Re: [jose] Signed JSON for "Open Banking" - An implementation report

Nat Sakimura <sakimura@gmail.com> Thu, 14 December 2017 04:08 UTC

References: <c6cf8313-7fda-d298-64a8-82d4d772cf5d@gmail.com>
In-Reply-To: <c6cf8313-7fda-d298-64a8-82d4d772cf5d@gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 14 Dec 2017 04:08:01 +0000
Message-ID: <CABzCy2D1QYsZCDjinknqtEeDGeWeREdSfpFcqiRGGCTNsut_9g@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "jose@ietf.org" <jose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/0XRs2-M0sn0G2_cJ1AGB4Ubr-XY>

Part of the reason for people preferring non-base64ed content is the
tooling issue. The current OpenAPI tooling does not take care of the
Base64url encoded body or JWS. Once the support comes, the pain will be
much less.

On Fri, Nov 17, 2017 at 3:53 PM Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> Dear List,
> Here is a list of the three most well-known APIs for Open Banking and
> their take on "Signed JSON":
>
> http://openid.net/specs/openid-financial-api-part-2.html#request
> In-line JWS (base64url-encoded messages)
>
> https://www.stet.eu/assets/files/PSD2/API-DSP2-STET_V1.2.2.pdf#page=56
> HTTP-Signatures (clear text messages using a not yet standardized
> signature scheme)
>
>
> https://www.openbanking.org.uk/read-write-apis/payment-initiation-api/v1-1-0/#usage-examples-merchant-illustrative-interactions-payment-setup
> Detached JWS (clear text messages signed by a JWS in a specific HTTP
> header)
>
> I believe this supports my view that base64-encoded JSON will continue to
> be a hard sell no matter how good it may be.
>
> Other "uncool" side-effects include lookup services providing signed
> responses in base64url
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-07#section-2.1
> and security protocols needing artificial outer layers in order to make
> objects recognizable
> https://tools.ietf.org/html/draft-pei-opentrustprotocol-01#section-8.2.1.1
>
> May I propose a JOSE2 effort based on ES6.JSON serialization [1] to end
> the current proliferation of "DIY standards" and reducing the need for
> [ugly] workarounds like used by UK's Open Banking?
>
> Making JOSE more Browser/JS friendly wouldn't be a terrible idea, either.
>
> Availability of ES6.JSON compatible tools isn't really a showstopper, we
> are talking about < 2000 lines of pretty simple [2] code for parsing and
> serialization.
>
> thanx,
> Anders
>
> [1]
> https://cyberphone.github.io/doc/security/jcs.html#Normalization_and_Signature_Validation
>
> [2] Well, number serialization is non-trivial so implementers probably need
> to build on already written code and algorithms out there like I did.
>
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation