Re: [dispatch] PING2. Re: JSON Canonicalization Standard

Brian Campbell <bcampbell@pingidentity.com> Fri, 07 September 2018 20:40 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8768B12F18C for <dispatch@ietfa.amsl.com>; Fri, 7 Sep 2018 13:40:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHwrPmOe1bZm for <dispatch@ietfa.amsl.com>; Fri, 7 Sep 2018 13:40:42 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCF09128C65 for <dispatch@ietf.org>; Fri, 7 Sep 2018 13:40:42 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id e12-v6so2540718iok.12 for <dispatch@ietf.org>; Fri, 07 Sep 2018 13:40:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:from:date:message-id:subject:to:cc; bh=EZeFxRnzJMeKASPhXX6YgHwqDprqx0iVVXZe8umjavU=; b=LfMERwFTmZWoeOGoyM3VYKImliVqQazWGBe/aJrecR/+Z1wl0ovCJAzldOjLg/owl6 7cLNiLeZthroaGMRY8Zhay3qADoQbUzPZp3XUESuzWvZEvDefgu7dxloD4/8/F3/I5PK a42EW3N7Q1BZxhfg2aCvVT4fAR5PcOEpIgj+k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=EZeFxRnzJMeKASPhXX6YgHwqDprqx0iVVXZe8umjavU=; b=CnMm7sX47jTlfInRhaxc0f28+635MhjmcYR7HQufQNskdXHmPVy3PvMfym7yytFCwV 9Zr1FNQZNtAm2vqhPrM44D26Dnah4eMTtfSPOjEnRDXtTbOz3fWrsnUjxjX5JmKQCr2i CRSiIfdLzf3XlQDF/lhc330+8tFCdhfdt+lmSquWm84JDxa/gMwLdaWkkwiwxu7p5Tpb GEMF/awbr4CPOOIwcal3qj5jIJAS2amAQllKZlNnpC8XgDqNq2+Jxo7WQCIDQZCr04D2 jeMGPq5D9/kBZ8Pz4Ex/8rf45oo0HVcIfFHObOju9s0p/XE4JTn4ADstXk4jUprXCSd3 LvOA==
X-Gm-Message-State: APzg51DJIK5aT+6RApwAwQ4HdhUxFICcoFigg4nWz/A0rfPhQxWNgvdX 5UzT4NY5cVrfeUVopN7JEa0LoPD8znvGlksm53kH0/oicC2fBhuEZP7CSPDh/2IxWksExTNz4WX jt0CgQA7dvRY4cMwPtw==
X-Google-Smtp-Source: ANB0Vda7fPUqCo+/uwKXYYLXHYLsJ5Bz/qr0ifebbP7uWXvaDOFTvj+TqTGs6jhb3TU12EpcFE0C4U0rGcoL6kBR5m8=
X-Received: by 2002:a6b:294b:: with SMTP id p72-v6mr7379486iop.17.1536352842002; Fri, 07 Sep 2018 13:40:42 -0700 (PDT)
MIME-Version: 1.0
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 7 Sep 2018 14:40:16 -0600
Message-ID: <CA+k3eCRvc5a-=5dR7xrOjaPtMM5JCqJ5DUPTZMVHjo3VtR2EOw@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, dispatch@ietf.org
Cc: Eric Rescorla <ekr@rtfm.com>, Ben Campbell <ben@nostrum.com>
Content-Type: multipart/alternative; boundary="00000000000065ced905754e051e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/RCRQgw69-jn0IlwnH1JTA7dwOlE>
Subject: Re: [dispatch] PING2. Re: JSON Canonicalization Standard
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Sep 2018 20:40:45 -0000

XML Canonicalization and Signatures are notoriously brittle and difficult
to get right while also being the source of numerous serious security
vulnerabilities.  The JSON case is maybe simpler and thus somewhat less
prone to the same issues but, if history is any guide, it's really hard to
get right and is fertile ground for all kinds of attacks.



> JCS is quite similar to its XML counterpart, albeit much simpler. Signed
> XML data never needed to be Base64 encoded.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._