Re: [jose] Canonical JSON form

Bret Jordan <jordan.ietf@gmail.com> Sat, 24 November 2018 17:00 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Date: Sat, 24 Nov 2018 09:59:50 -0700
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: David Waite <david@alkaline-solutions.com>, Jim Schaad <ietf@augustcellars.com>, Carsten Bormann <cabo@tzi.org>, jose@ietf.org
In-Reply-To: <aeb42ec2-5951-e8d0-ebfc-3e15c839545e@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/4G6-GHODoCxvin2Y0jBhetl6A5g>

I would hope that we could do this work in the IETF.  But, if the IETF community is not willing to entertain other use-cases and market needs, I am willing to help make this happen in another SDO.  

The thing everyone needs to remember is that just because you do not like something does not mean the use case is not valid or that it is not needed in the market.  

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Nov 24, 2018, at 12:16 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> Since Open Banking's use of clear text signatures (enabled through HTTP
> bindings and the downsides of that [1]), TEEP/OTrP's need for clear
> text object type IDs (and the implications of that with respect to
> signature validation [2]), as well as my own use of a hash only in a
> novel counter signature scheme [3], haven't spurred a single comment
> relating to the actual applications and how they {c|sh}ould make best
> use of the existing or enhanced JOSE stack, there seems to be little
> point continuing these discussions within the IETF.
> 
> I'm still waiting for messages pointing out why JCS isn't working
> (beyond anecdotes from the XML/WS* era).  Since detached JWS signatures
> are already a de-facto standard in Open Banking, claims that data to be
> signed SHOULD be encoded in alien formats and then be embedded in specific
> signature containers can safely be ignored unless somebody has a very compelling
> security story to share with us.
> 
> Anyway, VmWare have a US patent on JSON clear text signatures [6] so maybe
> it is toast from that perspective as well?  Although I'm not a patent
> lawyer, this smells of prior art by a mile!  To me it only adds credibility
> to the idea since the concepts are virtually identical:-)
> 
> From the CBOR list I have gathered that the CBOR counterpart to JCS [4,5]
> apparently is in a pretty bad shape.  Carsten, you have a new job :-)
> 
> thanx,
> Anders
> 
> [1] http://lists.openid.net/pipermail/openid-specs-fapi/2018-November/001164.html
> [2] https://www.ietf.org/mail-archive/web/jose/current/msg05810.html
> [3] https://www.ietf.org/mail-archive/web/jose/current/msg05811.html
> [4] https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-01
> [5] https://mobilepki.org/jws-jcs
> [6] https://patentimages.storage.googleapis.com/68/be/70/582930ff11703d/US20150341176A1.pdf
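The clear-text signature idea that the quoted message argues for rests on one technical property: a canonicalization that turns any serialization of the same JSON value into the same bytes, so a signature can live inside the object it covers. The example below is added here and is not code from this thread, from the JCS draft [4], or from Anders's implementation [5]. It implements a simplified JCS-style canonicalizer (object keys sorted by UTF-16 code units, no whitespace, JSON-standard string escaping; the number rule is reduced to "integral values print without a fraction, other floats use Python's shortest round-trip form", which differs from the draft's full ES6 rule for some exponents) and then signs and verifies a JSON object in place. HMAC-SHA256 stands in for a JWS signature algorithm, the property name `signature` and the key `DEMO_KEY` are constructed for the demo, and the wire text in `demo()` is a constructed sample.

```python
import hashlib
import hmac
import json
import math

# Constructed demo key; a stand-in for the JWS key material a real deployment
# would use (assumption of this example, not part of the draft).
DEMO_KEY = b"constructed-demo-key"
SIG_PROPERTY = "signature"   # assumed property name for the embedded signature


def _canon_number(n):
    """Serialize a JSON number. Simplified relative to the draft's ES6 rule:
    integral values print without a fraction; other finite floats use Python's
    shortest round-trip repr (exponent spelling may differ from ES6)."""
    if isinstance(n, bool):
        raise TypeError("bool is not a number")
    if isinstance(n, int):
        return str(n)
    if not math.isfinite(n):
        raise ValueError("NaN and Infinity are not JSON numbers")
    if n == int(n) and abs(n) < 1e21:
        return str(int(n))          # 10.0 -> "10", -0.0 -> "0", as in ES6
    return repr(n)


def _canon_string(s):
    # json.dumps escapes only ", \ and control characters below U+0020,
    # using lowercase \u00xx for the unnamed ones, which is what JCS requires.
    return json.dumps(s, ensure_ascii=False)


def canonicalize(value):
    """Return the canonical JSON text for a parsed JSON value."""
    if value is None:
        return "null"
    if value is True:
        return "true"
    if value is False:
        return "false"
    if isinstance(value, (int, float)):
        return _canon_number(value)
    if isinstance(value, str):
        return _canon_string(value)
    if isinstance(value, list):
        return "[" + ",".join(canonicalize(v) for v in value) + "]"
    if isinstance(value, dict):
        # JCS sorts property names by their UTF-16 code units, not by
        # Unicode code point; the two orders differ for non-BMP characters.
        keys = sorted(value, key=lambda k: k.encode("utf-16-be"))
        return "{" + ",".join(_canon_string(k) + ":" + canonicalize(value[k])
                              for k in keys) + "}"
    raise TypeError("unsupported JSON type: %r" % type(value))


def _mac(obj_without_sig, key):
    return hmac.new(key, canonicalize(obj_without_sig).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def sign_object(obj, key):
    """Clear-text signature: the object stays readable JSON and carries its
    own signature as a property computed over the canonical form."""
    unsigned = {k: v for k, v in obj.items() if k != SIG_PROPERTY}
    signed = dict(unsigned)
    signed[SIG_PROPERTY] = _mac(unsigned, key)
    return signed


def verify_object(obj, key):
    """Strip the signature property, re-canonicalize, and compare in
    constant time. Key order and whitespace of the received text are
    irrelevant because canonicalization removes them."""
    sig = obj.get(SIG_PROPERTY)
    if not isinstance(sig, str):
        return False
    unsigned = {k: v for k, v in obj.items() if k != SIG_PROPERTY}
    return hmac.compare_digest(_mac(unsigned, key), sig)


def demo():
    """Sign, verify a re-serialized copy with different key order and
    whitespace, then show that changing a value breaks verification."""
    signed = sign_object({"amount": 100, "currency": "EUR",
                          "ts": "2018-11-24T17:00:00Z"}, DEMO_KEY)
    # Constructed wire text a peer might send back: reordered, pretty-printed.
    wire = ('{\n  "ts": "%s",\n  "signature": "%s",\n  "currency": "EUR",\n'
            '  "amount": 100\n}') % (signed["ts"], signed[SIG_PROPERTY])
    received = json.loads(wire)
    tampered = dict(received, amount=1000)
    return verify_object(received, DEMO_KEY), verify_object(tampered, DEMO_KEY)


if __name__ == "__main__":
    print(canonicalize({"b": 1, "a": [True, None, "x\n"], "A": 10.0}))
    print(demo())
```

Two points the code makes concrete: the signature property must be removed before canonicalizing on both sides, since it cannot cover itself, and the key ordering has to be specified down to the code-unit level, because a verifier that sorted by code point would produce different bytes for names containing non-BMP characters and reject a valid signature. Any divergence in number formatting between signer and verifier has the same effect, which is why the draft pins numbers to the ES6 serialization rather than leaving it to each JSON library.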