Re: [jose] JWS Signing Input Options specification enabling non-base64-encoded payloads when safe to do so
Phillip Hallam-Baker <ietf@hallambaker.com> Fri, 29 May 2015 19:46 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE3481A1B28 for <jose@ietfa.amsl.com>; Fri, 29 May 2015 12:46:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.123
X-Spam-Level:
X-Spam-Status: No, score=0.123 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E3pnj4ibzLrW for <jose@ietfa.amsl.com>; Fri, 29 May 2015 12:46:04 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7DE51A1B59 for <jose@ietf.org>; Fri, 29 May 2015 12:46:02 -0700 (PDT)
Received: by lagv1 with SMTP id v1so63390822lag.3 for <jose@ietf.org>; Fri, 29 May 2015 12:46:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=nBnRV/XULLN7gGp1z4ZeGsW6HuC/Z2hqhGFXSf9tYAs=; b=zE/k72Zd0OW2yoIwQ5kYr4Hg6FiFycmGqNHjJGxoVuu9i6jsWFFnZJSdsrIGHEeClj SgmAafu5SxvXIZR9fWO+QyuO4c0va0IoPuxJ0GM4tnoNdvN7d3WMYo9HnY2uhb//Nuii QwUtWKEr0nrn/++4+YvvfaaHNvfli5PB7FfKLjSgYtS2UVZVxT4bNGRlHNQdvzjQybK+ gA3MZw0HcRLtStEexJs3Od8536RHwYwLERGe8S8SUZme//Unijn7fGK441Qz/fuH/qVC KIw46MXCrV0YGsAUUeB77kETMBWJ/pigV/GdiqrOnpmu2XAHXC44r3dVmH9sJoghM7x8 khEA==
MIME-Version: 1.0
X-Received: by 10.152.164.233 with SMTP id yt9mr9903581lab.58.1432928761413; Fri, 29 May 2015 12:46:01 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.203.163 with HTTP; Fri, 29 May 2015 12:46:01 -0700 (PDT)
In-Reply-To: <BL2PR03MB433040EE90372FAC663B479F5CA0@BL2PR03MB433.namprd03.prod.outlook.com>
References: <BL2PR03MB433040EE90372FAC663B479F5CA0@BL2PR03MB433.namprd03.prod.outlook.com>
Date: Fri, 29 May 2015 15:46:01 -0400
X-Google-Sender-Auth: hBOzkhETv_6ccUuXfNL9DM6u364
Message-ID: <CAMm+Lwi6srVFktuA3Rv+bEVuf7MuWwL-hgfdY0NVvKDTd9PcWA@mail.gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a1133b066d0069105173db967"
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/3Wh_EaZhbju2vjWkcas4OTKSBP8>
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] JWS Signing Input Options specification enabling non-base64-encoded payloads when safe to do so
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 19:46:06 -0000
I very much want this to happen and I think it is best that this happen here rather than elsewhere as I would like us to have exactly one way to make use of JOSE signatures in HTTP binding of JSON Web Services. ACME is definitely going to require something of this sort. The issue is not the inefficiency of BASE64 encoding itself but the effect of repeated encoding on nested structures and the loss of readability that BASE64 results in. Someone trying to debug a protocol wants to be able to look at the examples in the spec and the data they see on the wire and see the differences. Base64 encoding takes that away. In the medium term I would like there to be a consistent approach to a HTTP binding across JSON Web Services because that makes it a lot easier to move from the HTTP binding to a JSON based binding at some point in the future. Divergence in protocol styles is usually bad. This helps reduce divergence. Lets do it. On Wed, May 27, 2015 at 8:06 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: > There’s been interest being able to not base64url-encode the JWS Payload > under some circumstances by a number of people. I’ve occasionally thought > about ways to accomplish this, and prompted again by discussions with > Phillip Hallam-Baker, Martin Thomson, Jim Schaad, and others at IETF 92 in > Dallas, recollections of conversations with Matt Miller and Richard Barnes > on the topic, and with Anders Rundgren on the JOSE mailing list, I decided > to write down a concrete proposal while there’s still a JOSE working group > to possibly consider taking it forward. The abstract of the spec is: > > > > JSON Web Signature (JWS) represents the payload of a JWS as a base64url > encoded value and uses this value in the JWS Signature computation. While > this enables arbitrary payloads to be integrity protected, some have > described use cases in which the base64url encoding is unnecessary and/or > an impediment to adoption, especially when the payload is large and/or > detached. This specification defines a means of accommodating these use > cases by defining an option to change the JWS Signing Input computation to > not base64url-encode the payload. > > > > Also, JWS includes a representation of the JWS Protected Header and a > period ('.') character in the JWS Signature computation. While this > cryptographically binds the protected Header Parameters to the integrity > protected payload, some of have described use cases in which this binding > is unnecessary and/or an impediment to adoption, especially when the > payload is large and/or detached. This specification defines a means of > accommodating these use cases by defining an option to change the JWS > Signing Input computation to not include a representation of the JWS > Protected Header and a period ('.') character in the JWS Signing Input. > > > > These options are intended to broaden the set of use cases for which the > use of JWS is a good fit. > > > > This specification is available at: > > · > https://tools.ietf.org/html/draft-jones-jose-jws-signing-input-options-00 > > > > An HTML formatted version is also available at: > > · > http://self-issued.info/docs/draft-jones-jose-jws-signing-input-options-00.html > > > > -- Mike > > > > P.S. This note was also posted at http://self-issued.info/?p=1398 and as > @selfissued. > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > >
- [jose] JWS Signing Input Options specification en… Mike Jones
- Re: [jose] JWS Signing Input Options specificatio… Anders Rundgren
- Re: [jose] JWS Signing Input Options specificatio… Phillip Hallam-Baker