Re: [jose] #24: Move JWS headers into signature block
Daniel Holth <dholth@gmail.com> Wed, 03 July 2013 22:19 UTC
From: Daniel Holth <dholth@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Richard Barnes <rlb@ipv.sx>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, n-sakimura <n-sakimura@nri.co.jp>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] #24: Move JWS headers into signature block
+1 on per signature protection. Where else would, say, the timestamp of the individual signature itself go? Imo the shared unprotected header is confusing.

On Jul 3, 2013 5:47 PM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:

> [Changing subject line to the correct thread]
>
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Wednesday, July 03, 2013 2:40 PM
> To: John Bradley; Richard Barnes
> Cc: Jim Schaad; n-sakimura; draft-ietf-jose-json-web-signature@tools.ietf.org; jose@ietf.org; Dick Hardt
> Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
>
> John, since you're raising the topic of integrity protecting JWS header values, I'd be interested in your reactions to my note encoded below.
>
> Cheers,
>
> -- Mike
>
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Saturday, June 29, 2013 3:43 AM
> To: jose@ietf.org
> Subject: Re: [jose] #24: Move JWS headers into signature block
>
> Perhaps I'm in an odd frame of mind tonight, because I wouldn't normally even consider re-raising a closed issue, but Ben Laurie's advice "why not just protect everything" kept running through my mind and I realized that the current JWS JSON Serialization doesn't allow us to do that in the general case. Specifically, we don't allow a per-signature "protected" headers field, which would be necessary to protect the cryptographic parameters if different signatures use different algorithms.
>
> So I'd at least like others' thoughts on whether we want to "fill in the matrix" for the JWS JSON Serialization and allow header parameters to be specified both in protected and unprotected forms, both on a shared and per-signature basis. We currently support 3 of these 4 header parameter locations.
>
> Note that we would not do this for JWE, since (as extensively discussed) per-recipient protected content is problematic.
>
> For the signature input, if both shared and per-signature protected headers were present, we'd need to concatenate the two base64url encoded representations together with a separator character between (I'm thinking comma (',') because it is distinct from period ('.'), which is also used as a separator in the signature input).
>
> I'm fine with this issue remaining closed, but I wanted to at least run this possibility by the working group for their input, since it hadn't been discussed previously.
>
> Cheers,
>
> -- Mike
>
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Wednesday, July 03, 2013 2:25 PM
> To: Richard Barnes
> Cc: Dick Hardt; Jim Schaad; n-sakimura; Mike Jones; jose@ietf.org; draft-ietf-jose-json-web-signature@tools.ietf.org
> Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
>
> …
>
> Just for the record, I am one of the people on the side of integrity protecting headers unless there is a strong reason not to, as is the case with multiple recipients and counter mode encryption.
>
> John B.
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
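The signing-input rule Mike floats above (shared and per-signature protected headers base64url-encoded, joined with ',' when both are present, then '.' and the payload) and Daniel's point about where a per-signature timestamp belongs, worked through as an added example that is not part of the thread. The structure follows the proposal rather than the JWS spec as finally published; the key, payload, "kid" value and the "ts" header name are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    # base64url without '=' padding, as JWS requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def signing_input(shared_protected, sig_protected, payload: bytes) -> bytes:
    # Rule proposed in the thread: each protected header set that is present is
    # base64url-encoded; when both are present they are joined with ',' (chosen
    # because it cannot collide with '.'); then '.' and the base64url payload.
    encoded = [b64url_json(h) for h in (shared_protected, sig_protected) if h is not None]
    return (",".join(encoded) + "." + b64url(payload)).encode("ascii")

def hs256(key: bytes, shared_protected, sig_protected, payload: bytes) -> str:
    mac = hmac.new(key, signing_input(shared_protected, sig_protected, payload), hashlib.sha256)
    return b64url(mac.digest())

def verify(key: bytes, jws: dict, sig: dict) -> bool:
    # Only the two protected header sets feed the MAC; 'header' (unprotected) does not.
    expected = hs256(key, jws.get("protected"), sig.get("protected"), jws["payload"])
    return hmac.compare_digest(expected, sig["signature"])

def demo() -> dict:
    key = b"constructed-demo-key-not-for-real-use"
    payload = b'{"msg":"hello"}'
    shared_protected = {"cty": "json"}
    # Per-signature protected header: algorithm plus a constructed signing timestamp
    # ('ts' is a made-up name for this demo, not a registered header parameter).
    sig_protected = {"alg": "HS256", "ts": 1372889953}
    sig = {"protected": sig_protected,
           "header": {"kid": "signer-1"},  # per-signature, unprotected
           "signature": hs256(key, shared_protected, sig_protected, payload)}
    jws = {"protected": shared_protected, "payload": payload, "signatures": [sig]}  # kept decoded for readability
    results = {"valid": verify(key, jws, sig)}
    # Changing an unprotected value leaves the signature valid: nothing binds it.
    tampered_unprot = dict(sig, header={"kid": "someone-else"})
    results["unprotected_change_detected"] = not verify(key, jws, tampered_unprot)
    # Changing a per-signature protected value (here the timestamp) breaks verification.
    tampered_prot = dict(sig, protected={"alg": "HS256", "ts": 1372976353})
    results["protected_change_detected"] = not verify(key, jws, tampered_prot)
    return results
```

RFC 7515 as published ended up with a per-signature `protected` member only and no shared protected header, so the ',' joining here illustrates the proposal under discussion, not the standard's signing input.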