JSON data, meaning where the JSON data is not base64 encoded. This ID provides a solution using existing IETF RFCs to make this work. Further, this work looks to be adopted by many groups and organizations from financial services, threat intelligence, and incident response. 
> We are not sure what direction would be best for this work in the IETF, should we send to the ISE for publication or do you want to create a working group. Ultimately there is a lot of work that could be done in this space to meet the needs of the market. We would be happy with releasing these IDs for ISE publication, or for creating a working group to move them forward. It is just important to note that the market is in desperate need of these solutions. If you want to take it for a spin, there is a JWS/CT playground at: <>
> Thanks
> Bret
> -- 
> Sent from my TI-99/4A
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> _______________________________________________
> dispatch mailing list